From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Dumazet Subject: Re: [PATCH net] tcp: don't read out-of-bounds opsize Date: Fri, 20 Apr 2018 07:21:35 -0700 Message-ID: <552d49b6-1b6e-c320-b56a-a119e360f1d7@gmail.com> References: <20180420135730.44921-1-jannh@google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit To: Jann Horn , davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Return-path: In-Reply-To: <20180420135730.44921-1-jannh@google.com> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On 04/20/2018 06:57 AM, Jann Horn wrote: > The old code reads the "opsize" variable from out-of-bounds memory (first > byte behind the segment) if a broken TCP segment ends directly after an > opcode that is neither EOL nor NOP. > > The result of the read isn't used for anything, so the worst thing that > could theoretically happen is a pagefault; and since the physmap is usually > mostly contiguous, even that seems pretty unlikely. > No page fault possible, because tcp headers are in skb->head And we have 'struct skb_shared_info' at the end of skb->head anyway. But, yes, reading some extra bytes with random content is possible.