Message-ID: <20250114144932.7d2ba3c9@kernel.org>
Date: Tue, 14 Jan 2025 14:49:32 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Paul Fertser <fercerpav@...il.com>
Cc: Eddie James <eajames@...ux.ibm.com>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org, horms@...nel.org, pabeni@...hat.com,
 edumazet@...gle.com, davem@...emloft.net, sam@...dozajonas.com
Subject: Re: [PATCH] net/ncsi: Fix NULL pointer derefence if CIS arrives
 before SP

Hi Paul!

Any thoughts on this fix?

On Fri, 10 Jan 2025 13:41:33 -0600 Eddie James wrote:
> If a Clear Initial State response packet is received before the
> Select Package response, then the channel setup will dereference
> the NULL package pointer. Fix this by setting up the package
> in the CIS handler if it's not found.
> 
> [    9.289221] 8<--- cut here ---
> [    9.289244] Unable to handle kernel NULL pointer dereference at virtual address 00000018 when read
> [    9.289306] [00000018] *pgd=00000000
> [    9.289333] Internal error: Oops: 5 [#1] SMP ARM
> [    9.289367] CPU: 0 PID: 35 Comm: kworker/0:2 Not tainted 6.6.69-f1d562d-gf1d562dd8fa4 #1
> [    9.289423] Hardware name: Generic DT based system
> [    9.289457] Workqueue:  0x0 (events)
> [    9.289486] PC is at _raw_spin_lock_irqsave+0x10/0x4c
> [    9.289525] LR is at ncsi_add_channel+0xd0/0x174
> [    9.289561] pc : [<808d1018>]    lr : [<808907bc>]    psr: 40000193
> [    9.289605] sp : b4801e20  ip : 8695e000  fp : 80d6c2a8
> [    9.289642] r10: 80d6c2a8  r9 : 8136a4dc  r8 : 00000018
> [    9.289680] r7 : 00000000  r6 : 00000000  r5 : 8695dc00  r4 : 00000000
> [    9.289725] r3 : 00000005  r2 : 00000018  r1 : 8089202c  r0 : 40000113
> [    9.289770] Flags: nZcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
> [    9.289821] Control: 10c5387d  Table: 81adc06a  DAC: 00000051
> [    9.289861] Register r0 information: non-paged memory
> [    9.289898] Register r1 information: non-slab/vmalloc memory
> [    9.289939] Register r2 information: non-paged memory
> [    9.289976] Register r3 information: non-paged memory
> [    9.290012] Register r4 information: NULL pointer
> [    9.290046] Register r5 information: slab kmalloc-1k start 8695dc00 pointer offset 0 size 1024
> [    9.290111] Register r6 information: NULL pointer
> [    9.290145] Register r7 information: NULL pointer
> [    9.290180] Register r8 information: non-paged memory
> [    9.290216] Register r9 information: non-slab/vmalloc memory
> [    9.290257] Register r10 information: non-slab/vmalloc memory
> [    9.290298] Register r11 information: non-slab/vmalloc memory
> [    9.290339] Register r12 information: slab kmalloc-1k start 8695e000 pointer offset 0 size 1024
> [    9.290404] Process kworker/0:2 (pid: 35, stack limit = 0x401e97d3)
> [    9.290448] Stack: (0xb4801e20 to 0xb4802000)
> [    9.290482] 1e20: 00000000 81099810 81be7150 81368000 00000000 000024a8 81be7150 8088efc4
> [    9.290540] 1e40: 81be7150 00000000 00000000 8ae45185 00000000 00000000 81368000 8088f4fc
> [    9.290598] 1e60: 86337300 806fce18 81368018 0000008a 00000780 00000000 86662dc2 8ae45185
> [    9.290656] 1e80: 00000780 81365800 8088f3e4 0000002a b2c44000 b2c44090 81365800 86337300
> [    9.290714] 1ea0: 00000000 8071c4d8 00000002 86337300 8136c45c 8ae45185 80115aa0 86337300
> [    9.290772] 1ec0: 0000000a 8071c584 b2c44000 b2c44090 00005800 8ae45185 81365dd8 805be000
> [    9.290830] 1ee0: 00000000 805be060 00000040 81365d80 0000002a 00000000 00000036 00000001
> [    9.290888] 1f00: 00000040 81365dd8 b4801f53 ffff8ea7 80d03d00 00000000 81365dd8 8071d010
> [    9.290946] 1f20: 81365dd8 8071d010 49514f00 b3d96100 0000012c b3d962c0 b4801f58 8071d4a4
> [    9.291004] 1f40: b4801f60 81081980 80c4e100 33148000 00c4e100 33148000 b4801f58 b4801f58
> [    9.291062] 1f60: b4801f60 b4801f60 b4801f68 8ae45185 b3d929f0 00000004 00000008 80d0308c
> [    9.291120] 1f80: 81081980 00000100 40000003 0000000c 80d03080 801206d4 80c4c790 b480900c
> [    9.291178] 1fa0: 80d03080 b4801f98 80c493c8 0000000a 00000000 80c4d380 80c4d380 ffff8ea6
> [    9.291237] 1fc0: 80d03d00 04208060 80c4c790 8016c180 80d06094 81081980 80000013 ffffffff
> [    9.291295] 1fe0: b4935f44 61c88647 81081980 81081980 b4935f08 80120c84 80134f4c 808945b8
> [    9.291351]  _raw_spin_lock_irqsave from ncsi_add_channel+0xd0/0x174
> [    9.291402]  ncsi_add_channel from ncsi_rsp_handler_cis+0x98/0xb4
> [    9.291451]  ncsi_rsp_handler_cis from ncsi_rcv_rsp+0x118/0x2c4
> [    9.291498]  ncsi_rcv_rsp from __netif_receive_skb_one_core+0x58/0x7c
> [    9.291547]  __netif_receive_skb_one_core from netif_receive_skb+0x2c/0xc4
> [    9.291597]  netif_receive_skb from ftgmac100_poll+0x350/0x43c
> [    9.291642]  ftgmac100_poll from __napi_poll.constprop.0+0x2c/0x180
> [    9.291690]  __napi_poll.constprop.0 from net_rx_action+0x340/0x3c0
> [    9.291736]  net_rx_action from handle_softirqs+0xf4/0x25c
> [    9.291777]  handle_softirqs from irq_exit+0x80/0xb0
> [    9.291816]  irq_exit from call_with_stack+0x18/0x20
> [    9.291857]  call_with_stack from __irq_svc+0x98/0xb0
> [    9.291898] Exception stack(0xb4935f10 to 0xb4935f58)
> [    9.291935] 5f00:                                     00000007 00000006 80d03d00 00000769
> [    9.291993] 5f20: 85963e80 b3d953c0 80d03d00 b3d953e0 61c88647 85963eac 81081980 b3d953c0
> [    9.292050] 5f40: 00000004 b4935f60 80134f28 80134f4c 80000013 ffffffff
> [    9.292096]  __irq_svc from worker_thread+0x1fc/0x4e8
> [    9.292137]  worker_thread from kthread+0xe0/0xfc
> [    9.292176]  kthread from ret_from_fork+0x14/0x28
> [    9.292213] Exception stack(0xb4935fb0 to 0xb4935ff8)
> [    9.292250] 5fa0:                                     00000000 00000000 00000000 00000000
> [    9.292308] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [    9.292365] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> [    9.292413] Code: e1a02000 e10f0000 f10c0080 f592f000 (e1923f9f)
> [    9.292455] ---[ end trace 0000000000000000 ]---
> [    9.295147] Kernel panic - not syncing: Fatal exception in interrupt
> 
> Signed-off-by: Eddie James <eajames@...ux.ibm.com>
> ---
>  net/ncsi/ncsi-rsp.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
> index e28be33bdf2c4..59d0af7183acc 100644
> --- a/net/ncsi/ncsi-rsp.c
> +++ b/net/ncsi/ncsi-rsp.c
> @@ -100,6 +100,13 @@ static int ncsi_rsp_handler_cis(struct ncsi_request *nr)
>  		if (ndp->flags & NCSI_DEV_PROBED)
>  			return -ENXIO;
>  
> +		if (!np) {
> +			id = NCSI_PACKAGE_INDEX(rsp->rsp.common.channel);
> +			np = ncsi_add_package(ndp, id);
> +			if (!np)
> +				return -ENODEV;
> +		}
> +
>  		id = NCSI_CHANNEL_INDEX(rsp->rsp.common.channel);
>  		nc = ncsi_add_channel(np, id);
>  	}
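Review bot: the new `if (!np)` block silently manufactures a package the controller never reported selecting, which changes the probe state machine rather than only guarding the NULL dereference; consider whether a CIS response that arrives before the SP response should instead be treated like the already-probed case two lines above and rejected with -ENXIO, since a response arriving out of sequence during probing can also indicate a misbehaving or spoofed controller. If the implicit add is the intended behaviour, two smaller points: nothing in the visible hunk explains why a CIS can legitimately outrun SP, so a one-line comment above `if (!np) {` would help the next reader, and a NULL return from ncsi_add_package is most plausibly an allocation failure, in which case -ENOMEM describes it more accurately than -ENODEV.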


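The ordering bug the commit message describes (a Clear Initial State response handled while the package it belongs to has not been created yet) is easy to lose in the oops text. The following is an added userspace model written for this page, not the kernel's net/ncsi code: it keeps a flat package/channel table (names `model_dev`, `handle_sp`, `handle_cis`, `run_sequence` and the flat arrays are this example's own assumptions), decodes the NC-SI channel byte the same way the `NCSI_PACKAGE_INDEX`/`NCSI_CHANNEL_INDEX` macros in the hunk do, and replays the two response orderings against both the original behaviour and the patch's lookup-or-create. The NULL dereference that faulted inside the spin-lock acquisition in the trace is represented by an -EFAULT return instead of a crash so the model can run to completion.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* NC-SI channel ID byte: bits 7:5 are the package index, bits 4:0 the
 * internal channel index; this mirrors the kernel's NCSI_PACKAGE_INDEX()
 * and NCSI_CHANNEL_INDEX() macros used in the hunk. */
#define PKG_INDEX(c)  (((c) >> 5) & 0x7)
#define CHAN_INDEX(c) ((c) & 0x1f)
#define MAX_PKG  8
#define MAX_CHAN 32

/* Hypothetical flat bookkeeping standing in for the kernel's package and
 * channel lists (assumption: names and layout belong to this example). */
struct model_channel { int present; };
struct model_package { int present; struct model_channel ch[MAX_CHAN]; };
struct model_dev     { int probed; struct model_package pkg[MAX_PKG]; };

static struct model_package *find_package(struct model_dev *d, unsigned char cb)
{
	struct model_package *np = &d->pkg[PKG_INDEX(cb)];
	return np->present ? np : NULL;
}

static struct model_package *add_package(struct model_dev *d, int id)
{
	d->pkg[id].present = 1;
	return &d->pkg[id];
}

/* Stands in for ncsi_add_channel(), which took a lock through the package
 * pointer in the trace above; a NULL package here returns -EFAULT instead
 * of faulting. */
static int add_channel(struct model_package *np, int id)
{
	if (!np)
		return -EFAULT;
	np->ch[id].present = 1;
	return 0;
}

/* Select Package response: the package becomes known to the host. */
int handle_sp(struct model_dev *d, unsigned char cb)
{
	if (!find_package(d, cb))
		add_package(d, PKG_INDEX(cb));
	return 0;
}

/* Clear Initial State response. fixed == 0 keeps the original assumption
 * that SP always precedes CIS; fixed == 1 applies the patch's
 * lookup-or-create before touching the package. */
int handle_cis(struct model_dev *d, unsigned char cb, int fixed)
{
	struct model_package *np = find_package(d, cb);

	if (d->probed)
		return -ENXIO;
	if (!np && fixed) {
		np = add_package(d, PKG_INDEX(cb));
		if (!np)            /* unreachable in this model, kept to mirror the hunk */
			return -ENODEV;
	}
	return add_channel(np, CHAN_INDEX(cb));
}

/* Replay a response sequence ('S' = SP, 'C' = CIS) for one channel byte
 * on a freshly zeroed device. Returns the first error, or 0. */
int run_sequence(struct model_dev *d, const char *seq, unsigned char cb, int fixed)
{
	memset(d, 0, sizeof(*d));
	for (; *seq; seq++) {
		int rc = (*seq == 'S') ? handle_sp(d, cb) : handle_cis(d, cb, fixed);
		if (rc)
			return rc;
	}
	return 0;
}

int channel_present(const struct model_dev *d, unsigned char cb)
{
	const struct model_package *np = &d->pkg[PKG_INDEX(cb)];
	return np->present && np->ch[CHAN_INDEX(cb)].present;
}

int main(void)
{
	struct model_dev d;
	int rc;

	/* Constructed channel byte 0x21: package 1, channel 1. */
	rc = run_sequence(&d, "SC", 0x21, 0);
	printf("SP then CIS, unfixed: rc=%d present=%d\n", rc, channel_present(&d, 0x21));
	rc = run_sequence(&d, "CS", 0x21, 0);
	printf("CIS then SP, unfixed: rc=%d (-EFAULT marks the NULL deref)\n", rc);
	rc = run_sequence(&d, "CS", 0x21, 1);
	printf("CIS then SP, fixed:   rc=%d present=%d\n", rc, channel_present(&d, 0x21));
	return 0;
}
```

The model deliberately keeps the `ndp->flags & NCSI_DEV_PROBED` check in front of the new block, as the hunk does, so the reader can see that the only ordering the patch changes is the unprobed, package-unknown case.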