Message-ID: <69e38457-1b84-4310-a4a7-6bae996384ba@intel.com>
Date: Wed, 22 Jan 2025 11:38:55 -0800
From: Jacob Keller <jacob.e.keller@...el.com>
To: Denis Arefev <arefev@...mel.ru>, <stable@...r.kernel.org>, "Greg
 Kroah-Hartman" <gregkh@...uxfoundation.org>
CC: Nick Child <nnac123@...ux.ibm.com>, Dany Madden <drt@...ux.ibm.com>,
	"Lijun Pan" <ljp@...ux.ibm.com>, Sukadev Bhattiprolu <sukadev@...ux.ibm.com>,
	"Michael Ellerman" <mpe@...erman.id.au>, Benjamin Herrenschmidt
	<benh@...nel.crashing.org>, Paul Mackerras <paulus@...ba.org>, "David S.
 Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
	<netdev@...r.kernel.org>, <linuxppc-dev@...ts.ozlabs.org>,
	<linux-kernel@...r.kernel.org>, Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH 5.10] ibmvnic: Add tx check to prevent skb leak



On 1/20/2025 4:46 AM, Denis Arefev wrote:
> From: Nick Child <nnac123@...ux.ibm.com>
> 
> From: Nick Child <nnac123@...ux.ibm.com>
> 
> commit 0983d288caf984de0202c66641577b739caad561 upstream.
> 
> Below is a summary of how the driver stores a reference to an skb during
> transmit:
>     tx_buff[free_map[consumer_index]]->skb = new_skb;
>     free_map[consumer_index] = IBMVNIC_INVALID_MAP;
>     consumer_index ++;
> Where variable data looks like this:
>     free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]
>                                                	consumer_index^
>     tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]
> 
> The driver has checks to ensure that free_map[consumer_index] pointed to
> a valid index but there was no check to ensure that this index pointed
> to an unused/null skb address. So, if, by some chance, our free_map and
> tx_buff lists become out of sync then we were previously risking an
> skb memory leak. This could then cause tcp congestion control to stop
> sending packets, eventually leading to ETIMEDOUT.
> 
> Therefore, add a conditional to ensure that the skb address is null. If
> not then warn the user (because this is still a bug that should be
> patched) and free the old pointer to prevent memleak/tcp problems.
> 
> Signed-off-by: Nick Child <nnac123@...ux.ibm.com>
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> [Denis: minor fix to resolve merge conflict.]
> Signed-off-by: Denis Arefev <arefev@...mel.ru>
> ---

I thought the process asked to have the stable tag, i.e.

Cc: <stable@...r.kernel.org> # 5.10.x

Anyways, this looks good to me, and seems like a good candidate for
backporting.

Reviewed-by: Jacob Keller <jacob.e.keller@...el.com>

Thanks,
Jake

> Backport fix for CVE-2024-41066
> Link: https://nvd.nist.gov/vuln/detail/CVE-2024-41066
> ---
>  drivers/net/ethernet/ibm/ibmvnic.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
> index 84da6ccaf339..439796975cbf 100644
> --- a/drivers/net/ethernet/ibm/ibmvnic.c
> +++ b/drivers/net/ethernet/ibm/ibmvnic.c
> @@ -1625,6 +1625,18 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
>  	    (tx_pool->consumer_index + 1) % tx_pool->num_buffers;
>  
>  	tx_buff = &tx_pool->tx_buff[index];
> +
> +	/* Sanity checks on our free map to make sure it points to an index
> +	 * that is not being occupied by another skb. If skb memory is
> +	 * not freed then we see congestion control kick in and halt tx.
> +	 */
> +	if (unlikely(tx_buff->skb)) {
> +		dev_warn_ratelimited(dev, "TX free map points to untracked skb (%s %d idx=%d)\n",
> +				     skb_is_gso(skb) ? "tso_pool" : "tx_pool",
> +				     queue_num, bufidx);
> +		dev_kfree_skb_any(tx_buff->skb);
> +	}
> +
>  	tx_buff->skb = skb;
>  	tx_buff->data_dma[0] = data_dma_addr;
>  	tx_buff->data_len[0] = skb->len;
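
Review bot: the dev_warn_ratelimited() call prints the slot as bufidx, but the context line directly above the added block selects the buffer with tx_pool->tx_buff[index]. Since this backport carried a merge-conflict fixup, please confirm that bufidx is declared in the 5.10 ibmvnic_xmit() and holds the same value as index at this point; if not, pass index to the format string so the logged idx matches the tx_buff entry that is being freed. The same check applies to dev and queue_num, whose declarations are outside the visible hunk.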
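
The free_map / tx_buff bookkeeping summarised in the quoted commit message, as an added user-space C model that is not part of the original thread or the driver's code. The struct layout, function names, the INVALID_MAP value, malloc() standing in for skb allocation, and the starting consumer_index of 3 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#define NUM_BUFFERS 5
#define INVALID_MAP (-1)            /* stand-in for IBMVNIC_INVALID_MAP */

struct tx_pool {                    /* simplified model, not the driver's struct */
    int   free_map[NUM_BUFFERS];
    void *skb[NUM_BUFFERS];         /* models tx_buff[i].skb */
    int   consumer_index;
    int   leaked;                   /* tracked pointers overwritten without a free */
};

/* Store new_skb in the next free slot; with_check mirrors the patched path. */
static int pool_xmit(struct tx_pool *p, void *new_skb, int with_check)
{
    int index = p->free_map[p->consumer_index];
    if (index == INVALID_MAP)
        return -1;                  /* no free buffer available */
    if (p->skb[index]) {            /* free_map and tx_buff are out of sync */
        if (with_check)
            free(p->skb[index]);    /* patched: release the old pointer */
        else
            p->leaked++;            /* unpatched: old pointer is lost here */
    }
    p->skb[index] = new_skb;
    p->free_map[p->consumer_index] = INVALID_MAP;
    p->consumer_index = (p->consumer_index + 1) % NUM_BUFFERS;
    return 0;
}

/* Build the state from the commit message, force a desync, transmit once. */
static int run_scenario(int with_check)
{
    struct tx_pool p = { {4, INVALID_MAP, INVALID_MAP, 0, 3}, {0}, 3, 0 };
    void *stale;
    p.skb[1] = malloc(16);          /* in-flight skbs, as in the summary */
    p.skb[2] = malloc(16);
    p.skb[0] = stale = malloc(16);  /* constructed desync: slot 0 listed free but occupied */
    pool_xmit(&p, malloc(16), with_check);
    if (!with_check)
        free(stale);                /* keep the demo process itself leak-free */
    for (int i = 0; i < NUM_BUFFERS; i++)
        free(p.skb[i]);
    return p.leaked;                /* number of skb pointers lost by the xmit path */
}

int main(void)
{
    printf("unpatched: %d leaked, patched: %d leaked\n", run_scenario(0), run_scenario(1));
}
```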

