lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iJyLWy6WEa_1p+jKpGBfq=h=TX=_7p_-_i4j6mHcMXbgA@mail.gmail.com>
Date:   Mon, 30 Oct 2023 09:59:54 +0100
From:   Eric Dumazet <edumazet@...gle.com>
To:     Bragatheswaran Manickavel <bragathemanick0908@...il.com>
Cc:     davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
        dccp@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        syzbot+c71bc336c5061153b502@...kaller.appspotmail.com
Subject: Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet

On Sat, Oct 28, 2023 at 4:41 PM Bragatheswaran Manickavel
<bragathemanick0908@...il.com> wrote:
>
> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
> leading to a NULL pointer dereference
>
> Below mentioned commit has similarly changes
> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
>
> Reported-by: syzbot+c71bc336c5061153b502@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
> Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@...il.com>
> ---
>  net/dccp/ccid.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
> index 105f3734dadb..1015dc2b9392 100644
> --- a/net/dccp/ccid.h
> +++ b/net/dccp/ccid.h
> @@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const int return_code)
>  static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct sock *sk,
>                                          struct sk_buff *skb)
>  {
> -       if (ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
> +       if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
>                 return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb);
>         return CCID_PACKET_SEND_AT_ONCE;
>  }
> --
> 2.34.1
>

If you are willing to fix dccp, I would make sure that some of
lockless accesses to dccps_hc_tx_ccid
are also double checked and fixed.

do_dccp_getsockopt() and dccp_get_info()

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ