Message-Id: <20230209113805.48844-1-naresh.kamboju@linaro.org>
Date:   Thu,  9 Feb 2023 17:08:05 +0530
From:   Naresh Kamboju <naresh.kamboju@...aro.org>
To:     edumazet@...gle.com
Cc:     alexanderduyck@...com, davem@...emloft.net, eric.dumazet@...il.com,
        kuba@...nel.org, netdev@...r.kernel.org, pabeni@...hat.com,
        soheil@...gle.com, syzkaller@...glegroups.com,
        lkft-triage@...ts.linaro.org,
        Linux Kernel Functional Testing <lkft@...aro.org>
Subject: [PATCH net-next] net: enable usercopy for skb_small_head_cache

> syzbot and other bots reported that we have to enable
> user copy to/from skb->head. [1]
> 
> We can prevent access to skb_shared_info, which is a nice
> improvement over standard kmem_cache.
> 
> Layout of these kmem_cache objects is:
> 
> < SKB_SMALL_HEAD_HEADROOM >< struct skb_shared_info >
>
> usercopy: Kernel memory overwrite attempt detected to SLUB object 'skbuff_small_head' (offset 32, size 20)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102 !
[...]

LKFT also reported this problem on today's Linux next-20230209.

Link: https://lore.kernel.org/linux-next/CA+G9fYs-i-c2KTSA7Ai4ES_ZESY1ZnM=Zuo8P1jN00oed6KHMA@mail.gmail.com
Reported-by: Linux Kernel Functional Testing <lkft@...aro.org>

> 
> Fixes: bf9f1baa279f ("net: add dedicated kmem_cache for typical/small skb->head")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>

Tested-by: Linux Kernel Functional Testing <lkft@...aro.org>

Thanks for providing a quick fix.

--
Linaro LKFT
https://lkft.linaro.org
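
Added example (not part of the original message or of the kernel patch): a user-space C model of the hardened-usercopy window check that produced the BUG quoted above, applied to the object layout the commit message describes. The struct, the function name, the two MODEL_* sizes and the assumption that the fixed cache whitelists exactly the headroom are illustrative; the offset 32 / size 20 copy is the one from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model of a slab cache's usercopy window (not kernel code). */
struct cache_model {
    const char *name;
    size_t object_size;  /* whole object: headroom + shared info */
    size_t useroffset;   /* start of the region user copies may touch */
    size_t usersize;     /* length of that region; 0 = no user copies */
};

/* Constructed sizes for illustration; the real values depend on the
 * kernel configuration and are not given in the message. */
#define MODEL_HEADROOM     384u  /* stands in for SKB_SMALL_HEAD_HEADROOM */
#define MODEL_SHINFO_SIZE  320u  /* stands in for sizeof(struct skb_shared_info) */

/* True if copying n bytes at `offset` stays inside the whitelisted window.
 * Ordered so that hostile offset/n values cannot wrap the arithmetic. */
static bool usercopy_allowed(const struct cache_model *c, size_t offset, size_t n)
{
    if (offset < c->useroffset)
        return false;
    size_t into = offset - c->useroffset;
    if (into > c->usersize)
        return false;
    return n <= c->usersize - into;
}

/* Cache created without a usercopy region: every user copy is refused. */
static const struct cache_model before_fix = {
    "skbuff_small_head", MODEL_HEADROOM + MODEL_SHINFO_SIZE, 0, 0
};
/* Assumed fixed form: window covers the headroom, not skb_shared_info. */
static const struct cache_model after_fix = {
    "skbuff_small_head", MODEL_HEADROOM + MODEL_SHINFO_SIZE, 0, MODEL_HEADROOM
};

int main(void)
{
    /* The copy from the report: offset 32, size 20. */
    printf("before fix: %d\n", usercopy_allowed(&before_fix, 32, 20));
    printf("after fix:  %d\n", usercopy_allowed(&after_fix, 32, 20));
    /* A copy that would run into the shared-info area stays blocked. */
    printf("into shinfo: %d\n", usercopy_allowed(&after_fix, MODEL_HEADROOM - 4, 20));
    return 0;
}
```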
