| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260116201517.273302-1-sgarzare@redhat.com> Date: Fri, 16 Jan 2026 21:15:13 +0100 From: Stefano Garzarella <sgarzare@...hat.com> To: netdev@...r.kernel.org Cc: virtualization@...ts.linux.dev, "Michael S. Tsirkin" <mst@...hat.com>, Eugenio PĂ©rez <eperezma@...hat.com>, Stefan Hajnoczi <stefanha@...hat.com>, Paolo Abeni <pabeni@...hat.com>, kvm@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>, linux-kernel@...r.kernel.org, Jason Wang <jasowang@...hat.com>, Claudio Imbrenda <imbrenda@...ux.vnet.ibm.com>, Simon Horman <horms@...nel.org>, "David S. Miller" <davem@...emloft.net>, Arseniy Krasnov <AVKrasnov@...rdevices.ru>, Asias He <asias@...hat.com>, Stefano Garzarella <sgarzare@...hat.com>, Jakub Kicinski <kuba@...nel.org>, Xuan Zhuo <xuanzhuo@...ux.alibaba.com> Subject: [PATCH RESEND net v5 0/4] vsock/virtio: fix TX credit handling Resend with the right cc (sorry, a mistake on my env) The original series was posted by Melbin K Mathew <mlbnkm1@...il.com> till v4: https://lore.kernel.org/netdev/20251217181206.3681159-1-mlbnkm1@gmail.com/ Since it's a real issue and the original author seems busy, I'm sending the v5 fixing my comments but keeping the authorship (and restoring mine on patch 2 as reported on v4). >From Melbin K Mathew <mlbnkm1@...il.com>: This series fixes TX credit handling in virtio-vsock: Patch 1: Fix potential underflow in get_credit() using s64 arithmetic Patch 2: Fix vsock_test seqpacket bounds test Patch 3: Cap TX credit to local buffer size (security hardening) Patch 4: Add stream TX credit bounds regression test The core issue is that a malicious guest can advertise a huge buffer size via SO_VM_SOCKETS_BUFFER_SIZE, causing the host to allocate excessive sk_buff memory when sending data to that guest. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. With this series applied, the same PoC shows only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Melbin K Mathew (3): vsock/virtio: fix potential underflow in virtio_transport_get_credit() vsock/virtio: cap TX credit to local buffer size vsock/test: add stream TX credit bounds test Stefano Garzarella (1): vsock/test: fix seqpacket message bounds test net/vmw_vsock/virtio_transport_common.c | 30 +++++-- tools/testing/vsock/vsock_test.c | 112 ++++++++++++++++++++++++ 2 files changed, 133 insertions(+), 9 deletions(-) -- 2.52.0
Powered by blists - more mailing lists