Message-ID: <20140204105957.GA3067@minipsycho.brq.redhat.com>
Date:	Tue, 4 Feb 2014 11:59:57 +0100
From:	Jiri Pirko <jiri@...nulli.us>
To:	Fernando Luis Vázquez Cao 
	<fernando_b1@....ntt.co.jp>
Cc:	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
	dev@...nvswitch.org, Jesse Gross <jesse@...ira.com>
Subject: Re: [PATCH] rtnetlink: fix oops in rtnl_link_get_slave_info_data_size

Tue, Feb 04, 2014 at 11:35:02AM CET, fernando_b1@....ntt.co.jp wrote:
>We should check whether rtnetlink link operations
>are defined before calling get_slave_size().
>
>Without this, the following oops can occur when
>adding a tap device to OVS.
>
>[   87.839553] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
>[   87.839595] IP: [<ffffffff813d47c0>] if_nlmsg_size+0xf0/0x220
>[...]
>[   87.840651] Call Trace:
>[   87.840664]  [<ffffffff813d694b>] ? rtmsg_ifinfo+0x2b/0x100
>[   87.840688]  [<ffffffff813c8340>] ? __netdev_adjacent_dev_insert+0x150/0x1a0
>[   87.840718]  [<ffffffff813d6a50>] ? rtnetlink_event+0x30/0x40
>[   87.840742]  [<ffffffff814b4144>] ? notifier_call_chain+0x44/0x70
>[   87.840768]  [<ffffffff813c8946>] ? __netdev_upper_dev_link+0x3c6/0x3f0
>[   87.840798]  [<ffffffffa0678d6c>] ? netdev_create+0xcc/0x160 [openvswitch]
>[   87.840828]  [<ffffffffa06781ea>] ? ovs_vport_add+0x4a/0xd0 [openvswitch]
>[   87.840857]  [<ffffffffa0670139>] ? new_vport+0x9/0x50 [openvswitch]
>[   87.840884]  [<ffffffffa067279e>] ? ovs_vport_cmd_new+0x11e/0x210 [openvswitch]
>[   87.840915]  [<ffffffff813f3efa>] ? genl_family_rcv_msg+0x19a/0x360
>[   87.840941]  [<ffffffff813f40c0>] ? genl_family_rcv_msg+0x360/0x360
>[   87.840967]  [<ffffffff813f4139>] ? genl_rcv_msg+0x79/0xc0
>[   87.840991]  [<ffffffff813b6cf9>] ? __kmalloc_reserve.isra.25+0x29/0x80
>[   87.841018]  [<ffffffff813f2389>] ? netlink_rcv_skb+0xa9/0xc0
>[   87.841042]  [<ffffffff813f27cf>] ? genl_rcv+0x1f/0x30
>[   87.841064]  [<ffffffff813f1988>] ? netlink_unicast+0xe8/0x1e0
>[   87.841088]  [<ffffffff813f1d9a>] ? netlink_sendmsg+0x31a/0x750
>[   87.841113]  [<ffffffff813aee96>] ? sock_sendmsg+0x86/0xc0
>[   87.841136]  [<ffffffff813c960d>] ? __netdev_update_features+0x4d/0x200
>[   87.841163]  [<ffffffff813ca94e>] ? ethtool_get_value+0x2e/0x50
>[   87.841188]  [<ffffffff813af269>] ? ___sys_sendmsg+0x359/0x370
>[   87.841212]  [<ffffffff813da686>] ? dev_ioctl+0x1a6/0x5c0
>[   87.841236]  [<ffffffff8109c210>] ? autoremove_wake_function+0x30/0x30
>[   87.841264]  [<ffffffff813ac59d>] ? sock_do_ioctl+0x3d/0x50
>[   87.841288]  [<ffffffff813aca68>] ? sock_ioctl+0x1e8/0x2c0
>[   87.841312]  [<ffffffff811934bf>] ? do_vfs_ioctl+0x2cf/0x4b0
>[   87.841335]  [<ffffffff813afeb9>] ? __sys_sendmsg+0x39/0x70
>[   87.841362]  [<ffffffff814b86f9>] ? system_call_fastpath+0x16/0x1b
>[   87.841386] Code: c0 74 10 48 89 ef ff d0 83 c0 07 83 e0 fc 48 98 49 01 c7 48 89 ef e8 d0 d6 fe ff 48 85 c0 0f 84 df 00 00 00 48 8b 90 08 07 00 00 <48> 8b 8a a8 00 00 00 31 d2 48 85 c9 74 0c 48 89 ee 48 89 c7 ff 
>[   87.841529] RIP  [<ffffffff813d47c0>] if_nlmsg_size+0xf0/0x220
>[   87.841555]  RSP <ffff880221aa5950>
>[   87.841569] CR2: 00000000000000a8
>[   87.851442] ---[ end trace e42ab217691b4fc2 ]---
>
>Signed-off-by: Fernando Luis Vazquez Cao <fernando@....ntt.co.jp>
>---
>
>diff -urNp linux-3.14-rc1-orig/net/core/rtnetlink.c linux-3.14-rc1/net/core/rtnetlink.c
>--- linux-3.14-rc1-orig/net/core/rtnetlink.c	2014-02-04 19:13:08.849827354 +0900
>+++ linux-3.14-rc1/net/core/rtnetlink.c	2014-02-04 19:04:20.130714042 +0900
>@@ -374,7 +374,7 @@ static size_t rtnl_link_get_slave_info_d
> 	if (!master_dev)
> 		return 0;
> 	ops = master_dev->rtnl_link_ops;
>-	if (!ops->get_slave_size)
>+	if (!ops || !ops->get_slave_size)
> 		return 0;
> 	/* IFLA_INFO_SLAVE_DATA + nested data */
> 	return nla_total_size(sizeof(struct nlattr)) +
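Review bot: the commit message should spell out how the oops reported in if_nlmsg_size maps to this hunk in rtnl_link_get_slave_info_data_size: the helper is static (see the hunk header) and is presumably inlined into if_nlmsg_size, so the RIP lands in the caller, and the faulting address CR2 00000000000000a8 is consistent with reading the get_slave_size member through a NULL rtnl_link_ops, which is exactly the read the added `!ops ||` guard prevents. Stating that explicitly makes the trace match the Subject line. As a style point, the patch is a plain `diff -urNp` of a 3.14-rc1 tree rather than git format-patch output; sending it through git format-patch keeps the subject prefix and authorship in the form the netdev tree expects.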
>
>


Oops.

Acked-by: Jiri Pirko <jiri@...nulli.us>
