lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 24 Aug 2019 14:51:01 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     liuhangbin@...il.com
Cc:     netdev@...r.kernel.org, sbrivio@...hat.com, wenxu@...oud.cn,
        ast@...com, eric.dumazet@...il.com, ja@....bg
Subject: Re: [PATCHv4 0/2] fix dev null pointer dereference when send
 packets larger than mtu in collect_md mode

From: Hangbin Liu <liuhangbin@...il.com>
Date: Thu, 22 Aug 2019 22:19:47 +0800

> When we send a packet larger than PMTU, we need to reply with
> icmp_send(ICMP_FRAG_NEEDED) or icmpv6_send(ICMPV6_PKT_TOOBIG).
> 
> But with collect_md mode, kernel will crash while accessing the dst dev
> as __metadata_dst_init() init dst->dev to NULL by default. Here is what
> the code path looks like, for GRE:
 ...
> We could not fix it in __metadata_dst_init() as there is no dev supplied.
> Look in to the __icmp_send()/decode_session{4,6} code we could find the dst
> dev is actually not needed. In __icmp_send(), we could get the net by skb->dev.
> For decode_session{4,6}, as it was called by xfrm_decode_session_reverse()
> in this scenario, the oif is not used by
> fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
> 
> The reproducer is easy:
 ...

Series applied, and queued up for -stable, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ