vsock/virtio: Fix data loss/disclosure due to joining of non-linear skb

[PATCH net v2 0/2] vsock/virtio: Fix data loss/disclosure due to joining of non-linear skb

Michal Luczaj posted 2 patches 3 weeks, 5 days ago

Download series mbox

net/vmw_vsock/virtio_transport_common.c   |  6 ++-
tools/testing/vsock/vsock_test.c          |  5 +++
tools/testing/vsock/vsock_test_zerocopy.c | 74 +++++++++++++++++++++++++++++++
tools/testing/vsock/vsock_test_zerocopy.h |  3 ++
4 files changed, 86 insertions(+), 2 deletions(-)

Expand all Fold all

[PATCH net v2 0/2] vsock/virtio: Fix data loss/disclosure due to joining of non-linear skb

Posted by Michal Luczaj 3 weeks, 5 days ago

Loopback transport coalesces some skbs too eagerly. Handling a zerocopy
(non-linear) skb as a linear one leads to skb data loss and kernel memory
disclosure.

Plug the loss/leak by allowing only linear skb join. Provide a test.

Signed-off-by: Michal Luczaj <mhal@rbox.co>
---
Changes in v2:
- Point out virtio transports affected/unaffected [Stefano]
- Move and comment skb_is_nonlinear() check [Stefano]
- Describe test logic in detail, mention "virtio" in the name [Stefano]
- Test: call poll() with a proper timeout, drop recv_verify()
- Link to v1: https://lore.kernel.org/r/20260108-vsock-recv-coalescence-v1-0-26f97bb9a99b@rbox.co

---
Michal Luczaj (2):
      vsock/virtio: Coalesce only linear skb
      vsock/test: Add test for a linear and non-linear skb getting coalesced

 net/vmw_vsock/virtio_transport_common.c   |  6 ++-
 tools/testing/vsock/vsock_test.c          |  5 +++
 tools/testing/vsock/vsock_test_zerocopy.c | 74 +++++++++++++++++++++++++++++++
 tools/testing/vsock/vsock_test_zerocopy.h |  3 ++
 4 files changed, 86 insertions(+), 2 deletions(-)
---
base-commit: ffe4ccd359d006eba559cb1a3c6113144b7fb38c
change-id: 20260103-vsock-recv-coalescence-38178fafd10c

Best regards,
-- 
Michal Luczaj <mhal@rbox.co>