From mboxrd@z Thu Jan 1 00:00:00 1970 From: Willem de Bruijn Subject: Re: [PATCH net] packet: in packet_snd start writing at link layer allocation Date: Thu, 24 May 2018 11:17:32 -0400 Message-ID: References: <20180511172425.213901-1-willemdebruijn.kernel@gmail.com> <20180513.202055.2059612987939748570.davem@davemloft.net> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Cc: David Miller , Network Development , Eric Dumazet , Willem de Bruijn , Maor Gottlieb To: Tariq Toukan Return-path: Received: from mail-ua0-f194.google.com ([209.85.217.194]:46803 "EHLO mail-ua0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966307AbeEXPSO (ORCPT ); Thu, 24 May 2018 11:18:14 -0400 Received: by mail-ua0-f194.google.com with SMTP id e8-v6so1337790uam.13 for ; Thu, 24 May 2018 08:18:13 -0700 (PDT) In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Thu, May 24, 2018 at 11:07 AM, Tariq Toukan wrote: > > > On 14/05/2018 3:20 AM, David Miller wrote: >> >> From: Willem de Bruijn >> Date: Fri, 11 May 2018 13:24:25 -0400 >> >>> From: Willem de Bruijn >>> >>> Packet sockets allow construction of packets shorter than >>> dev->hard_header_len to accommodate protocols with variable length >>> link layer headers. These packets are padded to dev->hard_header_len, >>> because some device drivers interpret that as a minimum packet size. >>> >>> packet_snd reserves dev->hard_header_len bytes on allocation. >>> SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that >>> link layer headers are stored in the reserved range. SOCK_RAW sockets >>> do the same in tpacket_snd, but not in packet_snd. >>> >>> Syzbot was able to send a zero byte packet to a device with massive >>> 116B link layer header, causing padding to cross over into skb_shinfo. >>> Fix this by writing from the start of the llheader reserved range also >>> in the case of packet_snd/SOCK_RAW. >>> >>> Update skb_set_network_header to the new offset. This also corrects >>> it for SOCK_DGRAM, where it incorrectly double counted reserve due to >>> the skb_push in dev_hard_header. >>> >>> Fixes: 9ed988cd5915 ("packet: validate variable length ll headers") >>> Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com >>> Signed-off-by: Willem de Bruijn >> >> >> Applied and queued up for -stable, thanks Willem. >> > > Hi, > > One of our regression tests started failing. Once this patch is reverted, > test passes. > > The tests add flow steering rules in the receiver side and in the sender > side it send the packet with some RAW socket applications. Then received > side gets completion with error. > > Our verification team compared the packets between the stable and the broken > version, in the broken version we have some extra bytes at the end of the > packet. > > It looks like some bad push to the SKB, maybe the conditional reserved > addition should be more strict? > > Any idea? Thanks for reporting, sorry for the breakage. I think I might. This skb_push moves back the start of skb->data in the same way that tpacket_snd does. But it does not reduce the length passed to skb_put, so this might double count hard_header_len. Let me construct a test.