Open Source and information security mailing list archives
Message-ID: <AANLkTimdN2LkEpyWV0bsdfVVvnsQOaLGYmm_0ostrjFM@mail.gmail.com>
Date:	Wed, 8 Dec 2010 23:18:22 -0500
From:	Nelson Elhage <nelhage@...lice.com>
To:	David Miller <davem@...emloft.net>
Cc:	eric.dumazet@...il.com, netdev@...r.kernel.org
Subject: Re: NULL dereference in econet AUN-over-UDP receive

Yep, that fixes the crash.

Tested-by: Nelson Elhage <nelhage@...lice.com>

On Wed, Dec 8, 2010 at 9:02 PM, David Miller <davem@...emloft.net> wrote:
> From: Eric Dumazet <eric.dumazet@...il.com>
> Date: Thu, 09 Dec 2010 02:37:47 +0100
>
>> On Wednesday 08 December 2010 at 19:30 -0500, Nelson Elhage wrote:
>>> While testing one of my econet reproducers on a patched kernel, I triggered a
>>> NULL pointer dereference in the econet AUN-over-UDP receive path. Upon further
>>> investigation, I now suspect that this code path hasn't worked at all in years.
>>>
>>> A copy of the oops is below for your reference, but here's my analysis:
>>>
>>> When aun_data_available receives a data packet (ah->code == 2), it calls
>>> aun_incoming to process the skb. The start of aun_incoming looks like:
>>>
>>> static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>>> {
>>>      struct iphdr *ip = ip_hdr(skb);
>>>      unsigned char stn = ntohl(ip->saddr) & 0xff;
>>>      struct sock *sk = NULL;
>>>      struct sk_buff *newskb;
>>> --->         struct ec_device *edev = skb->dev->ec_ptr;
>>>
>>
>> This can be changed to use skb_dst(skb)->dev instead
>>
>> struct dst *dst = skb_dst(skb);
>>
>> if (dst) {
>>       dev = dst->dev;
>>       ...
>> }
>
> Nelson please test if this patch fixes your crash:
>
> econet: Fix crash in aun_incoming().
>
> Unconditional use of skb->dev won't work here,
> try to fetch the econet device via skb_dst()->dev
> instead.
>
> Suggested by Eric Dumazet.
>
> Reported-by: Nelson Elhage <nelhage@...lice.com>
> Signed-off-by: David S. Miller <davem@...emloft.net>
>
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index f180371..15dcc1a 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -851,9 +851,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>  {
>        struct iphdr *ip = ip_hdr(skb);
>        unsigned char stn = ntohl(ip->saddr) & 0xff;
> +       struct dst_entry *dst = skb_dst(skb);
> +       struct ec_device *edev = NULL;
>        struct sock *sk = NULL;
>        struct sk_buff *newskb;
> -       struct ec_device *edev = skb->dev->ec_ptr;
> +
> +       if (dst)
> +               edev = dst->dev->ec_ptr;
>
>        if (! edev)
>                goto bad;
>
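Review bot: the new `edev = dst->dev->ec_ptr;` line still dereferences `dst->dev` unconditionally, so the `if (dst)` guard only covers the case where no dst is attached to the skb; if `dst->dev` can ever be NULL for a dst that reaches `aun_incoming()`, this moves the oops rather than removing it. Either add a short comment stating why `dst->dev` is guaranteed here, or widen the guard to `if (dst && dst->dev)` so the existing `if (! edev) goto bad;` fallback handles it. The commit message also states only that "unconditional use of skb->dev won't work here"; a sentence on why `skb->dev` is not valid on the AUN-over-UDP receive path would help whoever next touches this function.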