| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Feb 2023 17:08:05 +0530
From: Naresh Kamboju <naresh.kamboju@...aro.org>
To: edumazet@...gle.com
Cc: alexanderduyck@...com, davem@...emloft.net, eric.dumazet@...il.com,
kuba@...nel.org, netdev@...r.kernel.org, pabeni@...hat.com,
soheil@...gle.com, syzkaller@...glegroups.com,
lkft-triage@...ts.linaro.org,
Linux Kernel Functional Testing <lkft@...aro.org>
Subject: [PATCH net-next] net: enable usercopy for skb_small_head_cache
> syzbot and other bots reported that we have to enable
> user copy to/from skb->head. [1]
>
> We can prevent access to skb_shared_info, which is a nice
> improvement over standard kmem_cache.
>
> Layout of these kmem_cache objects is:
>
> < SKB_SMALL_HEAD_HEADROOM >< struct skb_shared_info >
>
> usercopy: Kernel memory overwrite attempt detected to SLUB object 'skbuff_small_head' (offset 32, size 20)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102 !
[...]
LKFT also reported this problem on today's Linux next-20230209.
Link: https://lore.kernel.org/linux-next/CA+G9fYs-i-c2KTSA7Ai4ES_ZESY1ZnM=Zuo8P1jN00oed6KHMA@mail.gmail.com
Reported-by: Linux Kernel Functional Testing <lkft@...aro.org>
>
> Fixes: bf9f1baa279f ("net: add dedicated kmem_cache for typical/small skb->head")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Tested-by: Linux Kernel Functional Testing <lkft@...aro.org>
Thanks for providing a quick fix.
--
Linaro LKFT
https://lkft.linaro.org
Powered by blists - more mailing lists