From: Robin Murphy
To: Will Deacon, catalin.marinas@arm.com, guodeqing
Cc: luke.starrett@broadcom.com, kernel-team@android.com, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH,v2] arm64: fix the illegal address access in some cases
Date: Tue, 28 Jul 2020 15:30:50 +0100
Message-ID: <4b66d792-4c8a-a500-6f81-8e8f78e99b82@arm.com>
In-Reply-To: <159593323394.1061330.12501304112140193783.b4-ty@kernel.org>
References: <1595642886-78334-1-git-send-email-geffrey.guo@huawei.com> <159593323394.1061330.12501304112140193783.b4-ty@kernel.org>

Hi Will,

On 2020-07-28 14:03, Will Deacon wrote:
> On Sat, 25 Jul 2020 10:08:06 +0800, guodeqing wrote:
>> The ihl value of ip header is smaller than 5 in some cases, if the
>> ihl value is smaller than 5, then the next code will access the illegal
>> address, and the system will panic. ip_fast_csum() must be able to handle
>> any value that could fit in the ihl field of the ip protocol header.
>>
>> Here I add the check of the ihl value to solve this problem.
>
> Applied to arm64 (for-next/fixes), thanks!
>
> [1/1] arm64: csum: Reject IP headers with 'ihl' field smaller than five
>       https://git.kernel.org/arm64/c/09aaef1c5f50

I'm not sure your commit message is entirely right there. AFAICS it's
not "the same way as x86" at all - x86 dereferences the first word of
iph and returns that as the sum if ihl <= 4 (and thus is still capable
of crashing given sufficiently bogus data). I'm not sure where "return 1"
came from - if we're going to return nonsense then the mildly more
efficient choice of 0 seems just as good.

Otherwise it would seem reasonable to jump straight into the
word-at-a-time loop if ip_fast_csum() is really expected to cope with
more than just genuine IP headers (which should be backed by at least 20
bytes of valid memory regardless of what ihl says).

I still think this smells of papering over some other bug that led to a
bogus skb getting that far into the transmit stack in the first place -
presumably it's all wasted effort anyway since a "header" with no space
for a destination address and a deliberately wrong checksum seems
unlikely to go very far... On a quick look there appear to be quite a
few implementations dereferencing up to 5 words unconditionally, so it's
not like this is arm64's own bug.

Robin.
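The two options weighed in the message above (reject a short ihl with a fixed value, or run a word-at-a-time loop over exactly ihl words) can be compared in a userspace C model, together with the caller-side validation that keeps a bogus header from reaching the checksum routine at all. This is an added example, not kernel code and not part of the original message. The names csum_loop, csum_reject and ip_header_sane are hypothetical, and sample_hdr is a constructed header.

```c
#include <stddef.h>
#include <stdint.h>

/* Fold a wide accumulator into a 16-bit ones'-complement checksum. */
static uint16_t csum_fold64(uint64_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Loop variant: touches exactly ihl * 4 bytes, whatever ihl (0..15) says. */
uint16_t csum_loop(const uint8_t *iph, unsigned int ihl)
{
    uint64_t sum = 0;

    for (unsigned int i = 0; i < ihl; i++) {
        const uint8_t *p = iph + 4 * i;   /* byte loads: no alignment needs */
        sum += ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    }
    return csum_fold64(sum);
}

/* Reject variant: ihl < 5 yields the fixed value 1 named in the thread. */
uint16_t csum_reject(const uint8_t *iph, unsigned int ihl)
{
    return ihl < 5 ? 1 : csum_loop(iph, ihl);
}

/* Caller-side check: ihl must cover the 20-byte fixed header and fit len. */
int ip_header_sane(const uint8_t *buf, size_t len)
{
    unsigned int ihl = len ? (buf[0] & 0x0fu) : 0;

    return len >= 20 && ihl >= 5 && (size_t)ihl * 4 <= len;
}

/* Constructed sample: valid 20-byte IPv4 header, checksum bytes b8 61. */
const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7,
};

int main(void)
{
    /* Exit status 0 when the valid header passes both checks. */
    return !(ip_header_sane(sample_hdr, sizeof(sample_hdr)) &&
             csum_loop(sample_hdr, 5) == 0);
}
```

A checksum of 0 over the whole header means the header verifies; neither variant makes a short header meaningful, which is why the length check belongs in the caller.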