lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c5f875fc-9d87-42e3-bc33-59864e206f96@redhat.com>
Date: Thu, 22 Jan 2026 15:57:39 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Simon Horman <horms@...nel.org>, Donald Hunter <donald.hunter@...il.com>,
 Andrew Lunn <andrew+netdev@...n.ch>, Shuah Khan <shuah@...nel.org>,
 Willem de Bruijn <willemdebruijn.kernel@...il.com>, sdf@...ichev.me,
 petrm@...dia.com, razor@...ckwall.org, idosch@...dia.com
Subject: Re: [PATCH v5 net-next 08/10] geneve: extract hint option at GRO
 stage

On 1/21/26 5:11 PM, Paolo Abeni wrote:
> @@ -566,6 +726,25 @@ static struct sk_buff *geneve_gro_receive(struct sock *sk,
>  			goto out;
>  	}
>  
> +	/* The GRO hint/nested hdr could use a different ethernet type. */
> +	hint_off = geneve_sk_gro_hint_off(sk, gh, &type, &gh_len);
> +	if (hint_off) {
> +		const struct geneve_opt_gro_hint *gro_hint;
> +
> +		/*
> +		 * If the hint is present, and nested hdr validation fails, do
> +		 * not attempt plain GRO: it will ignore inner hdrs and cause
> +		 * OoO.
> +		 */
> +		gh = skb_gro_header(skb, off_gnv + gh_len, off_gnv);
> +		if (unlikely(!gh))
> +			goto out;
> +
> +		gro_hint = geneve_opt_gro_hint(gh, hint_off);
> +		if (!geneve_opt_gro_hint_validate_csum(skb, gh, gro_hint))
> +			goto out;
> +	}
> +
>  	list_for_each_entry(p, head, list) {
>  		if (!NAPI_GRO_CB(p)->same_flow)
>  			continue;

AI review reports a possible OoB access later on in:

	if (gh->opt_len != gh2->opt_len ||
		    memcmp(gh, gh2, gh_len)) {
			NAPI_GRO_CB(p)->same_flow = 0;
			continue;
		}

specifically in the memcmp() accessing bytes not pulled yet from gh2. I
think such OoB access is not possible: before reaching the buffer bounds
the other packet hdr should match the current one geneve hdr, including
the hint option. Thus, while processing the such packet, the GRO stage
should have already pulled all the relevant data.

I think this is simply too much to get for the LLM, at least ATM.

Side note: I was sure I did the shellcheck test before posting, but nipa
says I at very least forgot about it before some latest update (warn in
patch 10). @Jakub: please LMK if you prefer another revision.

/P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ