| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1681451962.2157283-1-xuanzhuo@linux.alibaba.com>
Date: Fri, 14 Apr 2023 13:59:22 +0800
From: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
To: Jason Wang <jasowang@...hat.com>
Cc: netdev@...r.kernel.org, "Michael S. Tsirkin" <mst@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>,
virtualization@...ts.linux-foundation.org, bpf@...r.kernel.org
Subject: Re: [PATCH net] virtio_net: bugfix overflow inside xdp_linearize_page()
On Fri, 14 Apr 2023 13:40:32 +0800, Jason Wang <jasowang@...hat.com> wrote:
> On Thu, Apr 13, 2023 at 8:19 PM Xuan Zhuo <xuanzhuo@...ux.alibaba.com> wrote:
> >
> > Here we copy the data from the original buf to the new page. But we
> > not check that it may be overflow.
> >
> > As long as the size received(including vnethdr) is greater than 3840
> > (PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow.
> >
> > And this is completely possible, as long as the MTU is large, such
> > as 4096. In our test environment, this will cause crash. Since crash is
> > caused by the written memory, it is meaningless, so I do not include it.
> >
> > Signed-off-by: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
>
> Missing fixes tag?
>
> Other than this,
>
> Acked-by: Jason Wang <jasowang@...hat.com>
Sorry, miss this.
Thanks.
>
> Thanks
>
> > ---
> > drivers/net/virtio_net.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
> > index 2396c28c0122..ea1bd4bb326d 100644
> > --- a/drivers/net/virtio_net.c
> > +++ b/drivers/net/virtio_net.c
> > @@ -814,8 +814,13 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
> > int page_off,
> > unsigned int *len)
> > {
> > - struct page *page = alloc_page(GFP_ATOMIC);
> > + int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> > + struct page *page;
> > +
> > + if (page_off + *len + tailroom > PAGE_SIZE)
> > + return NULL;
> >
> > + page = alloc_page(GFP_ATOMIC);
> > if (!page)
> > return NULL;
> >
> > @@ -823,7 +828,6 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
> > page_off += *len;
> >
> > while (--*num_buf) {
> > - int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> > unsigned int buflen;
> > void *buf;
> > int off;
> > --
> > 2.32.0.3.g01195cf9f
> >
>
Powered by blists - more mailing lists