lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bf358fc5-c0e1-070f-b073-1675e3d13fd8@gmail.com>
Date:   Sat, 12 Oct 2019 03:49:49 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     David Howells <dhowells@...hat.com>, netdev@...r.kernel.org
Cc:     linux-afs@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] rxrpc: Fix possible NULL pointer access in ICMP
 handling



On 10/10/19 7:52 AM, David Howells wrote:
> If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
> the UDP socket is being shut down, rxrpc_error_report() may get called to
> deal with it after sk_user_data on the UDP socket has been cleared, leading
> to a NULL pointer access when this local endpoint record gets accessed.
> 
> Fix this by just returning immediately if sk_user_data was NULL.
> 
> The oops looks like the following:
> 
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> ...
> RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
> ...
> Call Trace:
>  ? sock_queue_err_skb+0xbd/0xde
>  ? __udp4_lib_err+0x313/0x34d
>  __udp4_lib_err+0x313/0x34d
>  icmp_unreach+0x1ee/0x207
>  icmp_rcv+0x25b/0x28f
>  ip_protocol_deliver_rcu+0x95/0x10e
>  ip_local_deliver+0xe9/0x148
>  __netif_receive_skb_one_core+0x52/0x6e
>  process_backlog+0xdc/0x177
>  net_rx_action+0xf9/0x270
>  __do_softirq+0x1b6/0x39a
>  ? smpboot_register_percpu_thread+0xce/0xce
>  run_ksoftirqd+0x1d/0x42
>  smpboot_thread_fn+0x19e/0x1b3
>  kthread+0xf1/0xf6
>  ? kthread_delayed_work_timer_fn+0x83/0x83
>  ret_from_fork+0x24/0x30
> 
> Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
> Reported-by: syzbot+611164843bd48cc2190c@...kaller.appspotmail.com
> Signed-off-by: David Howells <dhowells@...hat.com>
> ---
> 
>  net/rxrpc/peer_event.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
> index c97ebdc043e4..61451281d74a 100644
> --- a/net/rxrpc/peer_event.c
> +++ b/net/rxrpc/peer_event.c
> @@ -151,6 +151,9 @@ void rxrpc_error_report(struct sock *sk)
>  	struct rxrpc_peer *peer;
>  	struct sk_buff *skb;
>  
> +	if (unlikely(!local))
> +		return;
> +
>  	_enter("%p{%d}", sk, local->debug_id);
>  
>  	/* Clear the outstanding error value on the socket so that it doesn't
> 

Okay, but we also need this.

diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index c97ebdc043e44525eaecdd54bc447c1895bdca74..38db10e61f7a5cb50f9ee036b5e16ec284e723ac 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -145,9 +145,9 @@ static void rxrpc_adjust_mtu(struct rxrpc_peer *peer, struct sock_exterr_skb *se
  */
 void rxrpc_error_report(struct sock *sk)
 {
+       struct rxrpc_local *local = rcu_dereference_sk_user_data(sk);
        struct sock_exterr_skb *serr;
        struct sockaddr_rxrpc srx;
-       struct rxrpc_local *local = sk->sk_user_data;
        struct rxrpc_peer *peer;
        struct sk_buff *skb;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ