| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <DM6PR15MB2793AC8087CB99E590C03B99BDA30@DM6PR15MB2793.namprd15.prod.outlook.com>
Date: Tue, 19 Jan 2021 16:35:49 +0000
From: Alexander Duyck <alexanderduyck@...com>
To: Paolo Abeni <pabeni@...hat.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Xin Long <lucien.xin@...il.com>
Subject: RE: [PATCH net-next] net: fix GSO for SG-enabled devices.
> -----Original Message-----
> From: Paolo Abeni <pabeni@...hat.com>
> Sent: Tuesday, January 19, 2021 4:31 AM
> To: netdev@...r.kernel.org
> Cc: David S . Miller <davem@...emloft.net>; Jakub Kicinski
> <kuba@...nel.org>; Alexander Duyck <alexanderduyck@...com>; Xin Long
> <lucien.xin@...il.com>
> Subject: [PATCH net-next] net: fix GSO for SG-enabled devices.
>
> The commit dbd50f238dec ("net: move the hsize check to the else block in
> skb_segment") introduced a data corruption for devices supporting scatter-
> gather.
>
> The problem boils down to signed/unsigned comparison given unexpected
> results: if signed 'hsize' is negative, it will be considered greater than a
> positive 'len', which is unsigned.
>
> This commit addresses the issue explicitly casting 'len' to a signed integer, so
> that the comparison gives the correct result.
>
> Bisected-by: Matthieu Baerts <matthieu.baerts@...sares.net>
> Fixes: dbd50f238dec ("net: move the hsize check to the else block in
> skb_segment")
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> ---
> note: a possible more readable alternative would be moving the
> if (hsize < 0)
>
> before 'if (hsize > len)', but that was explicitly discouraged in a previous
> iteration of the blamed commit to save a comparison, so I opted to preserve
> that optimization.
I would say it is probably better to just moving the "hsize < 0" check. What I had suggested was a minor optimization and it hadn't occurred to me that this is a signed vs unsigned comparison.
> ---
> net/core/skbuff.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c index
> e835193cabcc3..27f69c0bd8393 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -3938,7 +3938,7 @@ struct sk_buff *skb_segment(struct sk_buff
> *head_skb,
> skb_release_head_state(nskb);
> __skb_push(nskb, doffset);
> } else {
> - if (hsize > len || !sg)
> + if (hsize > (int)len || !sg)
> hsize = len;
> else if (hsize < 0)
> hsize = 0;
Powered by blists - more mailing lists