lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1507088831.8061.41.camel@edumazet-glaptop3.roam.corp.google.com>
Date:   Tue, 03 Oct 2017 20:47:11 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Vinicius Costa Gomes <vinicius.gomes@...el.com>
Cc:     netdev@...r.kernel.org, intel-wired-lan@...ts.osuosl.org,
        Jesus Sanchez-Palencia <jesus.sanchez-palencia@...el.com>,
        jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us,
        andre.guedes@...el.com, ivan.briano@...el.com,
        boon.leong.ong@...el.com, richardcochran@...il.com,
        henrik@...tad.us, levipearson@...il.com, rodney.cummings@...com
Subject: Re: [next-queue PATCH v3 2/4] net/sched: Fix accessing invalid
 dev_queue

On Tue, 2017-10-03 at 16:44 -0700, Vinicius Costa Gomes wrote:
> From: Jesus Sanchez-Palencia <jesus.sanchez-palencia@...el.com>
> 
> In qdisc_alloc() the dev_queue pointer was used without any checks being
> performed. If qdisc_create() gets a null dev_queue pointer, it just
> passes it along to qdisc_alloc(), leading to a crash. That happens if a
> root qdisc implements select_queue() and returns a null dev_queue
> pointer for an "invalid handle", for example.
> 
> One way to reproduce that is:
> 
> 1) Setup mqprio
> $ tc qdisc replace dev enp3s0 parent root mqprio num_tc 3 \
>      	   map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 queues 1@0 1@1 2@2 hw 0
> 
> 2) Replace the first inner qdisc
> $ tc qdisc replace dev enp3s0 parent 8001:1 pfifo_fast
> 
> This will lead to the following crash:

When was this bug added ?

If this is a consequence of your prior patch (1/4), then this must come
before it.

No need to add a stack trace for a not existing bug.
Instead, explain in the changelog that it is a prep work.

We try to not break the tree on purpose, so that future bisection will
not hit a point where the kernel crashes.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ