| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <403f72a5-1bda-f747-ac15-59340030a5e5@lab.ntt.co.jp> Date: Thu, 21 Dec 2017 18:39:56 +0900 From: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp> To: Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us> Cc: netdev@...r.kernel.org Subject: null-ptr-deref in tcf_block_put Hi, Recently I tried tools/testing/selftests/net/rtnetlink.sh with KASAN enabled and encountered following BUG. kernel: ================================================================== kernel: BUG: KASAN: null-ptr-deref in tcf_block_put+0x8c/0xc0 kernel: Read of size 8 at addr 0000000000000018 by task tc/2966 kernel: kernel: CPU: 0 PID: 2966 Comm: tc Not tainted 4.15.0-rc3+ #24 kernel: Hardware name: Hewlett-Packard HP Z440 Workstation/212B, BIOS M60 v02.34 05/18/2017 kernel: Call Trace: kernel: dump_stack+0xaf/0x127 kernel: ? _atomic_dec_and_lock+0x159/0x159 kernel: ? tcf_block_put_ext+0x215/0x270 kernel: kasan_report+0x15f/0x360 kernel: ? tcf_block_put+0x8c/0xc0 kernel: tcf_block_put+0x8c/0xc0 kernel: ? tcf_block_put_ext+0x270/0x270 kernel: ? kfree+0x9c/0x1b0 kernel: htb_destroy_class.isra.17+0x54/0x70 [sch_htb] kernel: htb_destroy+0x122/0x200 [sch_htb] kernel: qdisc_destroy+0xa4/0x2a0 kernel: ? rtnetlink_send+0x94/0xa0 kernel: qdisc_graft+0x530/0x650 kernel: tc_get_qdisc+0x235/0x370 kernel: ? tc_ctl_tclass+0x5f0/0x5f0 kernel: ? security_capable+0x2d/0x70 kernel: rtnetlink_rcv_msg+0x69c/0x790 kernel: ? rtnl_calcit.isra.26+0x250/0x250 kernel: ? depot_save_stack+0x12d/0x470 kernel: ? save_stack+0x89/0xb0 kernel: ? kasan_kmalloc+0xa0/0xd0 kernel: ? __kmalloc_node_track_caller+0x192/0x2d0 kernel: ? __kmalloc_reserve.isra.39+0x2e/0x80 kernel: ? __alloc_skb+0xf9/0x3a0 kernel: ? netlink_sendmsg+0x558/0x680 kernel: ? sock_sendmsg+0x6b/0x80 kernel: ? ___sys_sendmsg+0x49a/0x500 kernel: ? __sys_sendmsg+0xb5/0x150 kernel: ? entry_SYSCALL_64_fastpath+0x1a/0x7d kernel: ? __alloc_skb+0xc9/0x3a0 kernel: ? netlink_sendmsg+0x558/0x680 kernel: ? sock_sendmsg+0x6b/0x80 kernel: ? ___sys_sendmsg+0x49a/0x500 kernel: ? __sys_sendmsg+0xb5/0x150 kernel: ? entry_SYSCALL_64_fastpath+0x1a/0x7d kernel: ? lru_cache_add+0x145/0x210 kernel: ? lru_cache_add_file+0x10/0x10 kernel: ? mem_cgroup_low+0x140/0x140 kernel: ? netlink_compare+0x53/0x70 kernel: ? __netlink_lookup+0x2d3/0x3e0 kernel: ? netlink_broadcast+0x20/0x20 kernel: ? memcg_kmem_get_cache+0x4e0/0x4e0 kernel: ? netlink_deliver_tap+0x10b/0x530 kernel: ? kasan_kmalloc+0xa0/0xd0 kernel: ? netlink_has_listeners+0x170/0x170 kernel: ? __kmalloc_node_track_caller+0x231/0x2d0 kernel: ? iov_iter_advance+0x176/0x7a0 kernel: netlink_rcv_skb+0x122/0x230 kernel: ? rtnl_calcit.isra.26+0x250/0x250 kernel: ? netlink_ack+0x4b0/0x4b0 kernel: ? netlink_trim+0x123/0x1c0 kernel: ? alloc_pages_vma+0x93/0x260 kernel: netlink_unicast+0x2c2/0x360 kernel: ? netlink_attachskb+0x3f0/0x3f0 kernel: ? import_iovec+0x128/0x1d0 kernel: netlink_sendmsg+0x528/0x680 kernel: ? netlink_unicast+0x360/0x360 kernel: ? netlink_unicast+0x360/0x360 kernel: sock_sendmsg+0x6b/0x80 kernel: ___sys_sendmsg+0x49a/0x500 kernel: ? copy_msghdr_from_user+0x260/0x260 kernel: ? netlink_sendmsg+0x2b2/0x680 kernel: ? netlink_unicast+0x360/0x360 kernel: ? mem_cgroup_from_task+0x9c/0xe0 kernel: ? mem_cgroup_reset+0x190/0x190 kernel: ? __fget_light+0x17e/0x200 kernel: ? expand_files+0x570/0x570 kernel: ? handle_mm_fault+0x1ca/0x380 kernel: ? __handle_mm_fault+0x1f10/0x1f10 kernel: ? vmacache_find+0xe6/0x110 kernel: ? __do_page_fault+0x5c5/0x6d0 kernel: ? __sys_sendmsg+0xb5/0x150 kernel: __sys_sendmsg+0xb5/0x150 kernel: ? SyS_shutdown+0x160/0x160 kernel: ? kmem_cache_free+0x7c/0x1f0 kernel: ? __do_page_fault+0x6d0/0x6d0 kernel: ? do_sys_open+0x1f0/0x380 kernel: entry_SYSCALL_64_fastpath+0x1a/0x7d After some investigation I found this commit: [1] https://patchwork.ozlabs.org/patch/833596 which fixed this bug. But recently accepted commit: [2] https://patchwork.ozlabs.org/patch/849101/ reverted it. So I tried same fix in [1] on top of latest net-next. The bug did not reproduce. -Prashant
Powered by blists - more mailing lists