Re: Sending short raw packets using sendmsg() broke

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alan Cox <alan@linux.intel.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: David Miller <davem@davemloft.net>,
	Heikki Hannikainen <hessu@hes.iki.fi>,
	Network Development <netdev@vger.kernel.org>,
	Willem de Bruijn <willemb@google.com>
Subject: Re: Sending short raw packets using sendmsg() broke
Date: Fri, 04 Mar 2016 15:54:09 +0000	[thread overview]
Message-ID: <1457106849.7064.55.camel@linux.intel.com> (raw)
In-Reply-To: <CAF=yD-+-QFp=g8BSsxjwwMmMwuHzkEiubZHNuyoLccF7qTs0ow@mail.gmail.com>

> > A quick search for ethhdr in drivers/net/ethernet shows, for
> > instance,
> > bnx2x_select_queue casting skb->data to an ethernet header. Reading
> > nonsense in that particular function is quite safe and given the
> > skbuff layout (skb_shared_info) code will never read beyond an
> > allocated region. But that was just the first occurrence I found.
> > efx_tso_check_protocol is another example.

So would always allocating that much space be a good mitigation in
general, and perhaps then making the logic check validate() IFF
CAP_SYS_RAWIO is not set.

A user with CAP_SYS_RAWIO already has the power to control the device
by banging registers so the check is not a security loss.

Alan

next prev parent reply	other threads:[~2016-03-04 15:54 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-25 19:36 Sending short raw packets using sendmsg() broke Heikki Hannikainen
2016-02-25 20:26 ` David Miller
2016-02-26 14:44   ` Alan Cox
2016-02-26 17:33     ` Willem de Bruijn
2016-02-26 17:46       ` David Miller
2016-02-27 23:02         ` Willem de Bruijn
2016-03-02  0:00           ` Alan Cox
2016-03-03 16:40             ` Willem de Bruijn
2016-03-03 16:43               ` Willem de Bruijn
2016-03-04 15:54                 ` Alan Cox [this message]
2016-03-04 16:33                   ` Willem de Bruijn
2016-03-04 20:52                     ` Willem de Bruijn
2016-03-01 23:34       ` Alan Cox
2016-02-26 17:34     ` David Miller
2016-02-25 20:49 ` Willem de Bruijn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1457106849.7064.55.camel@linux.intel.com \
    --to=alan@linux.intel.com \
    --cc=davem@davemloft.net \
    --cc=hessu@hes.iki.fi \
    --cc=netdev@vger.kernel.org \
    --cc=willemb@google.com \
    --cc=willemdebruijn.kernel@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.