lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZmMxzPoDTNu06itR@pop-os.localdomain>
Date: Fri, 7 Jun 2024 09:14:04 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Florian Westphal <fw@...len.de>
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org,
	Cong Wang <cong.wang@...edance.com>,
	syzbot+0c4150bff9fff3bf023c@...kaller.appspotmail.com
Subject: Re: [Patch net] net: remove the bogus overflow debug check in
 pskb_may_pull()

On Fri, Jun 07, 2024 at 01:27:47AM +0200, Florian Westphal wrote:
> Cong Wang <xiyou.wangcong@...il.com> wrote:
> > From: Cong Wang <cong.wang@...edance.com>
> > 
> > Commit 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push
> > helpers") introduced an overflow debug check for pull/push helpers.
> > For __skb_pull() this makes sense because its callers rarely check its
> > return value. But for pskb_may_pull() it does not make sense, since its
> > return value is properly taken care of. Remove the one in
> > pskb_may_pull(), we can continue rely on its return value.
> 
> See 025f8ad20f2e3264d11683aa9cbbf0083eefbdcd which would not exist
> without this check, I would not give up yet.

What's the point of that commit?

The "fix" (I doubt it fixes anything) you had is merely exiting a few
lines earlier than pskb_may_pull():

 30         if (!skb_inner_network_header_was_set(skb))
 31                 goto out;
 32 
 33         skb_reset_network_header(skb);
 34         mpls_hlen = skb_inner_network_header(skb) - skb_network_header(skb);
 35         if (unlikely(!mpls_hlen || mpls_hlen % MPLS_HLEN))
 36                 goto out;
 37         if (unlikely(!pskb_may_pull(skb, mpls_hlen)))
 38                 goto out;

Before your "fix", we exit on line 37. After your "fix", we exit on line
30. I don't see any difference here, it returns -EINVAL anyway.

> 
> bpf_try_make_writable() could do an explicit check vs. skb->len.

But why? I don't see the point of its existence. pskb_may_pull() already
checks it very well:

2741         if (unlikely(len > skb->len))
2742                 return SKB_DROP_REASON_PKT_TOO_SMALL;

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ