Message-ID: <53800bc3-397a-ed1a-958d-a1dbc887d249@gmail.com>
Date: Mon, 21 Jan 2019 15:48:11 +0300
From: "Yuriy M. Kaminskiy" <yumkam@...il.com>
To: netdev@...r.kernel.org
Cc: Woojung Huh <woojung.huh@...rochip.com>,
Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
Subject: [PATCH] lan78xx: fix ip header misalignment

lan78xx.c:rx_submit() allocates space for the frame-to-be-received with
netdev_alloc_skb_ip_align(), which misaligns the start of the buffer by 2 bytes
in expectation that the frame will start with a 14-byte ethernet header, then
the ip header; if the start of the buffer is misaligned by 2 bytes, the ip header
will be 16-byte aligned.

Unfortunately, the usb frame that is sent by lan78xx starts with another
10-byte header (lan78xx_rx(): rx_cmd_a/rx_cmd_b/rx_cmd_c), *then*
follows the ethernet header, and *then* the ip header (which ends up being
misaligned).

This issue was observed on the arm platform (where misaligned 32-bit word
access triggers an exception and leaves traces in /proc/cpu/alignment, see
https://github.com/raspberrypi/linux/issues/2599 ; for me, about any
ipv6 traffic that hits the machine - `ping -I eth0 ip6-allnodes`, tcp/udp
packets, etc. - triggered an increase in this counter, with
ip6_datagram_recv_common_ctl, icmpv6_echo_reply, etc. as the culprit).

If we just allocate skb data without any misalignment tricks, the ip header
will end up at offset 24 (8-byte aligned).

Patch attached; runtime-tested with the raspbian fork of stable/4.14.y
[4.14.92] on a Raspberry Pi 3B+ (it is slightly different from mainline,
but the patch should not have any conflicts, all affected code is pretty much
the same).

P.S. I'm not subscribed, please CC me on reply.

View attachment "0001-lan78xx-fix-ip-header-misalignment.patch" of type "text/x-patch" (993 bytes)
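
The buffer layouts described in the message above, as an added example that is not part of the original post or the attached patch. It is user-space C, not driver code: the helper names are hypothetical, the receive buffer is assumed to start on a 16-byte boundary, and the 2-, 10- and 14-byte lengths are the ones the message gives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_ALIGN_PAD  2   /* headroom added by the ip_align allocation (per the message) */
#define RX_CMD_LEN   10   /* rx_cmd_a/rx_cmd_b/rx_cmd_c header (per the message) */
#define ETH_HDR_LEN  14   /* ethernet header */

/* Stand-in for freshly allocated skb data; 16-byte base alignment is an assumption. */
static _Alignas(16) unsigned char rx_buf[2048];

/* Where the ip header lands when the device writes its frame at
 * rx_buf + headroom and prefixes it with dev_hdr_len bytes of its own. */
static const unsigned char *ip_header_ptr(size_t headroom, size_t dev_hdr_len)
{
    return rx_buf + headroom + dev_hdr_len + ETH_HDR_LEN;
}

/* Largest power of two, capped at 16, that divides the pointer's address. */
static unsigned ptr_alignment(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    uintptr_t low = a & (~a + 1);          /* isolate the lowest set bit */
    return low > 16 ? 16u : (unsigned)low;
}

/* A 32-bit load from the ip header is only safe on strict-alignment
 * CPUs when the header sits on a 4-byte boundary. */
static int word_access_ok(const void *ip_hdr)
{
    return ptr_alignment(ip_hdr) >= 4;
}

int main(void)
{
    const struct { const char *name; size_t headroom, dev_hdr; } cases[] = {
        { "plain ethernet frame, 2-byte pad",  IP_ALIGN_PAD, 0 },
        { "lan78xx usb frame, 2-byte pad",     IP_ALIGN_PAD, RX_CMD_LEN },
        { "lan78xx usb frame, no pad",         0,            RX_CMD_LEN },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const unsigned char *ip = ip_header_ptr(cases[i].headroom, cases[i].dev_hdr);
        printf("%-34s offset %2td  alignment %2u  32-bit access %s\n",
               cases[i].name, ip - rx_buf, ptr_alignment(ip),
               word_access_ok(ip) ? "ok" : "MISALIGNED");
    }
    return 0;
}
```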