On Tue, Jan 2, 2018 at 12:23 PM, Willem de Bruijn wrote:
>> Actually, changes just to inet_gso_segment and ipv6_gso_segment
>> will suffice:
>>
>>bool udpfrag = false, fixedid = false, gso_partial, encap;
>> struct sk_buff *segs = ERR_PTR(-EINVAL);
>> + unsigned int offset =
> Actually, changes just to inet_gso_segment and ipv6_gso_segment
> will suffice:
>
>bool udpfrag = false, fixedid = false, gso_partial, encap;
> struct sk_buff *segs = ERR_PTR(-EINVAL);
> + unsigned int offset = 0, gso_type;
> const struct net_offload *ops;
> -
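Review bot: in the declaration line `unsigned int offset = 0, gso_type;` the new `gso_type` local is left uninitialized while `offset` gets an explicit zero; that is only safe if every path through the function assigns `gso_type` before its first read, which the quoted lines do not show. Either initialize it at the declaration or make sure the assignment is unconditional before any use, so a later reordering of the GSO checks cannot leave it read-before-write.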
> Good point. Packet sockets require CAP_NET_RAW, but this is also
> taken for virtio, so we probably want more stringent entry tests here.
That would be something like
#include
+#include
#include
+#include
static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
> It seems virtio_net could use more sanity checks. When PACKET_VNET_HDR
> is used, it will end up calling:
> tpacket_rcv() {
> ...
> if (do_vnet) {
> if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
> sizeof(struct virtio_net_hdr
>> and with the reproducer, got:
>> [ 54.255469] Bogus gso_type: 7
>> [ 54.258801] Bogus gso_size: 63464
>> [ 54.262532] [ cut here ]
>> [ 54.267703] syz0: caps=(0x080058c1, 0x) len=32 data_len=0 gso_size=63464 gso_type=7 ip_summed=0
>> [
On Sun, Dec 31, 2017 at 10:25 AM, Marcelo Ricardo Leitner wrote:
> On Sat, Dec 30, 2017 at 10:52:20PM -0200, Marcelo Ricardo Leitner wrote:
>> On Sat, Dec 30, 2017 at 08:42:41AM +0100, Willem de Bruijn wrote:
> [...]
>> > Somewhat tangential, but any PF_PACKET socket can set this
>> > magic gso_si
On Sat, Dec 30, 2017 at 10:52:20PM -0200, Marcelo Ricardo Leitner wrote:
> On Sat, Dec 30, 2017 at 08:42:41AM +0100, Willem de Bruijn wrote:
[...]
> > Somewhat tangential, but any PF_PACKET socket can set this
> > magic gso_size value in its virtio_net_hdr, so if it is assumed to
> > be an SCTP GSO
On Sat, Dec 30, 2017 at 08:42:41AM +0100, Willem de Bruijn wrote:
> > syzkaller hit the following crash on
> > 37759fa6d0fa9e4d6036d19ac12f555bfc0aeafd
> > git://git.cmpxchg.org/linux-mmots.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
On Sat, Dec 30, 2017 at 7:54 PM, Willem de Bruijn wrote:
>> So this is a packet socket writing something that apparently looks
>> like an SCTP packet, is only 42 bytes long, but has GSO set in its
>> virtio_net_hdr struct.
>>
>> It crashes in skb_segment seemingly on a NULL list_skb.
>>
>> (gdb) l
> So this is a packet socket writing something that apparently looks
> like an SCTP packet, is only 42 bytes long, but has GSO set in its
> virtio_net_hdr struct.
>
> It crashes in skb_segment seemingly on a NULL list_skb.
>
> (gdb) list *(skb_segment+0x2a4)
> 0x8167cc24 is in skb_segment (
> syzkaller hit the following crash on
> 37759fa6d0fa9e4d6036d19ac12f555bfc0aeafd
> git://git.cmpxchg.org/linux-mmots.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://go
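Added example, not code from this thread or from the kernel tree: a userspace C model of the kind of stricter entry check the discussion asks for in virtio_net_hdr_to_skb(), applied to the virtio_net_hdr a PACKET_VNET_HDR sender supplies before the skb is ever marked GSO and handed to skb_segment(). The struct layout and constants mirror linux/virtio_net.h (redefined here so it builds without kernel headers, assuming a little-endian host); the policy itself, which fields must be consistent with the packet length and that a packet fitting in one segment is treated as non-GSO rather than rejected, is this example's assumption. The sample headers in main(), including the len=32/gso_size=63464 pair from the report, are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Layout and constants of struct virtio_net_hdr as in the Linux UAPI header
 * linux/virtio_net.h, redefined so the example builds without kernel headers.
 * Assumption: little-endian host, so __virtio16 fields read as plain uint16_t.
 */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 0x01
#define VIRTIO_NET_HDR_GSO_NONE     0x00
#define VIRTIO_NET_HDR_GSO_TCPV4    0x01
#define VIRTIO_NET_HDR_GSO_UDP      0x03
#define VIRTIO_NET_HDR_GSO_TCPV6    0x04
#define VIRTIO_NET_HDR_GSO_ECN      0x80

struct virtio_net_hdr {
	uint8_t  flags;
	uint8_t  gso_type;
	uint16_t hdr_len;
	uint16_t gso_size;
	uint16_t csum_start;
	uint16_t csum_offset;
};

/* Verdict of the hypothetical entry check (this example's own policy). */
enum vnet_verdict {
	VNET_REJECT = -1,  /* header inconsistent with the packet: drop it */
	VNET_PLAIN  =  0,  /* accept, but do not mark the skb as GSO */
	VNET_GSO    =  1,  /* accept and hand it to the segmentation path */
};

/*
 * Check an untrusted virtio_net_hdr against the packet it describes
 * (pkt_len bytes starting at the link-layer header). Not the kernel's code.
 */
enum vnet_verdict vnet_hdr_validate(const struct virtio_net_hdr *h,
				    size_t pkt_len)
{
	uint8_t base_type = h->gso_type & ~VIRTIO_NET_HDR_GSO_ECN;

	/* Checksum offload: the 16-bit checksum field must lie inside the packet. */
	if ((h->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) &&
	    (size_t)h->csum_start + h->csum_offset + sizeof(uint16_t) > pkt_len)
		return VNET_REJECT;

	if (h->gso_type == VIRTIO_NET_HDR_GSO_NONE)
		return VNET_PLAIN;

	/* Only the defined GSO types pass; ECN alone or any unknown value is
	 * rejected instead of being guessed at. */
	switch (base_type) {
	case VIRTIO_NET_HDR_GSO_TCPV4:
	case VIRTIO_NET_HDR_GSO_TCPV6:
	case VIRTIO_NET_HDR_GSO_UDP:
		break;
	default:
		return VNET_REJECT;
	}

	/* gso_size 0 is meaningless for segmentation; 0xffff is GSO_BY_FRAGS,
	 * a kernel-internal marker that must never arrive from user space. */
	if (h->gso_size == 0 || h->gso_size == 0xffff)
		return VNET_REJECT;

	/* hdr_len is only a hint, but it must not claim more header than exists. */
	if (h->hdr_len > pkt_len)
		return VNET_REJECT;

	/* A payload that already fits in one segment has nothing to segment,
	 * e.g. len=32 with gso_size=63464 as in the report: treat it as a
	 * plain packet instead of feeding it to the protocol segmenters. */
	if (pkt_len - h->hdr_len <= h->gso_size)
		return VNET_PLAIN;

	return VNET_GSO;
}

/* Convenience wrapper: build a header from its fields and validate it. */
int vnet_check(uint8_t flags, uint8_t gso_type, uint16_t hdr_len,
	       uint16_t gso_size, uint16_t csum_start, uint16_t csum_offset,
	       size_t pkt_len)
{
	struct virtio_net_hdr h = {
		.flags = flags, .gso_type = gso_type, .hdr_len = hdr_len,
		.gso_size = gso_size, .csum_start = csum_start,
		.csum_offset = csum_offset,
	};
	return vnet_hdr_validate(&h, pkt_len);
}

int main(void)
{
	/* Constructed cases; -1 reject, 0 plain, 1 GSO. */
	printf("plain 42-byte packet:          %d\n",
	       vnet_check(0, VIRTIO_NET_HDR_GSO_NONE, 0, 0, 0, 0, 42));
	printf("gso_size 63464 on 32 bytes:    %d\n",
	       vnet_check(0, VIRTIO_NET_HDR_GSO_TCPV4, 0, 63464, 0, 0, 32));
	printf("undefined gso_type 7:          %d\n",
	       vnet_check(0, 7, 0, 1400, 0, 0, 4096));
	printf("csum field past end of packet: %d\n",
	       vnet_check(VIRTIO_NET_HDR_F_NEEDS_CSUM, VIRTIO_NET_HDR_GSO_NONE,
			  0, 0, 60, 16, 64));
	printf("TCPv4 GSO with ECN, 64 KiB:    %d\n",
	       vnet_check(0, VIRTIO_NET_HDR_GSO_TCPV4 | VIRTIO_NET_HDR_GSO_ECN,
			  54, 1448, 34, 16, 65535));
	return 0;
}
```

The point of returning VNET_PLAIN rather than rejecting a too-small GSO packet is that a legitimate sender may set GSO on every packet regardless of size; what must never happen is that such a packet reaches the segmenters with a gso_size larger than the payload, so the GSO marking is dropped at the entry point where the header is still just untrusted input.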