Message-ID: <20171221115701.GC1930@nanopsycho>
Date: Thu, 21 Dec 2017 12:57:01 +0100
From: Jiri Pirko <jiri@...nulli.us>
To: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp>
Cc: Cong Wang <xiyou.wangcong@...il.com>, netdev@...r.kernel.org
Subject: Re: null-ptr-deref in tcf_block_put
Thu, Dec 21, 2017 at 10:39:56AM CET, bhole_prashant_q7@....ntt.co.jp wrote:
>
>Hi,
>Recently I tried tools/testing/selftests/net/rtnetlink.sh with KASAN enabled
>and encountered the following BUG.
>
>kernel: ==================================================================
>kernel: BUG: KASAN: null-ptr-deref in tcf_block_put+0x8c/0xc0
>kernel: Read of size 8 at addr 0000000000000018 by task tc/2966
>kernel:
>kernel: CPU: 0 PID: 2966 Comm: tc Not tainted 4.15.0-rc3+ #24
>kernel: Hardware name: Hewlett-Packard HP Z440 Workstation/212B, BIOS M60
>v02.34 05/18/2017
>kernel: Call Trace:
>kernel: dump_stack+0xaf/0x127
>kernel: ? _atomic_dec_and_lock+0x159/0x159
>kernel: ? tcf_block_put_ext+0x215/0x270
>kernel: kasan_report+0x15f/0x360
>kernel: ? tcf_block_put+0x8c/0xc0
>kernel: tcf_block_put+0x8c/0xc0
>kernel: ? tcf_block_put_ext+0x270/0x270
>kernel: ? kfree+0x9c/0x1b0
>kernel: htb_destroy_class.isra.17+0x54/0x70 [sch_htb]
>kernel: htb_destroy+0x122/0x200 [sch_htb]
>kernel: qdisc_destroy+0xa4/0x2a0
>kernel: ? rtnetlink_send+0x94/0xa0
>kernel: qdisc_graft+0x530/0x650
>kernel: tc_get_qdisc+0x235/0x370
>kernel: ? tc_ctl_tclass+0x5f0/0x5f0
>kernel: ? security_capable+0x2d/0x70
>kernel: rtnetlink_rcv_msg+0x69c/0x790
>kernel: ? rtnl_calcit.isra.26+0x250/0x250
>kernel: ? depot_save_stack+0x12d/0x470
>kernel: ? save_stack+0x89/0xb0
>kernel: ? kasan_kmalloc+0xa0/0xd0
>kernel: ? __kmalloc_node_track_caller+0x192/0x2d0
>kernel: ? __kmalloc_reserve.isra.39+0x2e/0x80
>kernel: ? __alloc_skb+0xf9/0x3a0
>kernel: ? netlink_sendmsg+0x558/0x680
>kernel: ? sock_sendmsg+0x6b/0x80
>kernel: ? ___sys_sendmsg+0x49a/0x500
>kernel: ? __sys_sendmsg+0xb5/0x150
>kernel: ? entry_SYSCALL_64_fastpath+0x1a/0x7d
>kernel: ? __alloc_skb+0xc9/0x3a0
>kernel: ? netlink_sendmsg+0x558/0x680
>kernel: ? sock_sendmsg+0x6b/0x80
>kernel: ? ___sys_sendmsg+0x49a/0x500
>kernel: ? __sys_sendmsg+0xb5/0x150
>kernel: ? entry_SYSCALL_64_fastpath+0x1a/0x7d
>kernel: ? lru_cache_add+0x145/0x210
>kernel: ? lru_cache_add_file+0x10/0x10
>kernel: ? mem_cgroup_low+0x140/0x140
>kernel: ? netlink_compare+0x53/0x70
>kernel: ? __netlink_lookup+0x2d3/0x3e0
>kernel: ? netlink_broadcast+0x20/0x20
>kernel: ? memcg_kmem_get_cache+0x4e0/0x4e0
>kernel: ? netlink_deliver_tap+0x10b/0x530
>kernel: ? kasan_kmalloc+0xa0/0xd0
>kernel: ? netlink_has_listeners+0x170/0x170
>kernel: ? __kmalloc_node_track_caller+0x231/0x2d0
>kernel: ? iov_iter_advance+0x176/0x7a0
>kernel: netlink_rcv_skb+0x122/0x230
>kernel: ? rtnl_calcit.isra.26+0x250/0x250
>kernel: ? netlink_ack+0x4b0/0x4b0
>kernel: ? netlink_trim+0x123/0x1c0
>kernel: ? alloc_pages_vma+0x93/0x260
>kernel: netlink_unicast+0x2c2/0x360
>kernel: ? netlink_attachskb+0x3f0/0x3f0
>kernel: ? import_iovec+0x128/0x1d0
>kernel: netlink_sendmsg+0x528/0x680
>kernel: ? netlink_unicast+0x360/0x360
>kernel: ? netlink_unicast+0x360/0x360
>kernel: sock_sendmsg+0x6b/0x80
>kernel: ___sys_sendmsg+0x49a/0x500
>kernel: ? copy_msghdr_from_user+0x260/0x260
>kernel: ? netlink_sendmsg+0x2b2/0x680
>kernel: ? netlink_unicast+0x360/0x360
>kernel: ? mem_cgroup_from_task+0x9c/0xe0
>kernel: ? mem_cgroup_reset+0x190/0x190
>kernel: ? __fget_light+0x17e/0x200
>kernel: ? expand_files+0x570/0x570
>kernel: ? handle_mm_fault+0x1ca/0x380
>kernel: ? __handle_mm_fault+0x1f10/0x1f10
>kernel: ? vmacache_find+0xe6/0x110
>kernel: ? __do_page_fault+0x5c5/0x6d0
>kernel: ? __sys_sendmsg+0xb5/0x150
>kernel: __sys_sendmsg+0xb5/0x150
>kernel: ? SyS_shutdown+0x160/0x160
>kernel: ? kmem_cache_free+0x7c/0x1f0
>kernel: ? __do_page_fault+0x6d0/0x6d0
>kernel: ? do_sys_open+0x1f0/0x380
>kernel: entry_SYSCALL_64_fastpath+0x1a/0x7d
>
>
>
>After some investigation I found this commit:
>[1] https://patchwork.ozlabs.org/patch/833596 which fixed this bug.
>
>But a recently accepted commit:
>[2] https://patchwork.ozlabs.org/patch/849101/ reverted it.
Oops. Sending the fix. We need to check in both.
Thanks!
>
>So I tried the same fix from [1] on top of the latest net-next. The bug did not
>reproduce.
>
>
>-Prashant
>
>