| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 Dec 2020 11:19:46 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Alakesh Haloi <alakesh.haloi@...il.com>
Cc: linux-kernel@...r.kernel.org,
Christian Brauner <christian.brauner@...ntu.com>,
Oleg Nesterov <oleg@...hat.com>,
Kees Cook <keescook@...omium.org>,
Sargun Dhillon <sargun@...gun.me>,
Minchan Kim <minchan@...nel.org>,
Bernd Edlinger <bernd.edlinger@...mail.de>
Subject: Re: [PATCH] pid: add null pointer check in pid_nr_ns()
Alakesh Haloi <alakesh.haloi@...il.com> writes:
> There has been at least one occurrence where a null pointer derefernce
> panic was seen with following stack trace.
>
> #0 [ffffff800bcd3800] machine_kexec at ffffff8008095fb4
> #1 [ffffff800bcd3860] __crash_kexec at ffffff8008122a30
> #2 [ffffff800bcd39f0] panic at ffffff80080aa054
> #3 [ffffff800bcd3ae0] die at ffffff800808aee8
> #4 [ffffff800bcd3b20] die_kernel_fault at ffffff8008099520
> #5 [ffffff800bcd3b50] __do_kernel_fault at ffffff8008098e50
> #6 [ffffff800bcd3b80] do_translation_fault at ffffff800809929c
> #7 [ffffff800bcd3b90] do_mem_abort at ffffff8008081204
> #8 [ffffff800bcd3d90] el1_ia at ffffff800808304c
> PC: ffffff80080c20ec [pid_nr_ns+4]
> LR: ffffff80080c231c [__task_pid_nr_ns+72]
> SP: ffffff800bcd3da0 PSTATE: 60000005
> X29: ffffff800bcd3da0 X28: ffffffc00691c380 X27: 0000000000000001
> X26: 00000000004ce8e8 X25: 00000000004ce8d0 X24: ffffffc00691c3e0
> X23: ffffffc004e8c000 X22: 0000000000000000 X21: ffffffc00b042ed2
> X20: ffffff800876a4f0 X19: 0000000000000000 X18: 0000000000000000
> X17: 0000000000000001 X16: 0000000000000000 X15: 0000000000000000
> X14: 0000000400000003 X13: 0000000000000008 X12: fefefefefefefeff
> X11: 0000000000000000 X10: 0000007fffffffff X9: 00000000004ce8b0
> X8: 00000000004ce8b0 X7: 0000000000000000 X6: ffffffc00b042ed2
> X5: ffffffc00b042ed2 X4: 0000000000020008 X3: 53206e69616c702f
> X2: ffffff800876a4f0 X1: ffffff800876a4f0 X0: 53206e69616c702f
> #9 [ffffff800bcd3da0] pid_nr_ns at ffffff80080c20e8
I just skimmed through the callers of pid_nr_ns and now I am very
puzzled. I don't see any of them where the namespace can be passed as
NULL.
So I really suspect you have a larger but somewhere in the caller of
pid_nr_ns. Perhaps the memory was stomped and you were lucky it was
NULL.
Without some more details I really don't think testing for a NULL
namespace is useful or productive. At best it will mask bugs in the
callers
Eric
> Signed-off-by: Alakesh Haloi <alakesh.haloi@...il.com>
> Cc: stable@...r.kernel.org
> ---
> kernel/pid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/pid.c b/kernel/pid.c
> index a96bc4bf4f86..3767b9e1431d 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -474,7 +474,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
> struct upid *upid;
> pid_t nr = 0;
>
> - if (pid && ns->level <= pid->level) {
> + if (pid && ns && ns->level <= pid->level) {
> upid = &pid->numbers[ns->level];
> if (upid->ns == ns)
> nr = upid->nr;
Powered by blists - more mailing lists