| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <MEYP282MB23129373641D74DE831E07E9C6342@MEYP282MB2312.AUSP282.PROD.OUTLOOK.COM> Date: Sun, 1 Dec 2024 09:42:08 +0800 From: Levi Zim <rsworktech@...look.com> To: John Fastabend <john.fastabend@...il.com>, Jakub Sitnicki <jakub@...udflare.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, David Ahern <dsahern@...nel.org> Cc: netdev@...r.kernel.org, bpf@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH net 0/2] Fix NPE discovered by running bpf kselftest On 2024-11-30 21:38, Levi Zim via B4 Relay wrote: > I found that bpf kselftest sockhash::test_txmsg_cork_hangs in > test_sockmap.c triggers a kernel NULL pointer dereference: > > BUG: kernel NULL pointer dereference, address: 0000000000000008 > ? __die_body+0x6e/0xb0 > ? __die+0x8b/0xa0 > ? page_fault_oops+0x358/0x3c0 > ? local_clock+0x19/0x30 > ? lock_release+0x11b/0x440 > ? kernelmode_fixup_or_oops+0x54/0x60 > ? __bad_area_nosemaphore+0x4f/0x210 > ? mmap_read_unlock+0x13/0x30 > ? bad_area_nosemaphore+0x16/0x20 > ? do_user_addr_fault+0x6fd/0x740 > ? prb_read_valid+0x1d/0x30 > ? exc_page_fault+0x55/0xd0 > ? asm_exc_page_fault+0x2b/0x30 > ? splice_to_socket+0x52e/0x630 > ? shmem_file_splice_read+0x2b1/0x310 > direct_splice_actor+0x47/0x70 > splice_direct_to_actor+0x133/0x300 > ? do_splice_direct+0x90/0x90 > do_splice_direct+0x64/0x90 > ? __ia32_sys_tee+0x30/0x30 > do_sendfile+0x214/0x300 > __se_sys_sendfile64+0x8e/0xb0 > __x64_sys_sendfile64+0x25/0x30 > x64_sys_call+0xb82/0x2840 > do_syscall_64+0x75/0x110 > entry_SYSCALL_64_after_hwframe+0x4b/0x53 > > This is caused by tcp_bpf_sendmsg() returning a larger value(12289) than > size(8192), which causes the while loop in splice_to_socket() to release > an uninitialized pipe buf. > > The underlying cause is that this code assumes sk_msg_memcopy_from_iter() > will copy all bytes upon success but it actually might only copy part of > it. I am not sure what Fixes tag I should put. Git blame leads me to a refactor commit and I am not familiar with this part of code base. Any suggestions? > > This series change sk_msg_memcopy_from_iter() to return copied bytes on > success and tcp_bpf_sendmsg() to use the real copied bytes instead of > assuming all bytes gets copied. > > Signed-off-by: Levi Zim <rsworktech@...look.com> > --- > Levi Zim (2): > skmsg: return copied bytes in sk_msg_memcopy_from_iter > tcp_bpf: fix copied value in tcp_bpf_sendmsg > > net/core/skmsg.c | 5 +++-- > net/ipv4/tcp_bpf.c | 8 ++++---- > 2 files changed, 7 insertions(+), 6 deletions(-) > --- > base-commit: f1cd565ce57760923d5e0fbd9e9914b415c0620a > change-id: 20241130-tcp-bpf-sendmsg-ff3c9d84e693 > > Best regards,
Powered by blists - more mailing lists