| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 Nov 2011 03:16:05 +0100 From: Eric Dumazet <eric.dumazet@...il.com> To: Dave Jones <davej@...hat.com> Cc: netdev@...r.kernel.org, Matthew Daley <mattjd@...il.com> Subject: Re: Fix NULL dereference in x25_recvmsg Le mardi 01 novembre 2011 à 21:53 -0400, Dave Jones a écrit : > commit cb101ed2 in 3.0 introduced a bug in x25_recvmsg() > When passed bogus junk from userspace, x25->neighbour can be NULL, > as shown in this oops.. > > BUG: unable to handle kernel NULL pointer dereference at 000000000000001c > IP: [<ffffffffa05482bd>] x25_recvmsg+0x4d/0x280 [x25] > PGD 1015f3067 PUD 105072067 PMD 0 > Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC > CPU 0 > Pid: 27928, comm: iknowthis Not tainted 3.1.0+ #2 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H > RIP: 0010:[<ffffffffa05482bd>] [<ffffffffa05482bd>] x25_recvmsg+0x4d/0x280 [x25] > RSP: 0018:ffff88010c0b7cc8 EFLAGS: 00010282 > RAX: 0000000000000000 RBX: ffff88010c0b7d78 RCX: 0000000000000c02 > RDX: ffff88010c0b7d78 RSI: ffff88011c93dc00 RDI: ffff880103f667b0 > RBP: ffff88010c0b7d18 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000000 R12: ffff880103f667b0 > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > FS: 00007f479ce7f700(0000) GS:ffff88012a600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b > CR2: 000000000000001c CR3: 000000010529e000 CR4: 00000000000006f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Process iknowthis (pid: 27928, threadinfo ffff88010c0b6000, task ffff880103faa4f0) > Stack: > 0000000000000c02 0000000000000c02 ffff88010c0b7d18 ffffff958153cb37 > ffffffff8153cb60 0000000000000c02 ffff88011c93dc00 0000000000000000 > 0000000000000c02 ffff88010c0b7e10 ffff88010c0b7de8 ffffffff815372c2 > Call Trace: > [<ffffffff8153cb60>] ? sock_update_classid+0xb0/0x180 > [<ffffffff815372c2>] sock_aio_read.part.10+0x142/0x150 > [<ffffffff812d6752>] ? inode_has_perm+0x62/0xa0 > [<ffffffff815372fd>] sock_aio_read+0x2d/0x40 > [<ffffffff811b05e2>] do_sync_read+0xd2/0x110 > [<ffffffff812d3796>] ? security_file_permission+0x96/0xb0 > [<ffffffff811b0a91>] ? rw_verify_area+0x61/0x100 > [<ffffffff811b103d>] vfs_read+0x16d/0x180 > [<ffffffff811b109d>] sys_read+0x4d/0x90 > [<ffffffff81657282>] system_call_fastpath+0x16/0x1b > Code: 8b 66 20 4c 8b 32 48 89 d3 48 89 4d b8 45 89 c7 c7 45 cc 95 ff ff ff 4d 85 e4 0f 84 ed 01 00 00 49 8b 84 24 18 05 00 00 4c 89 e7 > 78 1c 01 45 19 ed 31 f6 e8 d5 37 ff e0 41 0f b6 44 24 0e 41 > > Signed-off-by: Dave Jones <davej@...hat.com> > > diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c > index 5f03e4e..291b2e0 100644 > --- a/net/x25/af_x25.c > +++ b/net/x25/af_x25.c > @@ -1261,13 +1261,17 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock, > struct x25_sock *x25 = x25_sk(sk); > struct sockaddr_x25 *sx25 = (struct sockaddr_x25 *)msg->msg_name; > size_t copied; > - int qbit, header_len = x25->neighbour->extended ? > - X25_EXT_MIN_LEN : X25_STD_MIN_LEN; > - > + int qbit, header_len; > struct sk_buff *skb; > unsigned char *asmptr; > int rc = -ENOTCONN; > > + if (x25->neighbour == NULL) > + return rc; > + > + header_len = x25->neighbour->extended ? > + X25_EXT_MIN_LEN : X25_STD_MIN_LEN; > + > lock_sock(sk); BTW, you probably want to check x25->neighbour while sk is locked, not before. lock_sock(sk); if (x25->neighbour == NULL) goto out; header_len = x25->neighbour->extended ? X25_EXT_MIN_LEN : X25_STD_MIN_LEN; -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists