Re: [Patch net] net: remove the bogus overflow debug check in pskb_may_pull()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> On 6/7/24 23:32, Kuniyuki Iwashima wrote:
> > From: Cong Wang <xiyou.wangcong@xxxxxxxxx>
> > Date: Fri, 7 Jun 2024 09:14:04 -0700
> > > On Fri, Jun 07, 2024 at 01:27:47AM +0200, Florian Westphal wrote:
> > > > Cong Wang <xiyou.wangcong@xxxxxxxxx> wrote:
> > > > > From: Cong Wang <cong.wang@xxxxxxxxxxxxx>
> > > > > 
> > > > > Commit 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push
> > > > > helpers") introduced an overflow debug check for pull/push helpers.
> > > > > For __skb_pull() this makes sense because its callers rarely check its
> > > > > return value. But for pskb_may_pull() it does not make sense, since its
> > > > > return value is properly taken care of. Remove the one in
> > > > > pskb_may_pull(), we can continue rely on its return value.
> > > > See 025f8ad20f2e3264d11683aa9cbbf0083eefbdcd which would not exist
> > > > without this check, I would not give up yet.
> > > What's the point of that commit?
> > 4b911a9690d7 would be better example.  The warning actually found a
> > bug in NSH GSO.
> > 
> > Here's splats triggered by syzkaller using NSH over various tunnels.
> > https://lore.kernel.org/netdev/20240415222041.18537-2-kuniyu@xxxxxxxxxx/
> 
> 
> Right. We discussed this before. I guess I forgot to send the fix.
> Florian could you submit the suggestion I made before ?
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 358870408a51e61f3cbc552736806e4dfee1ec39..da7aae6fd8ba557c66699d1cfebd47f18f442aa2
> 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -1662,6 +1662,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
>  static inline int __bpf_try_make_writable(struct sk_buff *skb,
>                        unsigned int write_len)
>  {
> +#if defined(CONFIG_DEBUG_NET)
> +    /* Avoid a splat in pskb_may_pull_reason() */
> +    if (write_len > INT_MAX)
> +        return -EINVAL;
> +#endif
>      return skb_ensure_writable(skb, write_len);
>  }

Makes sense, I'll probably not get to this before Friday though, so if
anyone else wants to do this: go right ahead.
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux