Unfortunately commit
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
needs follow-up
net: avoid false positives in untrusted gso validation http://patchwork.ozlabs.org/patch/1044429/
It rejects illegal packets injected from userspace, including at least one that can crash the kernel. But I'm afraid it has false positives.
I would suggest holding back on the backport to stable branches until both patches can go in together.
If the second patch is not accepted, the alternative will be to revert this filter-based approach completely and fix the narrow kernel crash (but I'm afraid that syzkaller will just find others..)
Apologies for the mess,
Willem
On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
Unfortunately commit
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
needs follow-up
net: avoid false positives in untrusted gso validation http://patchwork.ozlabs.org/patch/1044429/
It rejects illegal packets injected from userspace, including at least one that can crash the kernel. But I'm afraid it has false positives.
I would suggest holding back on the backport to stable branches until both patches can go in together.
If the second patch is not accepted, the alternative will be to revert this filter-based approach completely and fix the narrow kernel crash (but I'm afraid that syzkaller will just find others..)
Apologies for the mess,
Ok, I will go drop this patch from all of the stable queues. Can you remind me when your fixup hits Linus's tree so that I can queue up both patches?
thanks,
greg k-h
On Thu, Feb 21, 2019 at 11:18 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
Unfortunately commit
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
needs follow-up
net: avoid false positives in untrusted gso validation http://patchwork.ozlabs.org/patch/1044429/
It rejects illegal packets injected from userspace, including at least one that can crash the kernel. But I'm afraid it has false positives.
I would suggest holding back on the backport to stable branches until both patches can go in together.
If the second patch is not accepted, the alternative will be to revert this filter-based approach completely and fix the narrow kernel crash (but I'm afraid that syzkaller will just find others..)
Apologies for the mess,
Ok, I will go drop this patch from all of the stable queues. Can you remind me when your fixup hits Linus's tree so that I can queue up both patches?
Thanks Greg.
Okay, I'll reply to this thread with the follow-up commit SHA1.
On Thu, Feb 21, 2019 at 11:41 AM Willem de Bruijn willemdebruijn.kernel@gmail.com wrote:
On Thu, Feb 21, 2019 at 11:18 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
Unfortunately commit
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
needs follow-up
net: avoid false positives in untrusted gso validation http://patchwork.ozlabs.org/patch/1044429/
It rejects illegal packets injected from userspace, including at least one that can crash the kernel. But I'm afraid it has false positives.
I would suggest holding back on the backport to stable branches until both patches can go in together.
If the second patch is not accepted, the alternative will be to revert this filter-based approach completely and fix the narrow kernel crash (but I'm afraid that syzkaller will just find others..)
Apologies for the mess,
Ok, I will go drop this patch from all of the stable queues. Can you remind me when your fixup hits Linus's tree so that I can queue up both patches?
Thanks Greg.
Okay, I'll reply to this thread with the follow-up commit SHA1.
Both patches have now landed in linus's tree
this patch
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
and its fix
net: avoid false positives in untrusted gso validation 9e8db5913264d3967b93c765a6a9e464d9c473db
Thanks
Willem
On Sun, Feb 24, 2019 at 05:53:16PM -0500, Willem de Bruijn wrote:
On Thu, Feb 21, 2019 at 11:41 AM Willem de Bruijn willemdebruijn.kernel@gmail.com wrote:
On Thu, Feb 21, 2019 at 11:18 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Thu, Feb 21, 2019 at 10:38:16AM -0500, Willem de Bruijn wrote:
Unfortunately commit
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
needs follow-up
net: avoid false positives in untrusted gso validation http://patchwork.ozlabs.org/patch/1044429/
It rejects illegal packets injected from userspace, including at least one that can crash the kernel. But I'm afraid it has false positives.
I would suggest holding back on the backport to stable branches until both patches can go in together.
If the second patch is not accepted, the alternative will be to revert this filter-based approach completely and fix the narrow kernel crash (but I'm afraid that syzkaller will just find others..)
Apologies for the mess,
Ok, I will go drop this patch from all of the stable queues. Can you remind me when your fixup hits Linus's tree so that I can queue up both patches?
Thanks Greg.
Okay, I'll reply to this thread with the follow-up commit SHA1.
Both patches have now landed in linus's tree
this patch
net: validate untrusted gso packets without csum offload d5be7f632bad0f489879eed0ff4b99bd7fe0b74c
and its fix
net: avoid false positives in untrusted gso validation 9e8db5913264d3967b93c765a6a9e464d9c473db
Thanks for letting me know, now queued up.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Willem de Bruijn