Message-ID: <71a398bb-7dfc-dd3e-227c-0d465e3cd634@datenfreihafen.org>
Date: Wed, 5 Oct 2022 12:57:48 +0200
From: Stefan Schmidt <stefan@...enfreihafen.org>
To: Alexander Aring <aahringo@...hat.com>, penguin-kernel@...ove.sakura.ne.jp
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, linux-wpan@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH net 2/2] net/ieee802154: don't warn zero-sized raw_sendmsg()

Hello.

On 05.10.22 03:47, Alexander Aring wrote:
> From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
>
> syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
> for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting
> __dev_queue_xmit() with skb->len == 0.
>
> Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was
> able to return 0, don't call __dev_queue_xmit() if packet length is 0.
>
> ----------
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> int main(int argc, char *argv[])
> {
>   struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
>   struct iovec iov = { };
>   struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
>   sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
>   return 0;
> }
> ----------
>
> Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't
> redirect packets with invalid pkt_len") should be reverted, for
> skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
>
> Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4 [1]
> Reported-by: syzbot <syzbot+5ea725c25d06fb9114c4@...kaller.appspotmail.com>
> Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len")
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> Signed-off-by: Alexander Aring <aahringo@...hat.com>
> ---
> net/ieee802154/socket.c | 4 ++++
> 1 file changed, 4 insertions(+)
> > diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c > index 7889e1ef7fad..6e55fae4c686 100644 > --- a/net/ieee802154/socket.c > +++ b/net/ieee802154/socket.c > @@ -272,6 +272,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) > err = -EMSGSIZE; > goto out_dev; > } > + if (!size) { > + err = 0; > + goto out_dev; > + } > > hlen = LL_RESERVED_SPACE(dev); > tlen = dev->needed_tailroom; This patch has been applied to the wpan tree and will be part of the next pull request to net. Thanks! regards Stefan Schmidt
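
Review bot: The new `if (!size)` early return in raw_sendmsg() carries no comment, so the reason a zero-length send returns 0 without transmitting is recorded only in the commit message. A one-line comment above the check, stating that a zero-length send returns 0 without calling __dev_queue_xmit() because that path warns on skb->len == 0, would keep the rationale visible in the source. The check also sits after the `err = -EMSGSIZE` test and exits through `out_dev`, so an empty request still passes through the earlier checks before returning; if that ordering is deliberate, so that the earlier error returns stay unchanged for empty sends, the commit message should say so.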