| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Nov 2014 07:58:41 +0000
From: ¹Ú¼öÇö <suhyun.park@...lab.com>
To: Toshiaki Makita <makita.toshiaki@....ntt.co.jp>,
Stephen Hemminger <stephen@...workplumber.org>,
"David S. Miller" <davem@...emloft.net>
CC: "bridge@...ts.linux-foundation.org"
<bridge@...ts.linux-foundation.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] bridge: missing null bridge device check causing null
pointer dereference (bugfix)
>-----Original Message-----
>From: Toshiaki Makita [mailto:makita.toshiaki@....ntt.co.jp]
>Sent: Thursday, November 06, 2014 4:07 PM
>To: ¹Ú¼öÇö; Stephen Hemminger; David S. Miller
>Cc: bridge@...ts.linux-foundation.org; netdev@...r.kernel.org; linux-
>kernel@...r.kernel.org
>Subject: Re: [PATCH] bridge: missing null bridge device check causing null
>pointer dereference (bugfix)
>
>On 2014/11/06 15:26, Su-Hyun Park wrote:
>> the bridge device can be null if the bridge is being deleted while
>> processing the packet, which causes the null pointer dereference in
>switch statement.
>
>How can this happen??
>It is guarded by rcu.
>netdev_rx_handler_unregister() ensures rx_handler_data is non NULL.
>
The RCU protect rx_handler_data, not the bridge member port. It can be NULL according to below code.
static inline struct net_bridge_port *br_port_get_rcu(const struct net_device *dev) {
struct net_bridge_port *port = rcu_dereference(dev->rx_handler_data);
return br_port_exists(dev) ? port : NULL;
}
The crash happens at the below switch statement in br_handle_frame, where p is NULL.
switch (p->state)
>>
>> crash dump snippet:
>>
>> <1>BUG: unable to handle kernel NULL pointer dereference at
>> 0000000000000021
>> <1>IP: [<ffffffff814179f6>] br_handle_frame+0xe6/0x270
>>
>> <0>Code: 4c 0f 44 f0 89 f8 66 33 15 32 52 24 00 66 33 05 29 52 24 00
>> 09 c2 89
>> f0 66 33 05 22 52 24 00 80 e4 f0 66 09 c2 0f 84 eb 00 00 00 <41> 0f b6
>> 46 21 3c 02 74 61 3c 03 74 1d 48 89 df e8 d5 bc f0 ff
>> ---
>> net/bridge/br_input.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index
>> 6fd5522..7e899ca 100644
>> --- a/net/bridge/br_input.c
>> +++ b/net/bridge/br_input.c
>> @@ -176,6 +176,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff
>**pskb)
>> return RX_HANDLER_CONSUMED;
>>
>> p = br_port_get_rcu(skb->dev);
>> + if (!p)
>> + goto drop;
>>
>> if (unlikely(is_link_local_ether_addr(dest))) {
>> u16 fwd_mask = p->br->group_fwd_mask_required;
>>
>
Powered by blists - more mailing lists