From: Jiri Benc <jbenc@redhat.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com,
	David Miller <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	LKML <linux-kernel@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	syzkaller-bugs@googlegroups.com,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs
Date: Wed, 11 Jul 2018 12:07:53 +0200
Message-ID: <20180711120753.6940b66d@redhat.com>
In-Reply-To: <CAF=yD-LcXtF94=5Xt5zeD=AmqHxNHGP+NURazJERigA8ysBuAQ@mail.gmail.com>

Sorry for the delayed reply, I'm working through a pile of stuff after
being off.

On Sun, 8 Jul 2018 18:58:14 -0400, Willem de Bruijn wrote:
> Setting skb->mac_len to 0, similar to mpls_gso_segment,
> is sufficient if the encapsulated packet is not ETH_P_TEB.
> 
> If the packet is encapsulated at L2, __skb_pull(skb, vlan_depth)
> has to pull the inner mac header before passing to l3 handlers like
> inet_gso_segment.
> 
> If that header includes VLAN tags, skb_network_protocol will
> parse them and update the mac length in vlan_depth. So
> hardcoding to ETH_HLEN should be fine:
> 
> @@ -104,7 +95,7 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
>         __skb_pull(skb, nsh_len);
> 
>         skb_reset_mac_header(skb);
> -       skb_reset_mac_len(skb);
> +       skb->mac_len = proto == ETH_P_TEB ? ETH_HLEN : 0;
>         skb->protocol = proto;
> 
>         features &= NETIF_F_SG;
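Review bot: `proto == ETH_P_TEB` compares a network-order value with a host-order constant. The same `proto` is stored into `skb->protocol` (a __be16) on the very next line, so the test needs `htons(ETH_P_TEB)`; as written, mac_len stays 0 for encapsulated Ethernet on little-endian hosts and the fix never takes effect, and sparse would warn about the mixed endianness (the "htons fix" mentioned in the reply below is this). Dropping skb_reset_mac_len() is right: it derives mac_len from the network header, which this hunk never resets after __skb_pull(skb, nsh_len), so it could not produce the intended 0 or ETH_HLEN.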

I agree. I think my original intention was to set mac_len to 0. Which
is obviously not done by calling skb_reset_mac_len...

Strangely, skb_network_protocol does not set *depth to ETH_HLEN if it
is 0 and the type is ETH_P_TEB, which is something I would expect it to
do. Thus we indeed have to differentiate between the two cases before
calling skb_mac_gso_segment.

Willem, will you send the patch formally (with the htons fix)? Thanks a
lot for the analysis and the patch!

 Jiri
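The mac_len handling debated in the thread above, as an added user-space model in C (not kernel code and not from anyone in this thread): `toy_skb` stands in for the sk_buff fields involved, `toy_network_protocol()` is a simplified model of skb_network_protocol()'s VLAN walk, the inner frame bytes are constructed, and all helper names are assumptions. It shows why a tag-less ETH_P_TEB frame needs mac_len = ETH_HLEN before skb_mac_gso_segment() (the walk does not bump a zero depth by itself), that VLAN tags extend the pull depth by VLAN_HLEN each from that base, and what the host-order comparison does on a little-endian host.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN     14
#define VLAN_HLEN    4
#define ETH_P_IP     0x0800
#define ETH_P_8021Q  0x8100
#define ETH_P_8021AD 0x88A8
#define ETH_P_TEB    0x6558

/* Stand-in for the sk_buff fields involved; data[] starts where
 * nsh_gso_segment() leaves skb->data after __skb_pull(skb, nsh_len). */
struct toy_skb {
	uint8_t data[64];
	unsigned int len;
	uint16_t protocol;   /* network byte order, like skb->protocol (__be16) */
	unsigned int mac_len;
};

/* Read two bytes without converting, i.e. a __be16 as stored in memory. */
static uint16_t be16_raw(const uint8_t *p)
{
	uint16_t v;
	memcpy(&v, p, sizeof v);
	return v;
}

static int is_vlan_type(uint16_t type)
{
	return type == htons(ETH_P_8021Q) || type == htons(ETH_P_8021AD);
}

/* The fixed hunk: mac_len is ETH_HLEN only when an Ethernet header follows. */
static void nsh_set_mac_len(struct toy_skb *skb, uint16_t proto)
{
	skb->protocol = proto;
	skb->mac_len = proto == htons(ETH_P_TEB) ? ETH_HLEN : 0;
}

/* The same line with the host-order constant as in the quoted hunk: proto is
 * a __be16, so on a little-endian host this never matches for TEB. */
static unsigned int nsh_mac_len_hostorder(uint16_t proto)
{
	return proto == ETH_P_TEB ? ETH_HLEN : 0;
}

/* Simplified model of skb_network_protocol(): returns the L3 type and, in
 * *depth, how many bytes skb_mac_gso_segment() pulls before calling the L3
 * handler. Like the kernel it starts from skb->mac_len and only advances over
 * VLAN tags, so a tag-less ETH_P_TEB frame with mac_len 0 leaves depth 0. */
static uint16_t toy_network_protocol(const struct toy_skb *skb, unsigned int *depth)
{
	unsigned int vlan_depth = skb->mac_len;
	uint16_t type = skb->protocol;

	if (type == htons(ETH_P_TEB)) {
		if (skb->len < ETH_HLEN)
			return 0;
		type = be16_raw(skb->data + ETH_HLEN - 2);  /* ethhdr.h_proto */
	}
	if (is_vlan_type(type)) {
		if (!vlan_depth)
			vlan_depth = ETH_HLEN;  /* assumption: tags follow an Ethernet header */
		do {
			if (skb->len < vlan_depth + VLAN_HLEN)
				return 0;
			/* vlan_hdr: TCI (2 bytes) then the encapsulated protocol */
			type = be16_raw(skb->data + vlan_depth + 2);
			vlan_depth += VLAN_HLEN;
		} while (is_vlan_type(type));
	}
	*depth = vlan_depth;
	return type;
}

/* Constructed inner frame: Ethernet header, ntags 802.1Q tags, IPv4 header. */
static void build_inner_frame(struct toy_skb *skb, int ntags)
{
	uint8_t *p = skb->data;
	uint16_t be;

	memset(skb->data, 0, sizeof skb->data);
	memset(p, 0xaa, 6); p += 6;                             /* dst MAC (made up) */
	memset(p, 0xbb, 6); p += 6;                             /* src MAC (made up) */
	for (int i = 0; i < ntags; i++) {
		be = htons(ETH_P_8021Q); memcpy(p, &be, 2); p += 2;  /* TPID */
		be = htons(100 + i);     memcpy(p, &be, 2); p += 2;  /* TCI, VID 100+i */
	}
	be = htons(ETH_P_IP); memcpy(p, &be, 2); p += 2;        /* encapsulated type */
	*p++ = 0x45; memset(p, 0, 19); p += 19;                 /* minimal IPv4 header */
	skb->len = (unsigned int)(p - skb->data);
}

/* Run the NSH GSO path on an inner frame with ntags VLAN tags; fixed=1 uses
 * the corrected assignment, fixed=0 leaves mac_len at 0 (the original intent).
 * For a non-TEB proto the frame bytes are never examined. */
static unsigned int nsh_gso_pull_depth(uint16_t proto, int ntags, int fixed, uint16_t *l3)
{
	struct toy_skb skb;
	unsigned int depth = 0;

	build_inner_frame(&skb, ntags);
	if (fixed) {
		nsh_set_mac_len(&skb, proto);
	} else {
		skb.protocol = proto;
		skb.mac_len = 0;
	}
	*l3 = toy_network_protocol(&skb, &depth);
	return depth;
}

static unsigned int pull_depth(uint16_t proto, int ntags, int fixed)
{
	uint16_t l3;
	return nsh_gso_pull_depth(proto, ntags, fixed, &l3);
}

static uint16_t l3_type(uint16_t proto, int ntags, int fixed)
{
	uint16_t l3;
	nsh_gso_pull_depth(proto, ntags, fixed, &l3);
	return l3;
}

int main(void)
{
	for (int ntags = 0; ntags <= 2; ntags++)
		printf("TEB, %d tag(s): mac_len=0 pulls %u, fixed pulls %u (L3 0x%04x)\n",
		       ntags, pull_depth(htons(ETH_P_TEB), ntags, 0),
		       pull_depth(htons(ETH_P_TEB), ntags, 1),
		       ntohs(l3_type(htons(ETH_P_TEB), ntags, 1)));
	printf("host-order compare gives mac_len %u for TEB on this host\n",
	       nsh_mac_len_hostorder(htons(ETH_P_TEB)));
	return 0;
}
```

The interesting row is TEB with zero tags: with mac_len left at 0 the pull depth is 0 and the L3 handler would start parsing at the inner Ethernet header, while with one or more tags the VLAN walk happens to land on ETH_HLEN anyway. The hardcoded ETH_HLEN therefore only matters for the tag-less case, which is the one that cannot be recovered from the frame itself.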

Thread overview:
2018-06-18 13:31 KASAN: use-after-free Read in ipv6_gso_pull_exthdrs syzbot
2018-07-06 17:52 ` syzbot
2018-07-06 22:16   ` Willem de Bruijn
2018-07-08 22:58     ` Willem de Bruijn
2018-07-08 23:18       ` Willem de Bruijn
2018-07-11 10:07       ` Jiri Benc [this message]
2018-07-11 16:08         ` Willem de Bruijn
