lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com>
Date: Sat, 8 Jun 2024 10:01:32 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>, xiyou.wangcong@...il.com
Cc: bpf@...r.kernel.org, cong.wang@...edance.com, fw@...len.de,
 netdev@...r.kernel.org, syzbot+0c4150bff9fff3bf023c@...kaller.appspotmail.com
Subject: Re: [Patch net] net: remove the bogus overflow debug check in
 pskb_may_pull()


On 6/7/24 23:32, Kuniyuki Iwashima wrote:
> From: Cong Wang <xiyou.wangcong@...il.com>
> Date: Fri, 7 Jun 2024 09:14:04 -0700
>> On Fri, Jun 07, 2024 at 01:27:47AM +0200, Florian Westphal wrote:
>>> Cong Wang <xiyou.wangcong@...il.com> wrote:
>>>> From: Cong Wang <cong.wang@...edance.com>
>>>>
>>>> Commit 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push
>>>> helpers") introduced an overflow debug check for pull/push helpers.
>>>> For __skb_pull() this makes sense because its callers rarely check its
>>>> return value. But for pskb_may_pull() it does not make sense, since its
>>>> return value is properly taken care of. Remove the one in
>>>> pskb_may_pull(), we can continue rely on its return value.
>>> See 025f8ad20f2e3264d11683aa9cbbf0083eefbdcd which would not exist
>>> without this check, I would not give up yet.
>> What's the point of that commit?
> 4b911a9690d7 would be better example.  The warning actually found a
> bug in NSH GSO.
>
> Here's splats triggered by syzkaller using NSH over various tunnels.
> https://lore.kernel.org/netdev/20240415222041.18537-2-kuniyu@amazon.com/


Right. We discussed this before. I guess I forgot to send the fix.

Florian could you submit the suggestion I made before ?

diff --git a/net/core/filter.c b/net/core/filter.c
index 
358870408a51e61f3cbc552736806e4dfee1ec39..da7aae6fd8ba557c66699d1cfebd47f18f442aa2 
100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1662,6 +1662,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
  static inline int __bpf_try_make_writable(struct sk_buff *skb,
                        unsigned int write_len)
  {
+#if defined(CONFIG_DEBUG_NET)
+    /* Avoid a splat in pskb_may_pull_reason() */
+    if (write_len > INT_MAX)
+        return -EINVAL;
+#endif
      return skb_ensure_writable(skb, write_len);
  }



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ