lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 31 May 2021 23:28:58 +0800
From:   Changbin Du <changbin.du@...il.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Changbin Du <changbin.du@...il.com>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] net: fix oops in socket ioctl cmd SIOCGSKNS when NET_NS
 is disabled

On Sat, May 29, 2021 at 11:27:35AM -0700, Jakub Kicinski wrote:
> On Sat, 29 May 2021 14:05:26 +0800 Changbin Du wrote:
> > When NET_NS is not enabled, socket ioctl cmd SIOCGSKNS should do nothing
> > but acknowledge userspace it is not supported. Otherwise, kernel would
> > panic wherever nsfs trys to access ns->ops since the proc_ns_operations
> > is not implemented in this case.
> > 
> > [7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010
> > [7.670268] pgd = 32b54000
> > [7.670544] [00000010] *pgd=00000000
> > [7.671861] Internal error: Oops: 5 [#1] SMP ARM
> > [7.672315] Modules linked in:
> > [7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16
> > [7.673309] Hardware name: Generic DT based system
> > [7.673642] PC is at nsfs_evict+0x24/0x30
> > [7.674486] LR is at clear_inode+0x20/0x9c
> > 
> > Signed-off-by: Changbin Du <changbin.du@...il.com>
> > Cc: <stable@...r.kernel.org> # v4.9
> 
> Please provide a Fixes tag.
>
Now it will be fixed by nsfs side. And the code has been changed to many times..

> > diff --git a/net/socket.c b/net/socket.c
> > index 27e3e7d53f8e..644b46112d35 100644
> > --- a/net/socket.c
> > +++ b/net/socket.c
> > @@ -1149,11 +1149,15 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
> >  			mutex_unlock(&vlan_ioctl_mutex);
> >  			break;
> >  		case SIOCGSKNS:
> > +#ifdef CONFIG_NET_NS
> >  			err = -EPERM;
> >  			if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> >  				break;
> >  
> >  			err = open_related_ns(&net->ns, get_net_ns);
> 
> There's a few more places with this exact code. Can we please add the
> check in get_net_ns? That should fix all callers.
> 
> > +#else
> > +			err = -ENOTSUPP;
> 
> EOPNOTSUPP, you shouldn't return ENOTSUPP to user space.
>
Thanks for pointing out. Will change it.

> > +#endif
> >  			break;
> >  		case SIOCGSTAMP_OLD:
> >  		case SIOCGSTAMPNS_OLD:
> 

-- 
Cheers,
Changbin Du

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ