lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1485446279.5145.141.camel@edumazet-glaptop3.roam.corp.google.com>
Date:   Thu, 26 Jan 2017 07:57:59 -0800
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Roy Keene <lkml@...ene.org>
Cc:     netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: ip_rcv_finish() NULL pointer kernel panic

On Thu, 2017-01-26 at 09:32 -0600, Roy Keene wrote:
> This bug appears to have existed for a long time:
> 
>  	https://www.spinics.net/lists/netdev/msg222459.html
> 
>  	http://www.kernelhub.org/?p=2&msg=823752
> 
> Though possibly with different things not setting the "input" function 
> pointer in the "struct dst_entry".
> 
> include/net/dst.h:
>   496 static inline int dst_input(struct sk_buff *skb) {
>   498         return skb_dst(skb)->input(skb);
>   499 }
> 
> Is there any reason not to check to see if this pointer is NULL before 
> blindly calling it ?

Sure. It can not be NULL at this point.

Just look at the code in ip_rcv_finish() :

It first make sure to get a valid dst.

Something is broken, probably in bridge netfilter code.

I suspect the dst here points to &br->fake_rtable, and this is not
expected.

br_drop_fake_rtable() should have been called somewhere ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ