Date: Fri, 9 Oct 2020 10:29:20 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Heiner Kallweit <hkallweit1@...il.com>,
 Eric Dumazet <eric.dumazet@...il.com>,
 Eric Dumazet <edumazet@...gle.com>
Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [Bug 209423] WARN_ON_ONCE() at rtl8169_tso_csum_v2()

On 10/8/20 10:54 PM, Heiner Kallweit wrote:
> On 08.10.2020 21:07, Eric Dumazet wrote:
>>
>>
>> On 10/8/20 8:50 PM, Eric Dumazet wrote:
>>>
>>>
>>> OK, it would be nice to know what is the input interface
>>>
>>> if4 -> look at "ip link | grep 4:"
>>>
>>> Then identifying the driver that built such a strange packet (32000
>>> bytes allocated in skb->head)
>>>
>>> ethtool -i ifname
>>>
>>
>> According to https://bugzilla.kernel.org/show_bug.cgi?id=209423
>>
>> iif4 is the tun200 interface used by openvpn.
>>
>> So this might be a tun bug, or lack of proper SKB_GSO_DODGY validation
>> in our stack for buggy/malicious packets.
>>
>>
>
> Following old commit sounds like it might be related:
> 622e0ca1cd4d ("gro: Fix bogus gso_size on the first fraglist entry")
>
> This code however was removed later in 58025e46ea2d ("net: gro: remove
> obsolete code from skb_gro_receive()")
>

GRO won't keep in its queues a GSO packet

dev_gro_receive()
...
    NAPI_GRO_CB(skb)->flush = skb_is_gso(skb) || skb_has_frag_list(skb);
...

Also note that tun no longer can inject a packet with a length of 134 bytes
pretending to have gso_size == 538

Look at virtio_net_hdr_to_skb() and commits

6dd912f82680 ("net: check untrusted gso_size at kernel entry")
7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user")

Really looking at the skb layout I suspect some usbnet bug and a use-after-free.

ASAN build might help.
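
Added example (not part of the original message and not kernel code): a simplified user-space model of the kind of entry check the message points to, where a claimed gso_size is only honoured when the payload past the headers is larger than one segment. The struct, the function names and the 54-byte header length are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for packet metadata (not struct sk_buff). */
struct pkt_meta {
    uint32_t len;       /* total packet length in bytes */
    uint32_t hdr_len;   /* bytes up to the end of the transport header */
    uint16_t gso_size;  /* accepted value; 0 means "not a GSO packet" */
    bool     dodgy;     /* value came from an untrusted source */
};

/*
 * Accept a claimed gso_size only when the payload is larger than one segment.
 * Otherwise the request is ignored and the packet is left as a normal one.
 */
static bool apply_untrusted_gso(struct pkt_meta *p, uint16_t claimed)
{
    p->gso_size = 0;
    p->dodgy = false;
    if (claimed == 0 || p->len < p->hdr_len)
        return false;
    if (p->len - p->hdr_len <= claimed)
        return false;           /* too small to really be GSO */
    p->gso_size = claimed;
    p->dodgy = true;            /* headers and segment count still need checking */
    return true;
}

/* Convenience wrapper: returns the gso_size that would be accepted. */
static uint16_t accepted_gso_size(uint32_t len, uint32_t hdr_len, uint16_t claimed)
{
    struct pkt_meta p = { .len = len, .hdr_len = hdr_len };
    apply_untrusted_gso(&p, claimed);
    return p.gso_size;
}

int main(void)
{
    /* Constructed inputs: the 134-byte / 538 case from the message, plus a
     * 3000-byte packet; the 54-byte header length is an assumption. */
    printf("134 bytes:  %u\n", (unsigned)accepted_gso_size(134, 54, 538));
    printf("3000 bytes: %u\n", (unsigned)accepted_gso_size(3000, 54, 538));
    return 0;
}
```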