| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e7e05a6f-1995-4c49-929d-3d8ee7b0ac5c@gmail.com>
Date: Mon, 27 Oct 2025 22:05:55 +0700
From: Bui Quang Minh <minhquangbui99@...il.com>
To: Parav Pandit <parav@...dia.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Cc: "Michael S. Tsirkin" <mst@...hat.com>, Jason Wang <jasowang@...hat.com>,
Xuan Zhuo <xuanzhuo@...ux.alibaba.com>, Eugenio Pérez
<eperezma@...hat.com>, Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
"Minggang(Gavin) Li" <gavinl@...dia.com>, Gavi Teitz <gavi@...dia.com>,
"virtualization@...ts.linux.dev" <virtualization@...ts.linux.dev>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH net v5] virtio-net: fix received length check in big
packets
On 10/27/25 21:55, Parav Pandit wrote:
>> From: Bui Quang Minh <minhquangbui99@...il.com>
>> Sent: 27 October 2025 08:19 PM
>>
>> On 10/25/25 14:11, Parav Pandit wrote:
>>>> From: Bui Quang Minh <minhquangbui99@...il.com>
>>>> Sent: 24 October 2025 08:37 PM
>>>>
>>>> Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
>>>> for big packets"), when guest gso is off, the allocated size for big
>>>> packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on
>>>> negotiated MTU. The number of allocated frags for big packets is
>>>> stored in vi-
>>>>> big_packets_num_skbfrags.
>>>> Because the host announced buffer length can be malicious (e.g. the
>>>> host vhost_net driver's get_rx_bufs is modified to announce incorrect
>>>> length), we need a check in virtio_net receive path. Currently, the
>>>> check is not adapted to the new change which can lead to NULL page
>>>> pointer dereference in the below while loop when receiving length that is
>> larger than the allocated one.
>>> This looks wrong.
>>> A device DMAed N bytes, and it reports N + M bytes in the completion?
>>> Such devices should be fixed.
>>>
>>> If driver allocated X bytes, and device copied X + Y bytes on receive packet, it
>> will crash the driver host anyway.
>>> The fixes tag in this patch is incorrect because this is not a driver bug.
>>> It is just adding resiliency in driver for broken device. So driver cannot have
>> fixes tag here.
>>
>> Yes, I agree that the check is a protection against broken device.
>>
>> The check is already there before this commit, but it is not correct since the
>> changes in commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
>> for big packets"). So this patch fixes the check corresponding to the new
>> change. I think this is a valid use of Fixes tag.
> I am missing something.
> If you don’t have the broken device, what part if wrong in the patch which needs fixes tag?
The host can load the own vhost_net driver and sends the incorrect
length. IMHO, it's good to sanity check the received input.
The check
if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE))
goto err;
is wrong because the allocated buffer is (vi->big_packets_num_skbfrags +
1) * PAGE_SIZE not MAX_SKB_FRAGS * PAGE_SIZE anymore.
vi->big_packets_num_skbfrags depends on the negotiated mtu between host
and guest when guest_gso is off as in function virtnet_set_big_packets.
Thanks,
Quang Minh.
Powered by blists - more mailing lists