lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Sat, 2 Oct 2021 15:52:52 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     Dongliang Mu <mudongliangabcd@...il.com>,
        Boris Pismenny <borisp@...dia.com>,
        John Fastabend <john.fastabend@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Dan Carpenter <dan.carpenter@...cle.com>
Cc:     netdev@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: Any idea to fix the recursive call in tls_setsockopt?

On 10/2/21 11:38, Dongliang Mu wrote:

[ +CC netdev, LKML ]

> BUG: stack guard page was hit at ffffc90000b87ff8 (stack is
> ffffc90000b88000..ffffc90000b8bfff)
> kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
> RIP: 0010:tls_setsockopt+0xe/0x650 net/tls/tls_main.c:617
> Call Trace:
>   tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
> ......
>   tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
>   tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
>   __sys_setsockopt+0x1b0/0x360 net/socket.c:2176
>   __do_sys_setsockopt net/socket.c:2187 [inline]
>   __se_sys_setsockopt net/socket.c:2184 [inline]
>   __x64_sys_setsockopt+0x22/0x30 net/socket.c:2184
>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>   entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> My local syzkaller instance finds this bug, however, I am not sure how
> to fix it. So I post the bug report here to seek help. The
> implementation of tls_setsockopt is as follows:
> 
> static int tls_setsockopt(struct sock *sk, int level, int optname,
>                            sockptr_t optval, unsigned int optlen)
> {
>          struct tls_context *ctx = tls_get_ctx(sk);
> 
>          if (level != SOL_TLS)
>                  return ctx->sk_proto->setsockopt(sk, level, optname, optval,
>                                                   optlen);
> 
>          return do_tls_setsockopt(sk, optname, optval, optlen);
> }
> 
> Since I am not familiar with this part code, the fix in my mind is to
> do a sanity check on "ctx->sk_proto->setsockopt" and make sure it is
> not tls_setsockopt.
> 
> Any comment here?
> 
> --
> My best regards to you.
> 
>       No System Is Safe!
>       Dongliang Mu
> 


With regards,
Pavel Skripkin

Powered by blists - more mailing lists