lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 26 Jun 2008 12:03:08 +0200 (CEST)
From:	Jiri Kosina <jkosina@...e.cz>
To:	"Rafael J. Wysocki" <rjw@...k.pl>
cc:	Stephen Rothwell <sfr@...b.auug.org.au>,
	kernel-testers@...r.kernel.org, linux-next@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Rusty Russell <rusty@...tcorp.com.au>
Subject: Re: linux-next: Tree for June 25

On Thu, 26 Jun 2008, Rafael J. Wysocki wrote:

> BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> IP: [<ffffffff80264230>] find_symbol+0x230/0x260
> PGD 5c817067 PUD 5cccf067 PMD 0
> Oops: 0002 [1] SMP DEBUG_PAGEALLOC
> last sysfs file:
> CPU 0
> Modules linked in:
> Pid: 912, comm: modprobe Not tainted 2.6.26-rc7-next #4
> RIP: 0010:[<ffffffff80264230>]  [<ffffffff80264230>] find_symbol+0x230/0x260
> RSP: 0018:ffff81005cbddc68  EFLAGS: 00010202
> RAX: 0000000000000000 RBX: 000000000000003d RCX: ffffffff805b8568
> RDX: 0000000000000000 RSI: ffffffff80573e0f RDI: ffffffff805c0bcc
> RBP: ffff81005cbddda8 R08: ffff81005cbddd48 R09: 0000000000000001
> R10: 0000000000000000 R11: 000000000000003c R12: fffffffffffffff2
> R13: 00000000000b2507 R14: 00000000006181e0 R15: ffffc20000689240
> FS:  00007f5820fed6f0(0000) GS:ffffffff80613f40(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000000000000 CR3: 000000005c87f000 CR4: 00000000000006e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process modprobe (pid: 912, threadinfo ffff81005cbdc000, task ffff81005c9f6840)
> Stack:  ffff81005c9f6840 0000000000000000 0000000000000000 00000000006180f8
> ffff81005cbddf40 0000000000000000 ffff81005c9f6840 ffffffff8049728f
> 00000000000b2507 00000000006181e0 ffff81005cbddcd8 ffffffff8025c70a
> Call Trace:
> [<ffffffff8049728f>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [<ffffffff8025c70a>] ? trace_hardirqs_on_caller+0xca/0x160
> [<ffffffff8049728f>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [<ffffffff8020f167>] ? do_softirq+0x47/0xa0
> [<ffffffff8020bc9f>] ? restore_args+0x0/0x30
> [<ffffffff80263c80>] ? struct_module+0x0/0x10
> [<ffffffff802648f3>] ? find_sec+0x53/0x70
> [<ffffffff80265c04>] sys_init_module+0x6b4/0x1e00
> [<ffffffff802afc11>] ? do_sync_read+0xf1/0x130
> [<ffffffff802505e0>] ? autoremove_wake_function+0x0/0x40
> [<ffffffff80323791>] ? security_file_permission+0x11/0x20
> [<ffffffff8049728f>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [<ffffffff8025c70a>] ? trace_hardirqs_on_caller+0xca/0x160
> [<ffffffff8049728f>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [<ffffffff8020b65b>] system_call_after_swapgs+0x7b/0x80
>
>
> Code: 49 8b 43 08 0f 18 08 49 8d 43 08 48 3d c0 a5 5d 80 0f 85 47 fe ff ff 48 c7 c0 fe ff ff ff eb 20 48 8b 45 b0 48 8b 95 e8 fe ff ff <48> 89 02 48
> RIP  [<ffffffff80264230>] find_symbol+0x230/0x260
> RSP <ffff81005cbddc68>
> CR2: 0000000000000000
> ---[ end trace 81cec6311b0e1cee ]---

I guess this got in through Rusty's tree, right?

Does the patch below fix it please?



From: Jiri Kosina <jkosina@...e.cz>
Subject: [PATCH] module: fix NULL pointer dereference in find_symbol()

The patch that introduces each_symbol() iterator forgets to
test the NULL value of the output parameters (which the original
code did).

This patch restores the correct checks.

Signed-off-by: Jiri Kosina <jkosina@...e.cz>
---
  kernel/module.c |    6 ++++--
  1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index 880409f..a3354ca 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -304,8 +304,10 @@ static unsigned long find_symbol(const char *name,
  	fsa.warn = warn;

  	if (each_symbol(find_symbol_in_section, &fsa)) {
-		*owner = fsa.owner;
-		*crc = fsa.crc;
+		if (owner)
+			*owner = fsa.owner;
+		if (crc)
+			*crc = fsa.crc;
  		return fsa.value;
  	}

-- 
Jiri Kosina
SUSE Labs

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ