lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <62bd50d459166_54c3b2089f@john.notmuch>
Date:   Thu, 30 Jun 2022 00:29:24 -0700
From:   John Fastabend <john.fastabend@...il.com>
To:     Liu Jian <liujian56@...wei.com>, john.fastabend@...il.com,
        jakub@...udflare.com, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com, ast@...nel.org,
        daniel@...earbox.net, andrii@...nel.org, kafai@...com,
        songliubraving@...com, yhs@...com, kpsingh@...nel.org,
        netdev@...r.kernel.org, bpf@...r.kernel.org
Cc:     liujian56@...wei.com
Subject: RE: [PATCH bpf] skmsg: Fix invalid last sg check in sk_msg_recvmsg()

Liu Jian wrote:
> In sk_psock_skb_ingress_enqueue function, if the linear area + nr_frags +
> frag_list of the SKB has NR_MSG_FRAG_IDS blocks in total, skb_to_sgvec
> will return NR_MSG_FRAG_IDS, then msg->sg.end will be set to
> NR_MSG_FRAG_IDS, and in addition, (NR_MSG_FRAG_IDS - 1) is set to the last
> SG of msg. Recv the msg in sk_msg_recvmsg, when i is (NR_MSG_FRAG_IDS - 1),
> the sk_msg_iter_var_next(i) will change i to 0 (not NR_MSG_FRAG_IDS), the
> judgment condition "msg_rx->sg.start==msg_rx->sg.end" and
> "i != msg_rx->sg.end" can not work.
> 
> As a result, the processed msg cannot be deleted from ingress_msg list.
> But the length of all the sge of the msg has changed to 0. Then the next
> recvmsg syscall will process the msg repeatedly, because the length of sge
> is 0, the -EFAULT error is always returned.
> 
> Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
> Signed-off-by: Liu Jian <liujian56@...wei.com>
> ---
>  net/core/skmsg.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/skmsg.c b/net/core/skmsg.c
> index b0fcd0200e84..a8dbea559c7f 100644
> --- a/net/core/skmsg.c
> +++ b/net/core/skmsg.c
> @@ -462,7 +462,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
>  
>  			if (copied == len)
>  				break;
> -		} while (i != msg_rx->sg.end);
> +		} while (!sg_is_last(sge));
>  
>  		if (unlikely(peek)) {
>  			msg_rx = sk_psock_next_msg(psock, msg_rx);
> @@ -472,7 +472,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
>  		}
>  
>  		msg_rx->sg.start = i;
> -		if (!sge->length && msg_rx->sg.start == msg_rx->sg.end) {
> +		if (!sge->length && sg_is_last(sge)) {
>  			msg_rx = sk_psock_dequeue_msg(psock);
>  			kfree_sk_msg(msg_rx);
>  		}
> -- 
> 2.17.1
> 

Looks correct to me, but I'll test it tomorrow and add a reviewed-by and
tested-by then. Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ