Message-ID: <53800bc3-397a-ed1a-958d-a1dbc887d249@gmail.com>
Date:   Mon, 21 Jan 2019 15:48:11 +0300
From:   "Yuriy M. Kaminskiy" <yumkam@...il.com>
To:     netdev@...r.kernel.org
Cc:     Woojung Huh <woojung.huh@...rochip.com>,
        Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
Subject: [PATCH] lan78xx: fix ip header misalignment

lan78xx.c:rx_submit() allocates space for the frame to be received with 
netdev_alloc_skb_ip_align(), which misaligns the start of the buffer by 2 
bytes in expectation that the frame will start with a 14-byte ethernet 
header, then the ip header; if the start of the buffer is misaligned by 
2 bytes, the ip header will be 16-byte aligned.

Unfortunately, the usb frame that is sent by lan78xx starts with another 
10-byte header (lan78xx_rx(): rx_cmd_a/rx_cmd_b/rx_cmd_c), *then* 
follows the ethernet header, and *then* the ip header (which ends up 
being misaligned).

This issue was observed on an arm platform (where a misaligned 32-bit word 
access triggers an exception and leaves traces in /proc/cpu/alignment, see
https://github.com/raspberrypi/linux/issues/2599 ; for me, just about any 
ipv6 traffic that hits the machine - `ping -I eth0 ip6-allnodes`, tcp/udp 
packets, etc. - triggered an increase in this counter, with 
ip6_datagram_recv_common_ctl, icmpv6_echo_reply, etc. as the culprit).

If we just allocate skb data without any misalignment tricks, the ip header 
will end up at offset 24 (8-byte aligned).

Patch attached; runtime-tested with the raspbian fork of stable/4.14.y 
[4.14.92] on a Raspberry pi 3B+ (it is slightly different from mainline, 
but the patch should not have any conflicts, all affected code is pretty 
much the same).

P.S. I'm not subscribed, please CC me on replies.

View attachment "0001-lan78xx-fix-ip-header-misalignment.patch" of type "text/x-patch" (993 bytes)
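
The offset arithmetic described in the message above, as an added example that is not part of the original post or the attached patch. The helper names are hypothetical; the 2-byte pad is the kernel's default NET_IP_ALIGN, and the 10-byte device header is split as 4+4+2 bytes for rx_cmd_a/rx_cmd_b/rx_cmd_c (an assumption consistent with the 10-byte total given in the post).

```c
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN      14  /* ethernet header: dst MAC, src MAC, ethertype */
#define NET_IP_ALIGN   2  /* default pad used by netdev_alloc_skb_ip_align() */
#define RX_CMD_LEN    10  /* rx_cmd_a (4) + rx_cmd_b (4) + rx_cmd_c (2), assumed split */

/* Offset of the ip header from the aligned start of the receive buffer,
 * given the headroom reserved up front and any device-specific prefix. */
static size_t ip_hdr_offset(size_t reserve, size_t dev_prefix)
{
    return reserve + dev_prefix + ETH_HLEN;
}

/* Largest power of two (capped at 16) that divides the offset. */
static unsigned alignment_of(size_t off)
{
    unsigned a = 1;
    while (a < 16 && off % (a * 2) == 0)
        a *= 2;
    return a;
}

/* Smallest headroom pad that puts the ip header on a 32-bit boundary. */
static size_t pad_for_word_aligned_ip(size_t dev_prefix)
{
    return (4 - (dev_prefix + ETH_HLEN) % 4) % 4;
}

static void report(const char *what, size_t reserve, size_t prefix)
{
    size_t off = ip_hdr_offset(reserve, prefix);
    printf("%-36s ip header at %2zu, %2u-byte aligned%s\n", what, off,
           alignment_of(off),
           alignment_of(off) < 4 ? "  <-- 32-bit loads will trap on arm" : "");
}

int main(void)
{
    report("plain ethernet, 2-byte pad", NET_IP_ALIGN, 0);
    report("lan78xx usb frame, 2-byte pad", NET_IP_ALIGN, RX_CMD_LEN);
    report("lan78xx usb frame, no pad", 0, RX_CMD_LEN);
    printf("pad needed with 10-byte prefix: %zu\n",
           pad_for_word_aligned_ip(RX_CMD_LEN));
    return 0;
}
```
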
