| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201204183247.GA24887@ip-172-31-62-0.us-west-2.compute.internal>
Date: Fri, 4 Dec 2020 10:32:47 -0800
From: Alakesh Haloi <alakesh.haloi@...il.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: linux-kernel@...r.kernel.org,
Christian Brauner <christian.brauner@...ntu.com>,
Oleg Nesterov <oleg@...hat.com>,
Kees Cook <keescook@...omium.org>,
Sargun Dhillon <sargun@...gun.me>,
Minchan Kim <minchan@...nel.org>,
Bernd Edlinger <bernd.edlinger@...mail.de>
Subject: Re: [PATCH] pid: add null pointer check in pid_nr_ns()
On Wed, Dec 02, 2020 at 11:19:46AM -0600, Eric W. Biederman wrote:
> Alakesh Haloi <alakesh.haloi@...il.com> writes:
>
> > There has been at least one occurrence where a null pointer derefernce
> > panic was seen with following stack trace.
> >
> > #0 [ffffff800bcd3800] machine_kexec at ffffff8008095fb4
> > #1 [ffffff800bcd3860] __crash_kexec at ffffff8008122a30
> > #2 [ffffff800bcd39f0] panic at ffffff80080aa054
> > #3 [ffffff800bcd3ae0] die at ffffff800808aee8
> > #4 [ffffff800bcd3b20] die_kernel_fault at ffffff8008099520
> > #5 [ffffff800bcd3b50] __do_kernel_fault at ffffff8008098e50
> > #6 [ffffff800bcd3b80] do_translation_fault at ffffff800809929c
> > #7 [ffffff800bcd3b90] do_mem_abort at ffffff8008081204
> > #8 [ffffff800bcd3d90] el1_ia at ffffff800808304c
> > PC: ffffff80080c20ec [pid_nr_ns+4]
> > LR: ffffff80080c231c [__task_pid_nr_ns+72]
> > SP: ffffff800bcd3da0 PSTATE: 60000005
> > X29: ffffff800bcd3da0 X28: ffffffc00691c380 X27: 0000000000000001
> > X26: 00000000004ce8e8 X25: 00000000004ce8d0 X24: ffffffc00691c3e0
> > X23: ffffffc004e8c000 X22: 0000000000000000 X21: ffffffc00b042ed2
> > X20: ffffff800876a4f0 X19: 0000000000000000 X18: 0000000000000000
> > X17: 0000000000000001 X16: 0000000000000000 X15: 0000000000000000
> > X14: 0000000400000003 X13: 0000000000000008 X12: fefefefefefefeff
> > X11: 0000000000000000 X10: 0000007fffffffff X9: 00000000004ce8b0
> > X8: 00000000004ce8b0 X7: 0000000000000000 X6: ffffffc00b042ed2
> > X5: ffffffc00b042ed2 X4: 0000000000020008 X3: 53206e69616c702f
> > X2: ffffff800876a4f0 X1: ffffff800876a4f0 X0: 53206e69616c702f
> > #9 [ffffff800bcd3da0] pid_nr_ns at ffffff80080c20e8
>
> I just skimmed through the callers of pid_nr_ns and now I am very
> puzzled. I don't see any of them where the namespace can be passed as
> NULL.
>
> So I really suspect you have a larger but somewhere in the caller of
> pid_nr_ns. Perhaps the memory was stomped and you were lucky it was
> NULL.
>
> Without some more details I really don't think testing for a NULL
> namespace is useful or productive. At best it will mask bugs in the
> callers
>
> Eric
>
Thanks Eric for your time. I do not have any evidence of memory
corruption yet, but I agree with your concerns about not needing a null
check here.
--Alakesh
> > Signed-off-by: Alakesh Haloi <alakesh.haloi@...il.com>
> > Cc: stable@...r.kernel.org
> > ---
> > kernel/pid.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kernel/pid.c b/kernel/pid.c
> > index a96bc4bf4f86..3767b9e1431d 100644
> > --- a/kernel/pid.c
> > +++ b/kernel/pid.c
> > @@ -474,7 +474,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
> > struct upid *upid;
> > pid_t nr = 0;
> >
> > - if (pid && ns->level <= pid->level) {
> > + if (pid && ns && ns->level <= pid->level) {
> > upid = &pid->numbers[ns->level];
> > if (upid->ns == ns)
> > nr = upid->nr;
Powered by blists - more mailing lists