lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <f5d64db9-bfa7-4886-3897-7dd4f878084e@linux.vnet.ibm.com>
Date:   Tue, 27 Feb 2018 15:23:17 +0100
From:   Ursula Braun <ubraun@...ux.vnet.ibm.com>
To:     Davide Caratti <dcaratti@...hat.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        linux-s390@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH net] af_smc: fix NULL pointer dereference on
 sock_create_kern() error path



On 02/27/2018 02:49 PM, Davide Caratti wrote:
> when sock_create_kern(..., a) returns an error, 'a' might not be a valid
> pointer, so it shouldn't be dereferenced to read a->sk->sk_sndbuf and
> and a->sk->sk_rcvbuf; not doing that caused the following crash:
> 
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>     (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 4254 Comm: syzkaller919713 Not tainted 4.16.0-rc1+ #18
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:smc_create+0x14e/0x300 net/smc/af_smc.c:1410
> RSP: 0018:ffff8801b06afbc8 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff8801b63457c0 RCX: ffffffff85a3e746
> RDX: 0000000000000004 RSI: 00000000ffffffff RDI: 0000000000000020
> RBP: ffff8801b06afbf0 R08: 00000000000007c0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff8801b6345c08 R14: 00000000ffffffe9 R15: ffffffff8695ced0
> FS:  0000000001afb880(0000) GS:ffff8801db200000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000040 CR3: 00000001b0721004 CR4: 00000000001606f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   __sock_create+0x4d4/0x850 net/socket.c:1285
>   sock_create net/socket.c:1325 [inline]
>   SYSC_socketpair net/socket.c:1409 [inline]
>   SyS_socketpair+0x1c0/0x6f0 net/socket.c:1366
>   do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
>   entry_SYSCALL_64_after_hwframe+0x26/0x9b
> RIP: 0033:0x4404b9
> RSP: 002b:00007fff44ab6908 EFLAGS: 00000246 ORIG_RAX: 0000000000000035
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004404b9
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000002b
> RBP: 00007fff44ab6910 R08: 0000000000000002 R09: 00007fff44003031
> R10: 0000000020000040 R11: 0000000000000246 R12: ffffffffffffffff
> R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
> Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 01 00 00 4c 8b a3 48 04 00 00 48
> b8
> 00 00 00 00 00 fc ff df 49 8d 7c 24 20 48 89 fa 48 c1 ea 03 <80> 3c 02
> 00
> 0f 85 82 01 00 00 4d 8b 7c 24 20 48 b8 00 00 00 00
> RIP: smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP: ffff8801b06afbc8
> 
> Fixes: cd6851f30386 smc: remote memory buffers (RMBs)
> Reported-and-tested-by: syzbot+aa0227369be2dcc26ebe@...kaller.appspotmail.com
> Signed-off-by: Davide Caratti <dcaratti@...hat.com>
> ---
>  net/smc/af_smc.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> index da1a5cdefd13..8cc97834d4f6 100644
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1406,8 +1406,10 @@ static int smc_create(struct net *net, struct socket *sock, int protocol,
>  	smc->use_fallback = false; /* assume rdma capability first */
>  	rc = sock_create_kern(net, PF_INET, SOCK_STREAM,
>  			      IPPROTO_TCP, &smc->clcsock);
> -	if (rc)
> +	if (rc) {
>  		sk_common_release(sk);
> +		goto out;
> +	}
>  	smc->sk.sk_sndbuf = max(smc->clcsock->sk->sk_sndbuf, SMC_BUF_MIN_SIZE);
>  	smc->sk.sk_rcvbuf = max(smc->clcsock->sk->sk_rcvbuf, SMC_BUF_MIN_SIZE);
> 

Thanks Davide, I add your patch to our local repository; it will be part of my next patch set
to be sent to Dave Miller.

Regards, Ursula

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ