Subject: Re: net: GPF in eth_header
From: Eric Dumazet
To: Andrey Konovalov
Cc: syzkaller, Dmitry Vyukov, David Miller, Tom Herbert, Alexander Duyck, Hannes Frederic Sowa, Jiri Benc, Sabrina Dubroca, netdev, LKML
Date: Tue, 29 Nov 2016 08:15:14 -0800

On Tue, 2016-11-29 at 16:31 +0100, Andrey Konovalov wrote:

> The issue is not with skb_network_offset(), but with __skb_pull()
> using skb_network_offset() as an argument.

No. The issue can happen with _any_ __skb_pull() with a 'negative' argument, on 64bit arches.

skb_network_offset() is only one of the many cases where this could happen if a bug is added at some random place, including memory corruption from a different kernel layer, or buggy hardware.

> I'm not sure what would be the best way to fix this, to add a check
> before every __skb_pull(skb_network_offset()), to fix __skb_pull() to
> work with signed ints, to add BUG_ON()'s in __skb_pull, or something
> else.
>
> What I meant is that you fixed this very instance of the bug, and I'm
> pointing out that a similar one might hit us again.

As I said, adding a check in skb_network_offset() would not be generic enough.
Sure, we can be proactive and add tests everywhere in the kernel, but we also want to keep it reasonably fast.
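To make the mechanism discussed in this message concrete, here is an added C example (not from the thread or the kernel tree): it models where a data pointer ends up when a negative int reaches a pull that takes unsigned int, on a 32-bit versus a 64-bit pointer, and pairs it with a checked pull of the kind Andrey floats. struct skb, pulled_address, skb_pull_checked and demo are constructed names for this example, not kernel identifiers.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the sk_buff fields __skb_pull() touches;
 * example scaffolding, not the kernel's struct sk_buff. */
struct skb {
    unsigned char *data;
    unsigned int   len;
};

/* Address the data pointer ends up at when an int offset is passed to a
 * pull that takes unsigned int, modelled for a 32- or 64-bit pointer.
 * A negative int converts to a value just under 4G: on 32-bit the add
 * wraps back to base + offset, on 64-bit it lands ~4 GiB away. */
uint64_t pulled_address(uint64_t base, int offset, unsigned pointer_bits)
{
    unsigned int as_unsigned = (unsigned int)offset; /* -20 -> 0xFFFFFFEC */
    uint64_t mask = (pointer_bits == 64) ? UINT64_MAX : 0xFFFFFFFFu;
    return (base + as_unsigned) & mask;
}

/* Checked pull: rejects negative or oversized lengths instead of moving
 * skb->data. Returns the new data pointer, or NULL on rejection. */
unsigned char *skb_pull_checked(struct skb *skb, int len)
{
    if (len < 0 || (unsigned int)len > skb->len)
        return NULL;
    skb->len  -= (unsigned int)len;
    skb->data += len;
    return skb->data;
}

/* Runs both helpers on a constructed 64-byte frame. Returns 1 when the
 * 32/64-bit models diverge as described and the checked pull behaves. */
int demo(void)
{
    unsigned char frame[64] = {0};
    struct skb skb = { .data = frame + 14, .len = 50 }; /* after a 14-byte Ethernet header */
    uint64_t base = 0x1000;

    int wraps_on_32 = pulled_address(base, -20, 32) == base - 20;
    int flies_on_64 = pulled_address(base, -20, 64) == base + 0xFFFFFFECull;
    int rejected    = skb_pull_checked(&skb, -14) == NULL;
    int accepted    = skb_pull_checked(&skb, 20) == frame + 34 && skb.len == 30;
    return wraps_on_32 && flies_on_64 && rejected && accepted;
}
```

The 32-bit case "works" only because the pointer addition wraps modulo 2^32; on a 64-bit pointer the same negative offset moves skb->data about 4 GiB forward, which is the fault the subject line reports.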