Message-Id: <20101208.180215.193709862.davem@davemloft.net>
Date: Wed, 08 Dec 2010 18:02:15 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: eric.dumazet@...il.com
Cc: nelhage@...lice.com, netdev@...r.kernel.org
Subject: Re: NULL dereference in econet AUN-over-UDP receive
From: Eric Dumazet <eric.dumazet@...il.com>
Date: Thu, 09 Dec 2010 02:37:47 +0100
> On Wednesday, 08 December 2010 at 19:30 -0500, Nelson Elhage wrote:
>> While testing one of my econet reproducers on a patched kernel, I triggered a
>> NULL pointer dereference in the econet AUN-over-UDP receive path. Upon further
>> investigation, I now suspect that this code path hasn't worked at all in years.
>>
>> A copy of the oops is below for your reference, but here's my analysis:
>>
>> When aun_data_available receives a data packet (ah->code == 2), it calls
>> aun_incoming to process the skb. The start of aun_incoming looks like:
>>
>> static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>> {
>>         struct iphdr *ip = ip_hdr(skb);
>>         unsigned char stn = ntohl(ip->saddr) & 0xff;
>>         struct sock *sk = NULL;
>>         struct sk_buff *newskb;
>> --->    struct ec_device *edev = skb->dev->ec_ptr;
>>
>
> This can be changed to use skb_dst(skb)->dev instead
>
>         struct dst_entry *dst = skb_dst(skb);
>
>         if (dst) {
>                 dev = dst->dev;
>                 ...
>         }
Nelson please test if this patch fixes your crash:

econet: Fix crash in aun_incoming().

Unconditional use of skb->dev won't work here,
try to fetch the econet device via skb_dst()->dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage <nelhage@...lice.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index f180371..15dcc1a 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -851,9 +851,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
{
struct iphdr *ip = ip_hdr(skb);
unsigned char stn = ntohl(ip->saddr) & 0xff;
+ struct dst_entry *dst = skb_dst(skb);
+ struct ec_device *edev = NULL;
struct sock *sk = NULL;
struct sk_buff *newskb;
- struct ec_device *edev = skb->dev->ec_ptr;
+
+ if (dst)
+ edev = dst->dev->ec_ptr;
if (! edev)
goto bad;
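
Review bot: In the added `if (dst) edev = dst->dev->ec_ptr;`, `dst` is NULL-checked but `dst->dev` is dereferenced unconditionally, so this repeats the pattern that caused the oops in `skb->dev->ec_ptr`, one pointer further along. Either test both (`if (dst && dst->dev)`) or add a short comment saying why `dst->dev` is always set for skbs reaching aun_incoming(). Separately, with `edev` now initialised to NULL, a missing dst falls through to the existing `if (! edev) goto bad;` and the packet is dropped silently. Since the report suspects this receive path has not worked in years, it is worth confirming in testing that `dst->dev` is the device that actually carries `ec_ptr`, so that the change restores delivery and does not just turn the crash into a drop.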