lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Wed, 23 Sep 2020 20:46:26 -0700
From:   Guenter Roeck <linux@...ck-us.net>
To:     netdev@...r.kernel.org
Subject: skb_under_panic with corrupt (?) head/data pointers

Hi,

we are seeing situations where skb_under_panic is reported with bad
data pointers. A recent example is [1], but we have seen more of the same.
Some random examples:

skb_under_panic: text:0000000039ea4f04 len:272 put:48
	head:00000000bdd3f564 data:00000000f70d12b8 tail:0x102 end:0x2c0 dev:wlan0
skb_under_panic: text:0000000063ae0b92 len:822 put:48
	head:000000004ae66619 data:0000000082f8ca57 tail:0x328 end:0x6c0 dev:wlan0
skb_under_panic: text:0000000056205094 len:272 put:48
	head:000000003aad43d6 data:00000000e8cd088c tail:0x102 end:0x2c0 dev:wlan0
skb_under_panic: text:00000000413c3f8c len:368 put:48
	head:00000000ddd1266f data:00000000f13009ae tail:0x162 end:0x2c0 dev:wlan0
skb_under_panic: text:00000000917c4645 len:520 put:48
	head:000000007108f7f3 data:000000003d260246 tail:0x1fa end:0x6c0 dev:wlan0

This specific condition happens rarely; we do see lots of 'normal' skb_under_panic
crashes (with valid head and data pointers) in the same driver.

I would assume that the skbs are corrupted, but then I noticed a similar pattern
in some kernel commit logs.

commit 7901cd97963d:
    skb_under_panic: text:00000000ca46ad8a len:80 put:20
	head:00000000cd28494e data:000000009366fd6b tail:0x3c end:0xec0 dev:veth0
commit 7901cd97963d:
    skb_under_panic: text:000000001d390b3a len:31 put:24
	head:00000000d8ed776f data:000000008150e823 tail:0x7 end:0xc0 dev:gre0

Is there some situation where skb->head and possibly skb->data may not be
initialized correctly ?

Thanks,
Guenter

---
[1] https://www.spinics.net/lists/linux-wireless/msg200403.html

Powered by blists - more mailing lists