| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACGkMEsE8TosCxyf4GwmsBzo1Ot9FiLtsWt16oz0f0J99DGYCg@mail.gmail.com>
Date: Fri, 14 Apr 2023 13:40:32 +0800
From: Jason Wang <jasowang@...hat.com>
To: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
Cc: netdev@...r.kernel.org, "Michael S. Tsirkin" <mst@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>,
virtualization@...ts.linux-foundation.org, bpf@...r.kernel.org
Subject: Re: [PATCH net] virtio_net: bugfix overflow inside xdp_linearize_page()
On Thu, Apr 13, 2023 at 8:19 PM Xuan Zhuo <xuanzhuo@...ux.alibaba.com> wrote:
>
> Here we copy the data from the original buf to the new page. But we
> not check that it may be overflow.
>
> As long as the size received(including vnethdr) is greater than 3840
> (PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow.
>
> And this is completely possible, as long as the MTU is large, such
> as 4096. In our test environment, this will cause crash. Since crash is
> caused by the written memory, it is meaningless, so I do not include it.
>
> Signed-off-by: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
Missing fixes tag?
Other than this,
Acked-by: Jason Wang <jasowang@...hat.com>
Thanks
> ---
> drivers/net/virtio_net.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
> index 2396c28c0122..ea1bd4bb326d 100644
> --- a/drivers/net/virtio_net.c
> +++ b/drivers/net/virtio_net.c
> @@ -814,8 +814,13 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
> int page_off,
> unsigned int *len)
> {
> - struct page *page = alloc_page(GFP_ATOMIC);
> + int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> + struct page *page;
> +
> + if (page_off + *len + tailroom > PAGE_SIZE)
> + return NULL;
>
> + page = alloc_page(GFP_ATOMIC);
> if (!page)
> return NULL;
>
> @@ -823,7 +828,6 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
> page_off += *len;
>
> while (--*num_buf) {
> - int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> unsigned int buflen;
> void *buf;
> int off;
> --
> 2.32.0.3.g01195cf9f
>
Powered by blists - more mailing lists