On Wed, May 9, 2018 at 5:05 PM, Willem de Bruijn
wrote:
> On Wed, May 9, 2018 at 3:36 PM, Eric Dumazet wrote:
>>
>>
>> On 05/09/2018 12:21 PM, Willem de Bruijn wrote:
>>
>>> Indeed. The skb shared info struct is zeroed by dev_validate_header
>>> as a result of dev->hard_header_len exceeding skb->
On Wed, May 9, 2018 at 3:36 PM, Eric Dumazet wrote:
>
>
> On 05/09/2018 12:21 PM, Willem de Bruijn wrote:
>
>> Indeed. The skb shared info struct is zeroed by dev_validate_header
>> as a result of dev->hard_header_len exceeding skb->end - skb->data.
>>
>> Not exactly sure yet how this can happen.
On 05/09/2018 12:21 PM, Willem de Bruijn wrote:
> Indeed. The skb shared info struct is zeroed by dev_validate_header
> as a result of dev->hard_header_len exceeding skb->end - skb->data.
>
> Not exactly sure yet how this can happen. The hard header length space
> is accounted for during alloca
On Wed, May 9, 2018 at 12:38 PM, Willem de Bruijn
wrote:
>>> But a crash with the same signature is still occurring, so it should
>>> eventually
>>> get reported again. C reproducer is here, it works on Linus' tree (commit
>>> 036db8bd963): https://syzkaller.appspot.com/text?tag=ReproC&x=105b1ae
>> But a crash with the same signature is still occurring, so it should
>> eventually
>> get reported again. C reproducer is here, it works on Linus' tree (commit
>> 036db8bd963): https://syzkaller.appspot.com/text?tag=ReproC&x=105b1ae780
>
> This appears to be a separate issue.
>
> This repr
On Wed, May 9, 2018 at 3:37 AM, Eric Biggers wrote:
> On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote:
>> On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote:
>> > Note: all commands must start from beginning of the line in the email body.
>> >
>> > I guess skb_probe_transport_heade
On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote:
> On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote:
> > Note: all commands must start from beginning of the line in the email body.
> >
> > I guess skb_probe_transport_header() should be hardened to reject malicious
> > packets giv
On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote:
> Note: all commands must start from beginning of the line in the email body.
>
> I guess skb_probe_transport_header() should be hardened to reject malicious
> packets given by user space, instead of being gentle.
Although bug triggered for t
On Wed, Jan 3, 2018 at 8:58 PM, syzbot
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 37759fa6d0fa9e4d6036d19ac12f555bfc0aeafd
> git://git.cmpxchg.org/linux-mmots.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is a
