* [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
[not found] <cover.1773323637.git.kanolyc@gmail.com>
From: Yucheng Lu @ 2026-03-31 8:00 UTC
To: security, stephen, netdev
Cc: jhs, jiri, davem, Jason, kees, yifanwucs, tomapufckgml, tanyuan98, bird, z1652074432, Yucheng Lu

In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.

Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access.

Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

Fixes: c865e5d99e25 ("[PKT_SCHED] netem: packet corruption option")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
---
This email was not CCed to the public mailing list previously, so I am resending it with the mailing list included. Sorry for the inconvenience.

 net/sched/sch_netem.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 5de1c932944a..da9e2f60160c 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -519,8 +519,9 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch, goto finish_segs; } - skb->data[get_random_u32_below(skb_headlen(skb))] ^= - 1<<get_random_u32_below(8); + if (skb_headlen(skb)) + skb->data[get_random_u32_below(skb_headlen(skb))] ^= + 1 << get_random_u32_below(8); } if (unlikely(q->t_len >= sch->limit)) { -- 2.47.3 ^ permalink raw reply related [flat|nested] 3+ messages in thread
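Review bot: the guard and the index expression each call skb_headlen(skb) separately, so the bound that is checked and the bound that is used are computed twice; hoisting it into a local (`unsigned int len = skb_headlen(skb);` followed by `if (len) skb->data[get_random_u32_below(len)] ^= 1 << get_random_u32_below(8);`) ties the check to the index in one place and reads more clearly. Because a fully non-linear skb now leaves the corruption step without doing anything, a one-line comment above the `if` saying this is intentional would stop a later reader from taking it for an accidental skip. The `1<<` to `1 <<` whitespace change is unrelated to the fix; harmless, but a net-tree fix usually leaves such cleanups out so the backportable diff stays minimal.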
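As an added illustration (not part of the patch or of the kernel source), the following user-space C model reproduces the check this hunk introduces: `skb_model`, `rand_u32`, `rand_below` and the `unchecked_index_in_bounds`/`corrupt_checked` functions are constructed stand-ins, and `rand_below` deliberately hands back an unconstrained value for a ceiling of 0 to mirror the behaviour the commit message describes, not the kernel's own implementation.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-in for the two skb fields the corruption step touches. */
struct skb_model {
	unsigned char *data;  /* linear data area */
	uint32_t headlen;     /* skb_headlen(): 0 for a fully non-linear skb */
};
/* Deterministic xorshift32 in place of get_random_u32(); the seed is arbitrary. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t rand_u32(void)
{
	uint32_t x = rng_state;
	x ^= x << 13; x ^= x >> 17; x ^= x << 5;
	return rng_state = x;
}
/* Model of get_random_u32_below(): bounded only for ceil > 0. For ceil == 0 it returns
 * the raw 32-bit value, the unconstrained result the commit message describes. */
static uint32_t rand_below(uint32_t ceil)
{
	uint32_t r = rand_u32();
	return ceil ? (uint32_t)(((uint64_t)ceil * r) >> 32) : r;
}
/* Before the fix: index drawn with no check for an empty linear area. Reports
 * whether the index the old code would use lies inside that area. */
bool unchecked_index_in_bounds(uint32_t headlen)
{
	return rand_below(headlen) < headlen;
}
/* After the fix: skip a fully non-linear skb (return -1); otherwise flip one
 * bit of one byte inside the linear area and return that byte's index. */
int corrupt_checked(struct skb_model *skb)
{
	if (!skb->headlen)
		return -1;
	uint32_t idx = rand_below(skb->headlen);
	skb->data[idx] ^= (unsigned char)(1u << rand_below(8));
	return (int)idx;
}
/* Fixed path on an empty skb and on a 64-byte linear one: the first is skipped,
 * the second gets exactly one bit flipped at an in-range index. */
bool checked_path_is_safe(void)
{
	unsigned char buf[64] = {0};
	struct skb_model empty = { buf, 0 }, lin = { buf, sizeof buf };
	if (corrupt_checked(&empty) != -1) return false;
	int idx = corrupt_checked(&lin);
	if (idx < 0 || (uint32_t)idx >= lin.headlen) return false;
	int bits = 0;
	for (unsigned i = 0; i < sizeof buf; i++) bits += __builtin_popcount(buf[i]);
	return bits == 1;
}
```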
* Re: [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
From: Stephen Hemminger @ 2026-04-01 14:46 UTC
To: Yucheng Lu
Cc: security, netdev, jhs, jiri, davem, Jason, kees, yifanwucs, tomapufckgml, tanyuan98, bird, z1652074432

On Tue, 31 Mar 2026 16:00:21 +0800 Yucheng Lu <kanolyc@gmail.com> wrote:
> In netem_enqueue(), the packet corruption logic uses
> get_random_u32_below(skb_headlen(skb)) to select an index for
> modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
> packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.
>
> Passing 0 to get_random_u32_below() takes the variable-ceil slow path
> which returns an unconstrained 32-bit random integer. Using this
> unconstrained value as an offset into skb->data results in an
> out-of-bounds memory access.
>
> Fix this by verifying skb_headlen(skb) is non-zero before attempting
> to corrupt the linear data area. Fully non-linear packets will silently
> bypass the corruption logic.
>
> Fixes: c865e5d99e25 ("[PKT_SCHED] netem: packet corruption option")
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
> Signed-off-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Yuhang Zheng <z1652074432@gmail.com>
> Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
> ---

This is the correct fix for the net tree. Will make a more robust fix for net-next which handles non-linear packets better.

Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
* Re: [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
From: patchwork-bot+netdevbpf @ 2026-04-02 3:00 UTC
To: Yucheng Lu
Cc: security, stephen, netdev, jhs, jiri, davem, Jason, kees, yifanwucs, tomapufckgml, tanyuan98, bird, z1652074432

Hello:

This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>:

On Tue, 31 Mar 2026 16:00:21 +0800 you wrote:
> In netem_enqueue(), the packet corruption logic uses
> get_random_u32_below(skb_headlen(skb)) to select an index for
> modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
> packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.
>
> Passing 0 to get_random_u32_below() takes the variable-ceil slow path
> which returns an unconstrained 32-bit random integer. Using this
> unconstrained value as an offset into skb->data results in an
> out-of-bounds memory access.
>
> [...]

Here is the summary with links:
- [RESEND,net,v2,1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
  https://git.kernel.org/netdev/net/c/d64cb81dcbd5

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html