Netdev List
 help / color / mirror / Atom feed
From: maowenan <maowenan@huawei.com>
To: Michal Kubecek <mkubecek@suse.cz>
Cc: <dwmw2@infradead.org>, <gregkh@linux-foundation.org>,
	<netdev@vger.kernel.org>, <eric.dumazet@gmail.com>,
	<edumazet@google.com>, <davem@davemloft.net>, <ycheng@google.com>,
	<jdw@amazon.de>, <stable@vger.kernel.org>,
	Takashi Iwai <tiwai@suse.de>
Subject: Re: [PATCH stable 4.4 0/9] fix SegmentSmack in stable branch (CVE-2018-5390)
Date: Thu, 16 Aug 2018 15:39:14 +0800	[thread overview]
Message-ID: <827465d9-4116-68a8-c699-d5b2aedce69f@huawei.com> (raw)
In-Reply-To: <20180816072349.2ldy75jia3ubqg3u@unicorn.suse.cz>



On 2018/8/16 15:23, Michal Kubecek wrote:
> On Thu, Aug 16, 2018 at 03:19:12PM +0800, maowenan wrote:
>> On 2018/8/16 14:52, Michal Kubecek wrote:
>>>
>>> My point is that backporting all this into stable 4.4 is quite intrusive
>>> so that if we can achieve similar results with a simple fix of an
>>> obvious omission, it would be preferrable.
>>
>> There are five patches in mainline to fix this CVE, only two patches
>> have no effect on stable 4.4, the important reason is 4.4 use simple
>> queue but mainline use RB tree.
>>
>> I have tried my best to use easy way to fix this with dropping packets
>> 12.5%(or other value) based on simple queue, but the result is not
>> very well, so the RB tree is needed and tested result is my desire.
>>
>> If we only back port two patches but they don't fix the issue, I think
>> they don't make any sense.
> 
> There is an obvious omission in one of the two patches and Takashi's
> patch fixes it. If his follow-up fix (applied on top of what is in
> stable 4.4 now) addresses the problem, I would certainly prefer using it
> over backporting the whole series.

Do you mean below codes from Takashi can fix this CVE?
But I have already tested like this two days ago, it is not good effect.

Could you try to test with POC programme mentioned previous mail in case I made mistake?

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 4a261e078082..9c4c6cd0316e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4835,6 +4835,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
 			end = TCP_SKB_CB(skb)->end_seq;
 			range_truesize = skb->truesize;
 		} else {
+			range_truesize += skb->truesize;
 			if (before(TCP_SKB_CB(skb)->seq, start))
 				start = TCP_SKB_CB(skb)->seq;
 			if (after(TCP_SKB_CB(skb)->end_seq, end))
-- 


> 
> Michal Kubecek
> 
> 
> .
> 

  reply	other threads:[~2018-08-16  7:39 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-16  2:50 [PATCH stable 4.4 0/9] fix SegmentSmack in stable branch (CVE-2018-5390) Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 1/9] Revert "tcp: detect malicious patterns in tcp_collapse_ofo_queue()" Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 2/9] Revert "tcp: avoid collapses in tcp_prune_queue() if possible" Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 3/9] tcp: increment sk_drops for dropped rx packets Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 4/9] tcp: use an RB tree for ooo receive queue Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 5/9] tcp: free batches of packets in tcp_prune_ofo_queue() Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 6/9] tcp: avoid collapses in tcp_prune_queue() if possible Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 7/9] tcp: detect malicious patterns in tcp_collapse_ofo_queue() Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 8/9] tcp: call tcp_drop() from tcp_data_queue_ofo() Mao Wenan
2018-08-16  2:50 ` [PATCH stable 4.4 9/9] tcp: add tcp_ooo_try_coalesce() helper Mao Wenan
2018-08-16  6:16 ` [PATCH stable 4.4 0/9] fix SegmentSmack in stable branch (CVE-2018-5390) Michal Kubecek
2018-08-16  6:42   ` maowenan
2018-08-16  6:52     ` Michal Kubecek
2018-08-16  7:19       ` maowenan
2018-08-16  7:23         ` Michal Kubecek
2018-08-16  7:39           ` maowenan [this message]
2018-08-16  7:44             ` Michal Kubecek
2018-08-16  7:55               ` maowenan
2018-08-16 11:39                 ` Michal Kubecek
2018-08-16 12:05                   ` maowenan
2018-08-16 12:33                     ` Michal Kubecek
2018-08-16 15:24                       ` Greg KH
2018-08-16 16:06                         ` Michal Kubecek
2018-08-16 16:20                           ` Greg KH
2018-08-17  2:48                           ` maowenan
2018-09-13 12:32                         ` Greg KH
2018-09-13 12:44                           ` Eric Dumazet
2018-09-14  2:24                             ` maowenan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=827465d9-4116-68a8-c699-d5b2aedce69f@huawei.com \
    --to=maowenan@huawei.com \
    --cc=davem@davemloft.net \
    --cc=dwmw2@infradead.org \
    --cc=edumazet@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=gregkh@linux-foundation.org \
    --cc=jdw@amazon.de \
    --cc=mkubecek@suse.cz \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=tiwai@suse.de \
    --cc=ycheng@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox