lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z0+qA4Lym/TWOoSh@pop-os.localdomain>
Date: Tue, 3 Dec 2024 17:01:55 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Levi Zim <rsworktech@...look.com>
Cc: John Fastabend <john.fastabend@...il.com>,
	Jakub Sitnicki <jakub@...udflare.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>, David Ahern <dsahern@...nel.org>,
	netdev@...r.kernel.org, bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net 0/2] Fix NPE discovered by running bpf kselftest

On Sun, Dec 01, 2024 at 09:42:08AM +0800, Levi Zim wrote:
> On 2024-11-30 21:38, Levi Zim via B4 Relay wrote:
> > I found that bpf kselftest sockhash::test_txmsg_cork_hangs in
> > test_sockmap.c triggers a kernel NULL pointer dereference:

Interesting, I also ran this test recently and I didn't see such a
crash.

> > 
> > BUG: kernel NULL pointer dereference, address: 0000000000000008
> >   ? __die_body+0x6e/0xb0
> >   ? __die+0x8b/0xa0
> >   ? page_fault_oops+0x358/0x3c0
> >   ? local_clock+0x19/0x30
> >   ? lock_release+0x11b/0x440
> >   ? kernelmode_fixup_or_oops+0x54/0x60
> >   ? __bad_area_nosemaphore+0x4f/0x210
> >   ? mmap_read_unlock+0x13/0x30
> >   ? bad_area_nosemaphore+0x16/0x20
> >   ? do_user_addr_fault+0x6fd/0x740
> >   ? prb_read_valid+0x1d/0x30
> >   ? exc_page_fault+0x55/0xd0
> >   ? asm_exc_page_fault+0x2b/0x30
> >   ? splice_to_socket+0x52e/0x630
> >   ? shmem_file_splice_read+0x2b1/0x310
> >   direct_splice_actor+0x47/0x70
> >   splice_direct_to_actor+0x133/0x300
> >   ? do_splice_direct+0x90/0x90
> >   do_splice_direct+0x64/0x90
> >   ? __ia32_sys_tee+0x30/0x30
> >   do_sendfile+0x214/0x300
> >   __se_sys_sendfile64+0x8e/0xb0
> >   __x64_sys_sendfile64+0x25/0x30
> >   x64_sys_call+0xb82/0x2840
> >   do_syscall_64+0x75/0x110
> >   entry_SYSCALL_64_after_hwframe+0x4b/0x53
> > 
> > This is caused by tcp_bpf_sendmsg() returning a larger value(12289) than
> > size(8192), which causes the while loop in splice_to_socket() to release
> > an uninitialized pipe buf.
> > 
> > The underlying cause is that this code assumes sk_msg_memcopy_from_iter()
> > will copy all bytes upon success but it actually might only copy part of
> > it.
> I am not sure what Fixes tag I should put. Git blame leads me to a refactor
> commit
> and I am not familiar with this part of code base. Any suggestions?

I think it is the following commit which introduced memcopy_from_iter()
(which was renamed to sk_msg_memcopy_from_iter() later):

commit 4f738adba30a7cfc006f605707e7aee847ffefa0
Author: John Fastabend <john.fastabend@...il.com>
Date:   Sun Mar 18 12:57:10 2018 -0700

    bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data

Please double check.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ