From: Stephen Hemminger <stephen@networkplumber.org>
To: Yucheng Lu <kanolyc@gmail.com>
Cc: security@kernel.org, netdev@vger.kernel.org, jhs@mojatatu.com,
jiri@resnulli.us, davem@davemloft.net, Jason@zx2c4.com,
kees@kernel.org, yifanwucs@gmail.com, tomapufckgml@gmail.com,
tanyuan98@outlook.com, bird@lzu.edu.cn, z1652074432@gmail.com
Subject: Re: [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
Date: Wed, 1 Apr 2026 07:46:31 -0700 [thread overview]
Message-ID: <20260401074631.60d11dff@phoenix.local> (raw)
In-Reply-To: <45435c0935df877853a81e6d06205ac738ec65fa.1774941614.git.kanolyc@gmail.com>
On Tue, 31 Mar 2026 16:00:21 +0800
Yucheng Lu <kanolyc@gmail.com> wrote:
> In netem_enqueue(), the packet corruption logic uses
> get_random_u32_below(skb_headlen(skb)) to select an index for
> modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
> packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.
>
> Passing 0 to get_random_u32_below() takes the variable-ceil slow path
> which returns an unconstrained 32-bit random integer. Using this
> unconstrained value as an offset into skb->data results in an
> out-of-bounds memory access.
>
> Fix this by verifying skb_headlen(skb) is non-zero before attempting
> to corrupt the linear data area. Fully non-linear packets will silently
> bypass the corruption logic.
>
> Fixes: c865e5d99e25 ("[PKT_SCHED] netem: packet corruption option")
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
> Signed-off-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Yuhang Zheng <z1652074432@gmail.com>
> Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
> ---
This is the correct fix for the net tree. Will make a more robust
fix for net-next which handles non linear packets better.
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
next prev parent reply other threads:[~2026-04-01 14:46 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1773323637.git.kanolyc@gmail.com>
2026-03-31 8:00 ` [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption Yucheng Lu
2026-04-01 14:46 ` Stephen Hemminger [this message]
2026-04-02 3:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260401074631.60d11dff@phoenix.local \
--to=stephen@networkplumber.org \
--cc=Jason@zx2c4.com \
--cc=bird@lzu.edu.cn \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kanolyc@gmail.com \
--cc=kees@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
--cc=tanyuan98@outlook.com \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=z1652074432@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox