lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <875z5kceh9.fsf@x220.int.ebiederm.org>
Date:   Wed, 02 Dec 2020 11:19:46 -0600
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     Alakesh Haloi <alakesh.haloi@...il.com>
Cc:     linux-kernel@...r.kernel.org,
        Christian Brauner <christian.brauner@...ntu.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Kees Cook <keescook@...omium.org>,
        Sargun Dhillon <sargun@...gun.me>,
        Minchan Kim <minchan@...nel.org>,
        Bernd Edlinger <bernd.edlinger@...mail.de>
Subject: Re: [PATCH] pid: add null pointer check in pid_nr_ns()

Alakesh Haloi <alakesh.haloi@...il.com> writes:

> There has been at least one occurrence where a null pointer derefernce
> panic was seen with following stack trace.
>
>  #0 [ffffff800bcd3800] machine_kexec at ffffff8008095fb4
>  #1 [ffffff800bcd3860] __crash_kexec at ffffff8008122a30
>  #2 [ffffff800bcd39f0] panic at ffffff80080aa054
>  #3 [ffffff800bcd3ae0] die at ffffff800808aee8
>  #4 [ffffff800bcd3b20] die_kernel_fault at ffffff8008099520
>  #5 [ffffff800bcd3b50] __do_kernel_fault at ffffff8008098e50
>  #6 [ffffff800bcd3b80] do_translation_fault at ffffff800809929c
>  #7 [ffffff800bcd3b90] do_mem_abort at ffffff8008081204
>  #8 [ffffff800bcd3d90] el1_ia at ffffff800808304c
>      PC: ffffff80080c20ec  [pid_nr_ns+4]
>      LR: ffffff80080c231c  [__task_pid_nr_ns+72]
>      SP: ffffff800bcd3da0  PSTATE: 60000005
>     X29: ffffff800bcd3da0  X28: ffffffc00691c380  X27: 0000000000000001
>     X26: 00000000004ce8e8  X25: 00000000004ce8d0  X24: ffffffc00691c3e0
>     X23: ffffffc004e8c000  X22: 0000000000000000  X21: ffffffc00b042ed2
>     X20: ffffff800876a4f0  X19: 0000000000000000  X18: 0000000000000000
>     X17: 0000000000000001  X16: 0000000000000000  X15: 0000000000000000
>     X14: 0000000400000003  X13: 0000000000000008  X12: fefefefefefefeff
>     X11: 0000000000000000  X10: 0000007fffffffff   X9: 00000000004ce8b0
>      X8: 00000000004ce8b0   X7: 0000000000000000   X6: ffffffc00b042ed2
>      X5: ffffffc00b042ed2   X4: 0000000000020008   X3: 53206e69616c702f
>      X2: ffffff800876a4f0   X1: ffffff800876a4f0   X0: 53206e69616c702f
>  #9 [ffffff800bcd3da0] pid_nr_ns at ffffff80080c20e8

I just skimmed through the callers of pid_nr_ns and now I am very
puzzled. I don't see any of them where the namespace can be passed as
NULL.

So I really suspect you have a larger but somewhere in the caller of
pid_nr_ns.  Perhaps the memory was stomped and you were lucky it was
NULL.

Without some more details I really don't think testing for a NULL
namespace is useful or productive.  At best it will mask bugs in the
callers

Eric

> Signed-off-by: Alakesh Haloi <alakesh.haloi@...il.com>
> Cc: stable@...r.kernel.org
> ---
>  kernel/pid.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/pid.c b/kernel/pid.c
> index a96bc4bf4f86..3767b9e1431d 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -474,7 +474,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
>  	struct upid *upid;
>  	pid_t nr = 0;
>  
> -	if (pid && ns->level <= pid->level) {
> +	if (pid && ns && ns->level <= pid->level) {
>  		upid = &pid->numbers[ns->level];
>  		if (upid->ns == ns)
>  			nr = upid->nr;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ