On Fri, Mar 4, 2016 at 10:54 AM, Alan Cox <a...@linux.intel.com> wrote: >> > A quick search for ethhdr in drivers/net/ethernet shows, for >> > instance, >> > bnx2x_select_queue casting skb->data to an ethernet header. Reading >> > nonsense in that particular function is quite safe and given the >> > skbuff layout (skb_shared_info) code will never read beyond an >> > allocated region. But that was just the first occurrence I found. >> > efx_tso_check_protocol is another example. > > So would always allocating that much space be a good mitigation in > general
Agreed. The existing packet allocation path does that by relying on LL_RESERVED_SPACE on allocation, not only packet length. I won't modify that. But I should perhaps zero up to hard_header_len on variable length headers. > and perhaps then making the logic check validate() IFF > CAP_SYS_RAWIO is not set. > > A user with CAP_SYS_RAWIO already has the power to control the device > by banging registers so the check is not a security loss. One concern is namespaces. I'll use capable(CAP_SYS_RAWIO), not ns_capable. Need to add an ax25_validate implemention and run some tests before I send out the patch. Thanks, Willem