lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YXKKR6evg66Ip4UB@hovoldconsulting.com>
Date:   Fri, 22 Oct 2021 11:54:15 +0200
From:   Johan Hovold <johan@...nel.org>
To:     Bernard Zhao <bernard@...o.com>
Cc:     Oliver Neukum <oneukum@...e.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/usb: potential fix divide error: 0000

On Thu, Oct 21, 2021 at 11:32:38PM -0700, Bernard Zhao wrote:
> This patch try to fix divide error in drivers/net/usb/usbnet.c.
> This bug is reported by google syzbot,
> divide error: 0000 [#1] SMP KASAN
> CPU: 0 PID: 1315 Comm: kworker/0:6 Not tainted 5.15.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: mld mld_ifc_work
> RIP: 0010:usbnet_start_xmit+0x3f1/0x1f70 drivers/net/usb/usbnet.c:1404
> Call Trace:
>  __netdev_start_xmit include/linux/netdevice.h:4988 [inline]
>  netdev_start_xmit include/linux/netdevice.h:5002 [inline]
>  xmit_one net/core/dev.c:3576 [inline]
>  dev_hard_start_xmit+0x1df/0x890 net/core/dev.c:3592
>  sch_direct_xmit+0x25b/0x790 net/sched/sch_generic.c:342
>  __dev_xmit_skb net/core/dev.c:3803 [inline]
>  __dev_queue_xmit+0xf25/0x2d40 net/core/dev.c:4170
>  neigh_resolve_output net/core/neighbour.c:1492 [inline]
>  neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1472
>  neigh_output include/net/neighbour.h:510 [inline]
>  ip6_finish_output2+0xdbe/0x1b20 net/ipv6/ip6_output.c:126
>  __ip6_finish_output.part.0+0x387/0xbb0 net/ipv6/ip6_output.c:191
>  __ip6_finish_output include/linux/skbuff.h:982 [inline]
>  ip6_finish_output net/ipv6/ip6_output.c:201 [inline]
>  NF_HOOK_COND include/linux/netfilter.h:296 [inline]
>  ip6_output+0x3d2/0x810 net/ipv6/ip6_output.c:224
>  dst_output include/net/dst.h:450 [inline]
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilt
> the link is:
> https://syzkaller.appspot.com/bug?id=e829c15b6c30d4680cf3198f72b0414adc907911
> 
> Signed-off-by: Bernard Zhao <bernard@...o.com>
> ---
>  drivers/net/usb/usbnet.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 840c1c2ab16a..ada1b8242498 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -397,7 +397,7 @@ int usbnet_change_mtu (struct net_device *net, int new_mtu)
>  	int		old_rx_urb_size = dev->rx_urb_size;
>  
>  	// no second zero-length packet read wanted after mtu-sized packets
> -	if ((ll_mtu % dev->maxpacket) == 0)
> +	if (dev->maxpacket && ((ll_mtu % dev->maxpacket) == 0))
>  		return -EDOM;
>  	net->mtu = new_mtu;
>  
> @@ -1401,7 +1401,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
>  	 * handling ZLP/short packets, so cdc_ncm driver will make short
>  	 * packet itself if needed.
>  	 */
> -	if (length % dev->maxpacket == 0) {
> +	if (dev->maxpacket && (length % dev->maxpacket == 0)) {
>  		if (!(info->flags & FLAG_SEND_ZLP)) {
>  			if (!(info->flags & FLAG_MULTI_PACKET)) {
>  				length++;

This was fixed properly yesterday:

	https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ