Date:   Thu, 25 Apr 2019 16:13:58 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     syzbot <syzbot+45474c076a4927533d2e@...kaller.appspotmail.com>,
        Ben Hutchings <ben@...adent.org.uk>
Cc:     David Miller <davem@...emloft.net>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jslaby@...e.com>,
        Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
        Michal Hocko <mhocko@...e.com>,
        Netdev <netdev@...r.kernel.org>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        peter@...leysoftware.com,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        vegard.nossum@...il.com
Subject: Re: BUG: unable to handle page fault for address = ADDR

On Thu, Apr 25, 2019 at 3:16 PM syzbot
<syzbot+45474c076a4927533d2e@...kaller.appspotmail.com> wrote:
>
> The bug was bisected to:
>
> commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20
> Author: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> Date:   Wed Apr 25 11:12:31 2018 +0000
>
>      tty: Use __GFP_NOFAIL for tty_ldisc_get()

I think this just makes slhc_init() fail more easily, but the bug was
pre-existing.

The *real* source of the bug seems to be

    4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters
completely")

from back in 2015.

We have (in drivers/net/slip/slip.c: sl_alloc_bufs())

        slcomp = slhc_init(16, 16);
        if (IS_ERR(slcomp))
                goto err_exit;
....
err_exit:
#ifdef SL_INCLUDE_CSLIP
        kfree(cbuff);
        slhc_free(slcomp);
#endif

so we do "slhc_free()" on an error pointer, which results in

    BUG: unable to handle page fault for address = fffffffffffffff4

and the fix might be something like the appended whitespace-damaged
trivial one-liner: just make slhc_free() silently ignore an error
pointer, to match the slhc_init() return behavior.

Ben? David?

                       Linus

diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index f4e93f5fc204..ea90db3c7705 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
 void
 slhc_free(struct slcompress *comp)
 {
-       if ( comp == NULLSLCOMPR )
+       if ( IS_ERR_OR_NULL(comp) )
                return;

        if ( comp->tstate != NULLSLSTATE )
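Review bot: The new IS_ERR_OR_NULL(comp) guard needs <linux/err.h>; the hunk does not show the include, and since slhc_init() in this same file already returns error pointers (the slip.c caller tests it with IS_ERR()), it is very likely present, but worth confirming in the full file before this is applied. The NULLSLCOMPR spelling on the removed line is dropped rather than kept alongside the new check, which is fine since IS_ERR_OR_NULL already covers NULL; a one-line comment above the guard saying that slhc_init() can hand back an ERR_PTR that callers' error paths feed straight into slhc_free() would stop someone later "simplifying" it back to a plain NULL test. The spacing in `if ( IS_ERR_OR_NULL(comp) )` matches the file's existing style, so no change needed for a minimal fix.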

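Added example, not code from the message or from the kernel tree: a userspace model of the kernel's ERR_PTR()/IS_ERR()/IS_ERR_OR_NULL() convention, a slhc_init()-like function that reports failure with an error pointer rather than NULL, and slhc_free() as it behaves after the one-liner above. The struct layout, the slot bounds and the model_ names are assumptions; with tstate as the first member, the address the unfixed free would read for ERR_PTR(-ENOMEM) is 0xfffffffffffffff4 on 64-bit, the address in the report.

```c
/* Added example, not kernel code: models ERR_PTR handling around slhc_free(). */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_ERRNO 4095 /* kernel convention: error pointers live in the top 4095 addresses */

static inline void *ERR_PTR(long err) { return (void *)err; }
static inline bool IS_ERR(const void *p)
{
    return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

/* Model of struct slcompress (assumption: tstate is the first member). */
struct slcompress { int *tstate; int *rstate; };

/* Model of slhc_init(): never returns NULL, only a valid pointer or an ERR_PTR. */
struct slcompress *model_slhc_init(int rslots, int tslots)
{
    if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
        return ERR_PTR(-EINVAL);
    struct slcompress *comp = calloc(1, sizeof *comp);
    if (!comp)
        return ERR_PTR(-ENOMEM);
    comp->tstate = calloc((size_t)tslots + 1, sizeof *comp->tstate);
    comp->rstate = calloc((size_t)rslots + 1, sizeof *comp->rstate);
    if (!comp->tstate || !comp->rstate) {
        free(comp->tstate); free(comp->rstate); free(comp);
        return ERR_PTR(-ENOMEM);
    }
    return comp;
}

/* Address the pre-fix slhc_free() touches when it reads comp->tstate from an ERR_PTR:
 * for -ENOMEM that is 0xfffffffffffffff4 on 64-bit, i.e. the page fault in the report. */
unsigned long would_fault_at(const struct slcompress *comp)
{
    return (unsigned long)comp + offsetof(struct slcompress, tstate);
}

/* slhc_free() after the fix: NULL and error pointers are both ignored.
 * Returns 1 when something was freed, 0 when the pointer was ignored. */
int model_slhc_free(struct slcompress *comp)
{
    if (IS_ERR_OR_NULL(comp))
        return 0;
    free(comp->tstate);
    free(comp->rstate);
    free(comp);
    return 1;
}
```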