From: Patrick McHardy <kaber@trash.net>
To: Gustavo Guillermo Perez <gustavo@compunauta.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [patch 20/37] {nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packets
Date: Wed, 14 May 2008 19:08:00 +0200
Message-ID: <482B1C70.5070005@trash.net>
In-Reply-To: <200805141145.09563.gustavo@compunauta.com>
Gustavo Guillermo Perez wrote:
> On Tuesday, 13 May 2008, Greg KH wrote:
>> On Wed, May 14, 2008 at 01:45:15AM +0200, Arnaud Ebalard wrote:
>>> Hi,
>>>
>>> Greg KH <gregkh@suse.de> writes:
>>>> 2.6.25-stable review patch. If anyone has any objections, please let
>>>> us know.
>>> Sorry for the noise, but for those who missed one of the latest post on
>>> the topic on netdev, I should add that the bug is also in 2.6.24.4 (even
>>> if it's probably too late for that poor guy :-( ).
>> Sorry, yes, we are no longer doing 2.6.24-stable releases.
>
> Will the fix be available in 2.6.25.4?
Yes. This is the patch against the latest 2.6.24.x release in case
someone needs it. Not sure anymore if it differs from the 2.6.25
version.
[-- Attachment #2: x, Type: text/plain --]
commit 431e3757dbafdad741ef7d9bdaa2fca7fce3d5cc
Author: Arnaud Ebalard <arno@natisbad.org>
Date: Tue May 6 13:03:59 2008 +0200
[NETFILTER]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets
Upstream commit 9a732ed6d:
While reinjecting *bigger* modified versions of IPv6 packets using
libnetfilter_queue, things work fine on a 2.6.24 kernel (2.6.22 too)
but I get the following on recent kernels (2.6.25, trace below is
against today's net-2.6 git tree):
skb_over_panic: text:c04fddb0 len:696 put:632 head:f7592c00 data:f7592c00 tail:0xf7592eb8 end:0xf7592e80 dev:eth0
------------[ cut here ]------------
invalid opcode: 0000 [#1] PREEMPT
Process sendd (pid: 3657, ti=f6014000 task=f77c31d0 task.ti=f6014000)
Stack: c071e638 c04fddb0 000002b8 00000278 f7592c00 f7592c00 f7592eb8 f7592e80
f763c000 f6bc5200 f7592c40 f6015c34 c04cdbfc f6bc5200 00000278 f6015c60
c04fddb0 00000020 f72a10c0 f751b420 00000001 0000000a 000002b8 c065582c
Call Trace:
[<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
[<c04cdbfc>] ? skb_put+0x3c/0x40
[<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
[<c04fd115>] ? nfnetlink_rcv_msg+0xf5/0x160
[<c04fd03e>] ? nfnetlink_rcv_msg+0x1e/0x160
[<c04fd020>] ? nfnetlink_rcv_msg+0x0/0x160
[<c04f8ed7>] ? netlink_rcv_skb+0x77/0xa0
[<c04fcefc>] ? nfnetlink_rcv+0x1c/0x30
[<c04f8c73>] ? netlink_unicast+0x243/0x2b0
[<c04cfaba>] ? memcpy_fromiovec+0x4a/0x70
[<c04f9406>] ? netlink_sendmsg+0x1c6/0x270
[<c04c8244>] ? sock_sendmsg+0xc4/0xf0
[<c011970d>] ? set_next_entity+0x1d/0x50
[<c0133a80>] ? autoremove_wake_function+0x0/0x40
[<c0118f9e>] ? __wake_up_common+0x3e/0x70
[<c0342fbf>] ? n_tty_receive_buf+0x34f/0x1280
[<c011d308>] ? __wake_up+0x68/0x70
[<c02cea47>] ? copy_from_user+0x37/0x70
[<c04cfd7c>] ? verify_iovec+0x2c/0x90
[<c04c837a>] ? sys_sendmsg+0x10a/0x230
[<c011967a>] ? __dequeue_entity+0x2a/0xa0
[<c011970d>] ? set_next_entity+0x1d/0x50
[<c0345397>] ? pty_write+0x47/0x60
[<c033d59b>] ? tty_default_put_char+0x1b/0x20
[<c011d2e9>] ? __wake_up+0x49/0x70
[<c033df99>] ? tty_ldisc_deref+0x39/0x90
[<c033ff20>] ? tty_write+0x1a0/0x1b0
[<c04c93af>] ? sys_socketcall+0x7f/0x260
[<c0102ff9>] ? sysenter_past_esp+0x6a/0x91
[<c05f0000>] ? snd_intel8x0m_probe+0x270/0x6e0
=======================
Code: 00 00 89 5c 24 14 8b 98 9c 00 00 00 89 54 24 0c 89 5c 24 10 8b 40 50 89 4c 24 04 c7 04 24 38 e6 71 c0 89 44 24 08 e8 c4 46 c5 ff <0f> 0b eb fe 55 89 e5 56 89 d6 53 89 c3 83 ec 0c 8b 40 50 39 d0
EIP: [<c04ccdfc>] skb_over_panic+0x5c/0x60 SS:ESP 0068:f6015bf8
Looking at the code, I ended up in nfq_mangle() function (called by
nfqnl_recv_verdict()) which performs a call to skb_copy_expand() due to
the increased size of data passed to the function. AFAICT, it should ask
for 'diff' instead of 'diff - skb_tailroom(e->skb)'. Because the
resulting sk_buff has not enough space to support the skb_put(skb, diff)
call a few lines later, this results in the call to skb_over_panic().
The patch below asks for allocation of a copy with enough space for
mangled packet and the same amount of headroom as old sk_buff. While
looking at how the regression appeared (e2b58a67), I noticed the same
pattern in ipq_mangle_ipv6() and ipq_mangle_ipv4(). The patch corrects
those locations too.
Tested with bigger reinjected IPv6 packets (nfqnl_mangle() path), things
are ok (2.6.25 and today's net-2.6 git tree).
Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 16d0fb3..f821a9b 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -349,9 +349,8 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
if (v->data_len > 0xFFFF)
return -EINVAL;
if (diff > skb_tailroom(e->skb)) {
- nskb = skb_copy_expand(e->skb, 0,
- diff - skb_tailroom(e->skb),
- GFP_ATOMIC);
+ nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+ diff, GFP_ATOMIC);
if (!nskb) {
printk(KERN_WARNING "ip_queue: error "
"in mangle, dropping packet\n");
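Review bot: the corrected call is right because skb_copy_expand()'s newtailroom argument is the total tailroom the copy will have, not extra space on top of the tailroom the original already has; the old `diff - skb_tailroom(e->skb)` therefore left the copy exactly skb_tailroom(e->skb) bytes short of the later skb_put(skb, diff), which is the tail > end condition in the trace above (tail:0xf7592eb8 against end:0xf7592e80, 56 bytes over). Passing skb_headroom(e->skb) instead of 0 also preserves the original headroom, which matters once the mangled packet is reinjected and lower layers push headers in front of it. One style point: the failure message here reads "ip_queue: error in mangle" while the ip6_queue and nf_queue sites say "OOM in mangle"; since allocation failure is the only way skb_copy_expand() returns NULL, aligning the wording makes the three sites greppable together.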
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 710a04f..b9db6d9 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -346,9 +346,8 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
if (v->data_len > 0xFFFF)
return -EINVAL;
if (diff > skb_tailroom(e->skb)) {
- nskb = skb_copy_expand(e->skb, 0,
- diff - skb_tailroom(e->skb),
- GFP_ATOMIC);
+ nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+ diff, GFP_ATOMIC);
if (!nskb) {
printk(KERN_WARNING "ip6_queue: OOM "
"in mangle, dropping packet\n");
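Review bot: same fix and same reasoning as the IPv4 hunk; one consequence worth noting is that the copy gets exactly `diff` bytes of tailroom, so after the skb_put(skb, diff) that follows it has none left and any further enlargement of this packet inside the kernel will have to copy again. That is acceptable, and preferable to over-allocating on a GFP_ATOMIC path, but if userspace routinely mangles a packet in several rounds a small slack on the tailroom request would avoid repeated copies. The `v->data_len > 0xFFFF` check just above is what bounds the size of this allocation and must stay ahead of the tailroom test.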
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 7c3646c..d5fab38 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -627,9 +627,8 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
if (data_len > 0xFFFF)
return -EINVAL;
if (diff > skb_tailroom(e->skb)) {
- nskb = skb_copy_expand(e->skb, 0,
- diff - skb_tailroom(e->skb),
- GFP_ATOMIC);
+ nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+ diff, GFP_ATOMIC);
if (!nskb) {
printk(KERN_WARNING "nf_queue: OOM "
"in mangle, dropping packet\n");
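Review bot: this is the third copy of the same pattern, which is how the regression (e2b58a67) got through review in all three files at once; a one-line comment above the call, for example `/* newtailroom is the copy's total tailroom, so ask for diff, not the shortfall */`, would keep the next reader from "correcting" it back. Otherwise the hunk is right: with `data_len > 0xFFFF` rejected just above, the copy is at most 64K of tailroom plus the original headroom, and skb_put(skb, diff) can no longer run past end.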
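The arithmetic behind the fix, as an added example that is not part of the patch or of the kernel: a toy sk_buff with head/data/tail/end pointers, plus skb_headroom(), skb_tailroom(), skb_put() and skb_copy_expand() modelled on the kernel's semantics (newtailroom is the copy's total tailroom). skb_over_panic() is replaced by an error return so the program can show both outcomes. The packet sizes are derived from the trace above (a 64-byte packet with 56 bytes of tailroom grown by 632 bytes to 696: tail 0x2b8 minus 64 bytes of payload gives the 632-byte put, and end 0x280 minus 64 gives the 576-byte tailroom the old code asked for); the original headroom of 64 bytes and the payload contents are assumptions.

```c
/* Toy model of the sk_buff tailroom bug fixed by this patch. Added example,
 * not kernel code; pointer layout and helper semantics follow the kernel's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_skb {
    unsigned char *head;   /* start of the allocation */
    unsigned char *data;   /* start of packet data */
    unsigned char *tail;   /* end of packet data */
    unsigned char *end;    /* end of the allocation */
    unsigned int len;      /* bytes of packet data */
};

static unsigned int skb_headroom(const struct toy_skb *skb) { return (unsigned int)(skb->data - skb->head); }
static unsigned int skb_tailroom(const struct toy_skb *skb) { return (unsigned int)(skb->end - skb->tail); }

static struct toy_skb *toy_alloc(unsigned int headroom, unsigned int len, unsigned int tailroom)
{
    struct toy_skb *skb = calloc(1, sizeof *skb);
    if (!skb) return NULL;
    skb->head = calloc(1, headroom + len + tailroom);
    if (!skb->head) { free(skb); return NULL; }
    skb->data = skb->head + headroom;
    skb->tail = skb->data + len;
    skb->end  = skb->head + headroom + len + tailroom;
    skb->len  = len;
    return skb;
}

static void toy_free(struct toy_skb *skb) { if (skb) { free(skb->head); free(skb); } }

/* skb_put(): 0 on success, -1 where the kernel would call skb_over_panic(). */
static int skb_put_checked(struct toy_skb *skb, unsigned int n)
{
    if (skb->tail + n > skb->end) {
        fprintf(stderr, "skb_over_panic: len:%u put:%u tail:%ld end:%ld\n",
                skb->len + n, n, (long)(skb->tail + n - skb->head), (long)(skb->end - skb->head));
        return -1;
    }
    skb->tail += n;
    skb->len  += n;
    return 0;
}

/* skb_copy_expand(): the copy has exactly newheadroom bytes in front of the
 * data and newtailroom bytes after it. newtailroom is absolute, not "extra". */
static struct toy_skb *skb_copy_expand(const struct toy_skb *skb, unsigned int newheadroom, unsigned int newtailroom)
{
    struct toy_skb *n = toy_alloc(newheadroom, skb->len, newtailroom);
    if (!n) return NULL;
    memcpy(n->data, skb->data, skb->len);
    return n;
}

/* The enlarging path of the *_mangle() functions. use_fixed selects the
 * post-patch skb_copy_expand() call; 0 reproduces the pre-patch one.
 * Returns 0 on success, -1 for EINVAL/ENOMEM, -2 where skb_put() would panic. */
static int mangle(struct toy_skb **pskb, const unsigned char *data, unsigned int data_len, int use_fixed)
{
    struct toy_skb *skb = *pskb, *nskb;
    int diff = (int)data_len - (int)skb->len;

    if (data_len > 0xFFFF) return -1;
    if (diff < 0) return -1;            /* shrinking is handled elsewhere in the real code */
    if ((unsigned int)diff > skb_tailroom(skb)) {
        nskb = use_fixed
            ? skb_copy_expand(skb, skb_headroom(skb), diff)          /* post-patch */
            : skb_copy_expand(skb, 0, diff - skb_tailroom(skb));     /* pre-patch */
        if (!nskb) return -1;
        toy_free(skb);
        skb = *pskb = nskb;
    }
    if (skb_put_checked(skb, diff) < 0) return -2;
    memcpy(skb->data, data, data_len);
    return 0;
}

/* Reproduce the trace: 64-byte packet, 56 bytes of tailroom, grown to 696.
 * The 64-byte headroom and the 0x41 payload are constructed assumptions. */
static int demo(int use_fixed, struct toy_skb **result)
{
    unsigned char payload[696];
    struct toy_skb *skb;
    int rc;

    memset(payload, 0x41, sizeof payload);
    skb = toy_alloc(64, 64, 56);
    if (!skb) return -1;
    rc = mangle(&skb, payload, sizeof payload, use_fixed);
    if (result) *result = skb; else toy_free(skb);
    return rc;
}

int main(void)
{
    struct toy_skb *skb = NULL;
    int rc;

    printf("pre-patch : rc=%d\n", demo(0, NULL));
    rc = demo(1, &skb);
    printf("post-patch: rc=%d len=%u headroom=%u tailroom=%u\n",
           rc, skb->len, skb_headroom(skb), skb_tailroom(skb));
    toy_free(skb);
    return 0;
}
```

The pre-patch run prints a synthetic skb_over_panic line with the trace's own numbers (len 696, put 632, tail 56 bytes past end) and returns -2; the post-patch run succeeds with the headroom preserved and zero tailroom left, which is why a second enlargement of the same packet would copy again.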