| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Jan 2019 12:10:18 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: willemdebruijn.kernel@...il.com
Cc: netdev@...r.kernel.org, edumazet@...gle.com, pabeni@...hat.com,
xiyou.wangcong@...il.com, willemb@...gle.com,
syzkaller@...glegroups.com
Subject: Re: [PATCH net] ip: validate header length on virtual device xmit
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Date: Sun, 30 Dec 2018 17:24:36 -0500
> From: Willem de Bruijn <willemb@...gle.com>
>
> KMSAN detected read beyond end of buffer in vti and sit devices when
> passing truncated packets with PF_PACKET. The issue affects additional
> ip tunnel devices.
>
> Extend commit 76c0ddd8c3a6 ("ip6_tunnel: be careful when accessing the
> inner header") and commit ccfec9e5cb2d ("ip_tunnel: be careful when
> accessing the inner header").
>
> Move the check to a separate helper and call at the start of each
> ndo_start_xmit function in net/ipv4 and net/ipv6.
>
> Minor changes:
> - convert dev_kfree_skb to kfree_skb on error path,
> as dev_kfree_skb calls consume_skb which is not for error paths.
> - use pskb_network_may_pull even though that is pedantic here,
> as the same as pskb_may_pull for devices without llheaders.
> - do not cache ipv6 hdrs if used only once
> (unsafe across pskb_may_pull, was more relevant to earlier patch)
>
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>
Applied and queued up for -stable, thanks Willem.
Powered by blists - more mailing lists