| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMUH3-WyNR+2tsKgZ2qMNR=p+2Q3WDjcPrQcVSZfVSVyPA1qoA@mail.gmail.com>
Date: Mon, 3 Aug 2015 22:34:02 -0700
From: Brenden Blanco <bblanco@...mgrid.com>
To: netdev@...r.kernel.org, herbert@...dor.apana.org.au
Cc: davem@...emloft.net, khlebnikov@...dex-team.ru
Subject: Re: BUG: null dereference in __skb_recv_datagram
> [ 318.244596] BUG: unable to handle kernel NULL pointer dereference
> at 000000000000008e
> [ 318.245182] IP: [<ffffffff81455e7c>] __skb_recv_datagram+0xbc/0x5a0
Replying to myself, and adding commit interested parties...
I went through the git log for the function in question, and
positively identified that the following commit introduces the crash:
738ac1e net: Clone skb before setting peeked flag
Null dereference is at line 224 of net/core/datagram.c (according to
my objdump dis-assembly):
spin_lock_irqsave(&queue->lock, cpu_flags);
skb_queue_walk(queue, skb) {
last = skb;
*peeked = skb->peeked;
^-----------------------------------
if (flags & MSG_PEEK) {
if (_off >= skb->len && (skb->len || _off ||
skb->peeked)) {
Beyond that, I'm probably out of my comfort zone, so if anyone has a
bright idea of a patch to try, I will gladly test it.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists