From: Michal Kubecek <mkubecek@suse.cz>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: "David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, stable@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Sasha Levin <sasha.levin@oracle.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>, Zefan Li <lizefan@huawei.com>,
Ben Hutchings <ben@decadent.org.uk>
Subject: Re: [PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec()
Date: Fri, 23 Oct 2015 11:39:46 +0200 [thread overview]
Message-ID: <20151023093946.GA9789@unicorn.suse.cz> (raw)
In-Reply-To: <20151023092219.GA10782@bistromath.redhat.com>
On Fri, Oct 23, 2015 at 11:22:19AM +0200, Sabrina Dubroca wrote:
> Hello Michal,
>
> 2015-10-23, 10:46:09 +0200, Michal Kubecek wrote:
> > Mainline commit 89c22d8c3b27 ("net: Fix skb csum races when peeking")
> > backport into pre-3.19 stable kernels introduces a regression causing
> > null pointer dererefence in skb_copy_and_csum_datagram_iovec().
> >
> > This commit only sets CHECKSUM_UNNECESSARY for non-shared skb, allowing
> > udp_recvmsg() to take the "else" branch of if (skb_csum_unnecessary(skb))
> > when called with null iovec (and len=0, e.g. when peeking for datagram
> > size first). The problem is that unlike skb_copy_and_csum_datagram_msg()
> > called in this path since 3.19, skb_copy_and_csum_datagram_iovec() does
> > not handle null iov parameter and always dereferences iov->iov_len. This
> > is especially harmful when udp_recvmsg() is called in kernel context,
> > e.g. from kernel nfsd.
> >
> > Band-aid skb_copy_and_csum_datagram_iovec() by testing iov for null and
> > only checking the checksum in this case.
> >
> > Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> > ---
>
> I ran into this problem too and that was my initial solution to this
> problem as well, but actually, we need a more complete fix, like the
> one I submitted a few days ago:
>
> http://patchwork.ozlabs.org/patch/530642/
>
> With your solution, userspace can still receive bogus EFAULT, or the
> kernel ends up writing data to an unwanted memory location.
I must admit I wondered why skb_copy_and_csum_datagram_iovec() doesn't
get (and check) read length and why it cannot overfill the buffer. But
then I saw the comment "Caller _must_ check that skb will fit to this
iovec", stopped thinking and assumed it's OK. I guess I should be less
trusting... :-(
Thank you for the warning.
Michal Kubecek
next prev parent reply other threads:[~2015-10-23 9:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-23 8:46 [PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec() Michal Kubecek
2015-10-23 9:22 ` Sabrina Dubroca
2015-10-23 9:39 ` Michal Kubecek [this message]
2015-10-26 11:25 ` Luis Henriques
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151023093946.GA9789@unicorn.suse.cz \
--to=mkubecek@suse.cz \
--cc=ben@decadent.org.uk \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jslaby@suse.cz \
--cc=lizefan@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=sd@queasysnail.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).