| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Jul 2023 13:08:00 +0000 From: Kaiyu Zhang <squirrel.prog@...il.com> To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, Kaiyu Zhang <squirrel.prog@...il.com> Subject: [PATCH] gro: check returned skb of napi_frags_skb() against NULL Some rogue network adapter and their driver pass bad skbs to GRO. napi_frags_skb() detects this, drops these bad skbs, and return NULL to napi_gro_frags(), which does not check returned skb against NULL and access it. This results in a kernel crash. A better approach to address these bad skbs would be to issue some warnings and drop them, which napi_frags_skb() already does, and move on without crashing the kernel. Signed-off-by: Kaiyu Zhang <squirrel.prog@...il.com> --- net/core/gro.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/gro.c b/net/core/gro.c index 0759277dc..18d92016b 100644 --- a/net/core/gro.c +++ b/net/core/gro.c @@ -731,6 +731,9 @@ gro_result_t napi_gro_frags(struct napi_struct *napi) gro_result_t ret; struct sk_buff *skb = napi_frags_skb(napi); + if (unlikely(!skb)) + return GRO_CONSUMED; + trace_napi_gro_frags_entry(skb); ret = napi_frags_finish(napi, skb, dev_gro_receive(napi, skb)); -- 2.34.1
Powered by blists - more mailing lists