| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Oct 2020 15:37:48 +0900
From: Masahiro Fujiwara <fujiwara.masahiro@...il.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Pablo Neira Ayuso <pablo@...filter.org>,
Harald Welte <laforge@...monks.org>,
"David S. Miller" <davem@...emloft.net>,
Andreas Schultz <aschultz@...p.net>,
osmocom-net-gprs@...ts.osmocom.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] gtp: fix an use-before-init in gtp_newlink()
Hi,
Thanks for the review. Will send a new patch with the fixes soon.
----
Fujiwara
On Mon, Oct 26, 2020 at 6:05 AM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Sat, 24 Oct 2020 15:42:33 +0000 Masahiro Fujiwara wrote:
> > *_pdp_find() from gtp_encap_recv() would trigger a crash when a peer
> > sends GTP packets while creating new GTP device.
> >
> > RIP: 0010:gtp1_pdp_find.isra.0+0x68/0x90 [gtp]
> > <SNIP>
> > Call Trace:
> > <IRQ>
> > gtp_encap_recv+0xc2/0x2e0 [gtp]
> > ? gtp1_pdp_find.isra.0+0x90/0x90 [gtp]
> > udp_queue_rcv_one_skb+0x1fe/0x530
> > udp_queue_rcv_skb+0x40/0x1b0
> > udp_unicast_rcv_skb.isra.0+0x78/0x90
> > __udp4_lib_rcv+0x5af/0xc70
> > udp_rcv+0x1a/0x20
> > ip_protocol_deliver_rcu+0xc5/0x1b0
> > ip_local_deliver_finish+0x48/0x50
> > ip_local_deliver+0xe5/0xf0
> > ? ip_protocol_deliver_rcu+0x1b0/0x1b0
> >
> > gtp_encap_enable() should be called after gtp_hastable_new() otherwise
> > *_pdp_find() will access the uninitialized hash table.
>
> Looks good, minor nits:
>
> - is the time zone broken on your system? Looks like your email has
> arrived with the date far in the past, so the build systems have
> missed it. Could you double check the time on your system?
>
> > Fixes: 1e3a3abd8 ("gtp: make GTP sockets in gtp_newlink optional")
>
> The hash looks short, should be at lest 12 chars:
>
> Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
>
> > Signed-off-by: Masahiro Fujiwara <fujiwara.masahiro@...il.com>
>
> > diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
> > index 8e47d0112e5d..6c56337b02a3 100644
> > --- a/drivers/net/gtp.c
> > +++ b/drivers/net/gtp.c
> > @@ -663,10 +663,6 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
> >
> > gtp = netdev_priv(dev);
> >
> > - err = gtp_encap_enable(gtp, data);
> > - if (err < 0)
> > - return err;
> > -
> > if (!data[IFLA_GTP_PDP_HASHSIZE]) {
> > hashsize = 1024;
> > } else {
> > @@ -676,13 +672,18 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
> > }
> >
> > err = gtp_hashtable_new(gtp, hashsize);
> > + if (err < 0) {
> > + return err;
> > + }
>
> no need for braces around single statement
>
> > +
> > + err = gtp_encap_enable(gtp, data);
> > if (err < 0)
> > goto out_encap;
> >
> > err = register_netdevice(dev);
> > if (err < 0) {
> > netdev_dbg(dev, "failed to register new netdev %d\n", err);
> > - goto out_hashtable;
> > + goto out_encap;
> > }
> >
> > gn = net_generic(dev_net(dev), gtp_net_id);
> > @@ -693,11 +694,10 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
> >
> > return 0;
> >
> > -out_hashtable:
> > - kfree(gtp->addr_hash);
> > - kfree(gtp->tid_hash);
> > out_encap:
> > gtp_encap_disable(gtp);
>
> I'd personally move the out_hashtable: label here and keep it, just for
> clarity. Otherwise reader has to double check that gtp_encap_disable()
> can be safely called before gtp_encap_enable().
>
> Also gtp_encap_disable() could change in the future breaking this
> assumption.
>
> > + kfree(gtp->addr_hash);
> > + kfree(gtp->tid_hash);
> > return err;
> > }
> >
>
Powered by blists - more mailing lists