* net: validate untrusted gso packets without csum offload
@ 2019-02-21 15:38 Willem de Bruijn
2019-02-21 16:18 ` Greg Kroah-Hartman
0 siblings, 1 reply; 5+ messages in thread
From: Willem de Bruijn @ 2019-02-21 15:38 UTC (permalink / raw)
To: stable; +Cc: David Miller, Greg Kroah-Hartman, sashal
Unfortunately commit
net: validate untrusted gso packets without csum offload
d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
needs follow-up
net: avoid false positives in untrusted gso validation
http://patchwork.ozlabs.org/patch/1044429/
It rejects illegal packets injected from userspace, including at
least one that can crash the kernel. But I'm afraid it has false
positives.
I would suggest holding back on the backport to stable branches until
both patches can go in together.
If the second patch is not accepted, the alternative will be to revert
this filter-based approach completely and fix the narrow kernel crash
(but I'm afraid that syzkaller will just find others..)
Apologies for the mess,
Willem
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: validate untrusted gso packets without csum offload
2019-02-21 15:38 net: validate untrusted gso packets without csum offload Willem de Bruijn
@ 2019-02-21 16:18 ` Greg Kroah-Hartman
2019-02-21 16:41 ` Willem de Bruijn
0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-21 16:18 UTC (permalink / raw)
To: Willem de Bruijn; +Cc: stable, David Miller, sashal
On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
> Unfortunately commit
>
> net: validate untrusted gso packets without csum offload
> d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
>
> needs follow-up
>
> net: avoid false positives in untrusted gso validation
> http://patchwork.ozlabs.org/patch/1044429/
>
> It rejects illegal packets injected from userspace, including at
> least one that can crash the kernel. But I'm afraid it has false
> positives.
>
> I would suggest holding back on the backport to stable branches until
> both patches can go in together.
>
> If the second patch is not accepted, the alternative will be to revert
> this filter-based approach completely and fix the narrow kernel crash
> (but I'm afraid that syzkaller will just find others..)
>
> Apologies for the mess,
Ok, I will go drop this patch from all of the stable queues. Can you
remind me when your fixup hits Linus's tree so that I can queue up both
patches?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: validate untrusted gso packets without csum offload
2019-02-21 16:18 ` Greg Kroah-Hartman
@ 2019-02-21 16:41 ` Willem de Bruijn
2019-02-24 22:53 ` Willem de Bruijn
0 siblings, 1 reply; 5+ messages in thread
From: Willem de Bruijn @ 2019-02-21 16:41 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, David Miller, Sasha Levin
On Thu, Feb 21, 2019 at 11:18 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
> > Unfortunately commit
> >
> > net: validate untrusted gso packets without csum offload
> > d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
> >
> > needs follow-up
> >
> > net: avoid false positives in untrusted gso validation
> > http://patchwork.ozlabs.org/patch/1044429/
> >
> > It rejects illegal packets injected from userspace, including at
> > least one that can crash the kernel. But I'm afraid it has false
> > positives.
> >
> > I would suggest holding back on the backport to stable branches until
> > both patches can go in together.
> >
> > If the second patch is not accepted, the alternative will be to revert
> > this filter-based approach completely and fix the narrow kernel crash
> > (but I'm afraid that syzkaller will just find others..)
> >
> > Apologies for the mess,
>
> Ok, I will go drop this patch from all of the stable queues. Can you
> remind me when your fixup hits Linus's tree so that I can queue up both
> patches?
Thanks Greg.
Okay, I'll reply to this thread with the follow-up commit SHA1.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: validate untrusted gso packets without csum offload
2019-02-21 16:41 ` Willem de Bruijn
@ 2019-02-24 22:53 ` Willem de Bruijn
2019-02-25 14:58 ` Greg Kroah-Hartman
0 siblings, 1 reply; 5+ messages in thread
From: Willem de Bruijn @ 2019-02-24 22:53 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, David Miller, Sasha Levin
On Thu, Feb 21, 2019 at 11:41 AM Willem de Bruijn
<willemdebruijn.kernel@gmail.com> wrote:
>
> On Thu, Feb 21, 2019 at 11:18 AM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
> > > Unfortunately commit
> > >
> > > net: validate untrusted gso packets without csum offload
> > > d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
> > >
> > > needs follow-up
> > >
> > > net: avoid false positives in untrusted gso validation
> > > http://patchwork.ozlabs.org/patch/1044429/
> > >
> > > It rejects illegal packets injected from userspace, including at
> > > least one that can crash the kernel. But I'm afraid it has false
> > > positives.
> > >
> > > I would suggest holding back on the backport to stable branches until
> > > both patches can go in together.
> > >
> > > If the second patch is not accepted, the alternative will be to revert
> > > this filter-based approach completely and fix the narrow kernel crash
> > > (but I'm afraid that syzkaller will just find others..)
> > >
> > > Apologies for the mess,
> >
> > Ok, I will go drop this patch from all of the stable queues. Can you
> > remind me when your fixup hits Linus's tree so that I can queue up both
> > patches?
>
> Thanks Greg.
>
> Okay, I'll reply to this thread with the follow-up commit SHA1.
Both patches have now landed in linus's tree
this patch
net: validate untrusted gso packets without csum offload
d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
and its fix
net: avoid false positives in untrusted gso validation
9e8db5913264d3967b93c765a6a9e464d9c473db
Thanks
Willem
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: validate untrusted gso packets without csum offload
2019-02-24 22:53 ` Willem de Bruijn
@ 2019-02-25 14:58 ` Greg Kroah-Hartman
0 siblings, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-25 14:58 UTC (permalink / raw)
To: Willem de Bruijn; +Cc: stable, David Miller, Sasha Levin
On Sun, Feb 24, 2019 at 05:53:16PM -0500, Willem de Bruijn wrote:
> On Thu, Feb 21, 2019 at 11:41 AM Willem de Bruijn
> <willemdebruijn.kernel@gmail.com> wrote:
> >
> > On Thu, Feb 21, 2019 at 11:18 AM Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
> > > > Unfortunately commit
> > > >
> > > > net: validate untrusted gso packets without csum offload
> > > > d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
> > > >
> > > > needs follow-up
> > > >
> > > > net: avoid false positives in untrusted gso validation
> > > > http://patchwork.ozlabs.org/patch/1044429/
> > > >
> > > > It rejects illegal packets injected from userspace, including at
> > > > least one that can crash the kernel. But I'm afraid it has false
> > > > positives.
> > > >
> > > > I would suggest holding back on the backport to stable branches until
> > > > both patches can go in together.
> > > >
> > > > If the second patch is not accepted, the alternative will be to revert
> > > > this filter-based approach completely and fix the narrow kernel crash
> > > > (but I'm afraid that syzkaller will just find others..)
> > > >
> > > > Apologies for the mess,
> > >
> > > Ok, I will go drop this patch from all of the stable queues. Can you
> > > remind me when your fixup hits Linus's tree so that I can queue up both
> > > patches?
> >
> > Thanks Greg.
> >
> > Okay, I'll reply to this thread with the follow-up commit SHA1.
>
> Both patches have now landed in linus's tree
>
> this patch
>
> net: validate untrusted gso packets without csum offload
> d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
>
> and its fix
>
> net: avoid false positives in untrusted gso validation
> 9e8db5913264d3967b93c765a6a9e464d9c473db
Thanks for letting me know, now queued up.
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-02-25 14:58 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-21 15:38 net: validate untrusted gso packets without csum offload Willem de Bruijn
2019-02-21 16:18 ` Greg Kroah-Hartman
2019-02-21 16:41 ` Willem de Bruijn
2019-02-24 22:53 ` Willem de Bruijn
2019-02-25 14:58 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox