lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Za6h-tB7plgKje5r@casper.infradead.org>
Date: Mon, 22 Jan 2024 17:12:26 +0000
From: Matthew Wilcox <willy@...radead.org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "zhangpeng (AS)" <zhangpeng362@...wei.com>, linux-mm@...ck.org,
	linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org,
	akpm@...ux-foundation.org, davem@...emloft.net, dsahern@...nel.org,
	kuba@...nel.org, pabeni@...hat.com, arjunroy@...gle.com,
	wangkefeng.wang@...wei.com
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY

On Mon, Jan 22, 2024 at 05:30:18PM +0100, Eric Dumazet wrote:
> On Mon, Jan 22, 2024 at 5:04 PM Matthew Wilcox <willy@...radead.org> wrote:
> > I'm disappointed to have no reaction from netdev so far.  Let's see if a
> > more exciting subject line evinces some interest.
> 
> Hmm, perhaps some of us were enjoying their weekend ?

I am all in favour of people taking time off!  However the report came
in on Friday at 9am UTC so it had been more than a work day for anyone
anywhere in the world without response.

> I don't really know what changed recently, all I know is that TCP zero
> copy is for real network traffic.
> 
> Real trafic uses order-0 pages, 4K at a time.
> 
> If can_map_frag() needs to add another safety check, let's add it.

So it's your opinion that people don't actually use sendfile() from
a local file, and we can make this fail to zerocopy?  That's good
because I had a slew of questions about what expectations we had around
cache coherency between pages mapped this way and write()/mmap() of
the original file.  If we can just disallow this, we don't need to
have a discussion about it.

> syzbot is usually quite good at bisections, was a bug origin found ?

I have the impression that Huawei run syzkaller themselves without
syzbot.  I suspect this bug has been there for a good long time.
Wonder why nobody's found it before; it doesn't seem complicated for a
fuzzer to stumble into.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ