lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aXO17RbleU_YnX8R@horms.kernel.org>
Date: Fri, 23 Jan 2026 17:54:53 +0000
From: Simon Horman <horms@...nel.org>
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Donald Hunter <donald.hunter@...il.com>,
	Andrew Lunn <andrew+netdev@...n.ch>, Shuah Khan <shuah@...nel.org>,
	Willem de Bruijn <willemdebruijn.kernel@...il.com>, sdf@...ichev.me,
	petrm@...dia.com, razor@...ckwall.org, idosch@...dia.com
Subject: Re: [PATCH v5 net-next 08/10] geneve: extract hint option at GRO
 stage

On Thu, Jan 22, 2026 at 03:57:39PM +0100, Paolo Abeni wrote:
> On 1/21/26 5:11 PM, Paolo Abeni wrote:
> > @@ -566,6 +726,25 @@ static struct sk_buff *geneve_gro_receive(struct sock *sk,
> >  			goto out;
> >  	}
> >  
> > +	/* The GRO hint/nested hdr could use a different ethernet type. */
> > +	hint_off = geneve_sk_gro_hint_off(sk, gh, &type, &gh_len);
> > +	if (hint_off) {
> > +		const struct geneve_opt_gro_hint *gro_hint;
> > +
> > +		/*
> > +		 * If the hint is present, and nested hdr validation fails, do
> > +		 * not attempt plain GRO: it will ignore inner hdrs and cause
> > +		 * OoO.
> > +		 */
> > +		gh = skb_gro_header(skb, off_gnv + gh_len, off_gnv);
> > +		if (unlikely(!gh))
> > +			goto out;
> > +
> > +		gro_hint = geneve_opt_gro_hint(gh, hint_off);
> > +		if (!geneve_opt_gro_hint_validate_csum(skb, gh, gro_hint))
> > +			goto out;
> > +	}
> > +
> >  	list_for_each_entry(p, head, list) {
> >  		if (!NAPI_GRO_CB(p)->same_flow)
> >  			continue;
> 
> AI review reports a possible OoB access later on in:

Sorry, I forwarded the AI review to you and the whole world,
just now, before noticing this email.

> 
> 	if (gh->opt_len != gh2->opt_len ||
> 		    memcmp(gh, gh2, gh_len)) {
> 			NAPI_GRO_CB(p)->same_flow = 0;
> 			continue;
> 		}
> 
> specifically in the memcmp() accessing bytes not pulled yet from gh2. I
> think such OoB access is not possible: before reaching the buffer bounds
> the other packet hdr should match the current one geneve hdr, including
> the hint option. Thus, while processing the such packet, the GRO stage
> should have already pulled all the relevant data.
> 
> I think this is simply too much to get for the LLM, at least ATM.
> 
> Side note: I was sure I did the shellcheck test before posting, but nipa
> says I at very least forgot about it before some latest update (warn in
> patch 10). @Jakub: please LMK if you prefer another revision.
> 
> /P
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ