lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 12 Nov 2022 20:04:23 +0800
From:   Wang Hai <wanghai38@...wei.com>
To:     <davem@...emloft.net>, <edumazet@...gle.com>, <kuba@...nel.org>,
        <pabeni@...hat.com>, <cong.wang@...edance.com>,
        <f.fainelli@...il.com>, <tom@...bertland.com>
CC:     <linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>
Subject: [PATCH net] kcm: Fix kernel NULL pointer dereference in requeue_rx_msgs

In kcm_rcv_strparser(), the skb is queued to the kcm that is currently
being reserved, and if the queue is full, unreserve_rx_kcm() will be
called. At this point, if KCM_RECV_DISABLE is set, then unreserve_rx_kcm()
will requeue received messages for the current kcm socket to other kcm
sockets. The kcm sock lock is not held during this time, and as long as
someone calls kcm_recvmsg, it will concurrently unlink the same skb, which
ill result in a null pointer reference.

cpu0 			cpu1		        cpu2
kcm_rcv_strparser
 reserve_rx_kcm
                        kcm_setsockopt
                         kcm_recv_disable
                          kcm->rx_disabled = 1;
  kcm_queue_rcv_skb
  unreserve_rx_kcm
   requeue_rx_msgs                              kcm_recvmsg
    __skb_dequeue
     __skb_unlink(skb)				  skb_unlink(skb)
                                                  //double unlink skb

There is no need to re-queue the received msg to other kcm when unreserve
kcm. Remove it.

The following is the error log:

BUG: kernel NULL pointer dereference, address: 0000000000000008
...
RIP: 0010:skb_unlink+0x40/0x50
...
Call Trace:
 kcm_recvmsg+0x143/0x180
 ____sys_recvmsg+0x16a/0x180
 ___sys_recvmsg+0x80/0xc0
 do_recvmmsg+0xc2/0x2a0
 __sys_recvmmsg+0x10c/0x160
 __x64_sys_recvmmsg+0x25/0x40
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Signed-off-by: Wang Hai <wanghai38@...wei.com>
---
 net/kcm/kcmsock.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index a5004228111d..691d40364b8f 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -333,9 +333,8 @@ static void unreserve_rx_kcm(struct kcm_psock *psock,
 		return;
 	}
 
-	if (unlikely(kcm->rx_disabled)) {
-		requeue_rx_msgs(mux, &kcm->sk.sk_receive_queue);
-	} else if (rcv_ready || unlikely(!sk_rmem_alloc_get(&kcm->sk))) {
+	if (likely(!kcm->rx_disabled) &&
+	    (rcv_ready || unlikely(!sk_rmem_alloc_get(&kcm->sk)))) {
 		/* Check for degenerative race with rx_wait that all
 		 * data was dequeued (accounted for in kcm_rfree).
 		 */
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ