Message-ID: <20250509125631.cckfc2ychkyobqqo@skbuf>
Date: Fri, 9 May 2025 15:56:31 +0300
From: Vladimir Oltean <olteanv@...il.com>
To: Andrew Lunn <andrew@...n.ch>, Jakob Unterwurzacher <jakobunt@...il.com>
Cc: Woojung Huh <woojung.huh@...rochip.com>, UNGLinuxDriver@...rochip.com, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, quentin.schulz@...rry.de, Jakob Unterwurzacher <jakob.unterwurzacher@...rry.de>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, George McCollister <george.mccollister@...il.com>
Subject: Re: [PATCH] net: dsa: microchip: linearize skb for tail-tagging switches

On Fri, May 09, 2025 at 02:31:00PM +0200, Andrew Lunn wrote:
> On Fri, May 09, 2025 at 09:18:19AM +0200, Jakob Unterwurzacher wrote:
> > The pointer arithmetic for accessing the tail tag does not
> > seem to handle nonlinear skbs.
> >
> > For nonlinear skbs, it reads uninitialized memory inside the
> > skb headroom, essentially randomizing the tag, breaking user
> > traffic.
>
> Both tag_rtl8_4.c & tag_trailer.c also linearize, so I would say this
> is correct.
>
> What is interesting is that both xrs700x_rcv() and
> sja1110_rcv_inband_control_extension() also don't call
> skb_linearize().
>
> Vladimir? George?

Yes, it should be a more widespread problem.

Have non-zero needed_tailroom:
trailer
ksz8795
ksz9477
ksz9893
lan937x
hellcreek
sja1110
xrs700x

Call skb_linearize():
trailer
rtl8_4t

It should be only a matter of chance that the other taggers haven't come
across non-linear skbs.

My opinion is that we should let taggers linearize when and if it is
necessary, rather than doing so in the core. For example, sja1110 only
needs to do so if (rx_header & SJA1110_RX_HEADER_HAS_TRAILER), which the
core obviously does not know.

Thus, I agree with the proposed fix.

Jakob, when you resend v2 retargeted to "net" and with the Fixes: tag added, could you also address xrs700x and sja1110, or should I?
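The failure mode discussed in this thread, shown as an added toy model in C. This is not kernel code and not from the patch: `struct toy_skb`, `toy_skb_linearize()` and the other helpers are simplified stand-ins for the real sk_buff API, and the packet (14-byte Ethernet header in the linear area, payload plus a 1-byte tail tag in a paged fragment) is constructed here. It shows why `skb_tail_pointer(skb) - tag_len` lands on the wrong bytes when the tag lives in a fragment, and why the same arithmetic becomes valid once the skb is linearized.

```c
/* Toy model of a paged (non-linear) sk_buff and a DSA tail-tag parser.
 * Added example, not kernel code: names and layout are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAGS 4
#define TAG_BYTE  0x05   /* constructed tail tag value (e.g. a source port) */
#define ETH_HDR   14     /* bytes kept in the linear area by the "driver" */

struct toy_frag { const uint8_t *page; size_t size; };

struct toy_skb {
    uint8_t *head;   /* start of the allocation; headroom begins here */
    uint8_t *data;   /* first byte of linear packet data */
    uint8_t *tail;   /* one past the last byte of LINEAR data */
    size_t   len;    /* total length: linear bytes + all fragments */
    size_t   nr_frags;
    struct toy_frag frags[MAX_FRAGS];
};

static int    toy_skb_is_nonlinear(const struct toy_skb *s) { return s->nr_frags != 0; }
static size_t toy_headlen(const struct toy_skb *s) { return (size_t)(s->tail - s->data); }

/* Naive tail-tag access: assumes the last tag_len bytes of skb->len are in the
 * linear buffer. This is the skb_tail_pointer(skb) - tag_len pattern. */
static const uint8_t *tail_tag_naive(const struct toy_skb *s, size_t tag_len)
{
    return s->tail - tag_len;
}

/* Copy the fragments behind the linear data into one contiguous buffer,
 * preserving headroom (models what skb_linearize() achieves). 0 on success. */
static int toy_skb_linearize(struct toy_skb *s)
{
    if (!toy_skb_is_nonlinear(s))
        return 0;
    size_t headroom = (size_t)(s->data - s->head);
    uint8_t *buf = malloc(headroom + s->len);
    if (!buf)
        return -1;
    memcpy(buf + headroom, s->data, toy_headlen(s));
    size_t off = headroom + toy_headlen(s);
    for (size_t i = 0; i < s->nr_frags; i++) {
        memcpy(buf + off, s->frags[i].page, s->frags[i].size);
        off += s->frags[i].size;
    }
    free(s->head);
    s->head = buf; s->data = buf + headroom; s->tail = buf + off;
    s->nr_frags = 0;
    return 0;
}

static void toy_skb_free(struct toy_skb *s) { if (s) { free(s->head); free(s); } }

/* Constructed fragment: 4 payload bytes followed by the tail tag. */
static const uint8_t k_payload_and_tag[] = { 0x11, 0x22, 0x33, 0x44, TAG_BYTE };

/* Build the constructed two-part skb: header linear, payload+tag in a frag. */
static struct toy_skb *build_paged_skb(void)
{
    const size_t headroom = 32;
    struct toy_skb *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->head = malloc(headroom + ETH_HDR);
    if (!s->head) { free(s); return NULL; }
    s->data = s->head + headroom;
    memset(s->data, 0xEE, ETH_HDR);          /* fake MACs/ethertype */
    s->tail = s->data + ETH_HDR;
    s->frags[0].page = k_payload_and_tag;
    s->frags[0].size = sizeof k_payload_and_tag;
    s->nr_frags = 1;
    s->len = ETH_HDR + sizeof k_payload_and_tag;
    return s;
}

/* What the naive parser takes as the tag on a paged skb: a header byte,
 * since skb->tail stops at the end of the linear area. */
static int naive_tag_byte(void)
{
    struct toy_skb *s = build_paged_skb();
    if (!s) return -1;
    int b = tail_tag_naive(s, 1)[0];
    toy_skb_free(s);
    return b;
}

/* The fixed tagger: linearize only when needed, then use the same arithmetic. */
static int fixed_tag_byte(void)
{
    struct toy_skb *s = build_paged_skb();
    if (!s) return -1;
    if (toy_skb_is_nonlinear(s) && toy_skb_linearize(s) != 0) { toy_skb_free(s); return -1; }
    int b = (toy_headlen(s) >= 1) ? tail_tag_naive(s, 1)[0] : -1;
    toy_skb_free(s);
    return b;
}

int main(void)
{
    printf("naive tag byte: 0x%02x, after linearize: 0x%02x\n", naive_tag_byte(), fixed_tag_byte());
    return 0;
}
```

The point the toy makes concrete: `len` counts fragment bytes, `tail` does not, so any tail-relative pointer is only meaningful once the skb is linear. Linearizing on demand (as the fix does) keeps the fast path for the common linear case while making the tag read well-defined for the paged one.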