lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3a2e877f-250a-4f58-fee0-a125741ec3ef@amd.com>
Date:   Thu, 27 Jan 2022 08:47:07 -0600
From:   Tom Lendacky <thomas.lendacky@....com>
To:     Shyam Sundar S K <Shyam-sundar.S-k@....com>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Cc:     netdev@...r.kernel.org, Raju.Rangoju@....com
Subject: Re: [PATCH net] net: amd-xgbe: Fix skb data length underflow

On 1/27/22 03:20, Shyam Sundar S K wrote:
> There will be BUG_ON() triggered in include/linux/skbuff.h leading to
> intermittent kernel panic, when the skb length underflow is detected.
> 
> Fix this by dropping the packet if such length underflows are seen
> because of inconsistencies in the hardware descriptors.
> 
> Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware")
> Suggested-by: Tom Lendacky <thomas.lendacky@....com>
> Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@....com>

Acked-by: Tom Lendacky <thomas.lendacky@....com>

> ---
>   drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 12 +++++++++++-
>   1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
> index 492ac383f16d..ec3b287e3a71 100644
> --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
> +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
> @@ -2550,6 +2550,14 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
>   			buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
>   			len += buf2_len;
>   
> +			if (buf2_len > rdata->rx.buf.dma_len) {
> +				/* Hardware inconsistency within the descriptors
> +				 * that has resulted in a length underflow.
> +				 */
> +				error = 1;
> +				goto skip_data;
> +			}
> +
>   			if (!skb) {
>   				skb = xgbe_create_skb(pdata, napi, rdata,
>   						      buf1_len);
> @@ -2579,8 +2587,10 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
>   		if (!last || context_next)
>   			goto read_again;
>   
> -		if (!skb)
> +		if (!skb || error) {
> +			dev_kfree_skb(skb);
>   			goto next_packet;
> +		}
>   
>   		/* Be sure we don't exceed the configured MTU */
>   		max_len = netdev->mtu + ETH_HLEN;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ