Date: Tue, 9 May 2017 15:50:04 +0200 From: "Jason A. Donenfeld" <Jason@...c4.com> To: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, davem@...emloft.net, kernel-hardening@...ts.openwall.com Cc: "Jason A. Donenfeld" <Jason@...c4.com> Subject: [PATCH v7 0/5] skb_to_sgvec hardening The recent bug with macsec and historical one with virtio have indicated that letting skb_to_sgvec trounce all over an sglist without checking the length is probably a bad idea. And it's not necessary either: an sglist already explicitly marks its last item, and the initialization functions are diligent in doing so. Thus there's a clear way of avoiding future overflows. So, this patchset, from a high level, makes skb_to_sgvec return a potential error code, and then adjusts all callers to check for the error code. There are two situations in which skb_to_sgvec might return such an error: 1) When the passed in sglist is too small; and 2) When the passed in skbuff is too deeply nested. So, the first patch in this series handles the issues with skb_to_sgvec directly, and the remaining ones then handle the call sites. Jason A. Donenfeld (5): skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow ipsec: check return value of skb_to_sgvec always rxrpc: check return value of skb_to_sgvec always macsec: check return value of skb_to_sgvec always virtio_net: check return value of skb_to_sgvec always drivers/net/macsec.c | 13 ++++++++-- drivers/net/virtio_net.c | 4 ++- net/core/skbuff.c | 65 +++++++++++++++++++++++++++++++----------------- net/ipv4/ah4.c | 8 ++++-- net/ipv4/esp4.c | 30 ++++++++++++++-------- net/ipv6/ah6.c | 8 ++++-- net/ipv6/esp6.c | 31 +++++++++++++++-------- net/rxrpc/rxkad.c | 13 +++++++--- 8 files changed, 119 insertions(+), 53 deletions(-) -- 2.12.2
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.