Message-ID: <1e992840-bf36-aa86-791e-8910a2aab7a5@gmail.com>
Date:   Mon, 12 Mar 2018 22:50:54 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Josh Elsasser <jelsasser@...neta.com>, davem@...emloft.net
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Willem de Bruijn <willemb@...gle.com>,
        Alexander Potapenko <glider@...gle.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Vlad Yasevich <vyasevich@...il.com>,
        Michal Kubeček <mkubecek@...e.cz>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/1] net: check before dereferencing netdev_ops during
 busy poll



On 03/12/2018 10:32 PM, Josh Elsasser wrote:
> init_dummy_netdev() leaves its netdev_ops pointer zeroed. This leads
> to a NULL pointer dereference when sk_busy_loop fires against an iwlwifi
> wireless adapter and checks napi->dev->netdev_ops->ndo_busy_poll.
> 
> Avoid this by ensuring napi->dev->netdev_ops is valid before following
> the pointer, avoiding the following panic when busy polling on a dummy
> netdev:
>


> 
> Fixes: 060212928670 ("net: add low latency socket poll")
> Fixes: ce6aea93f751 ("net: network drivers no longer need to implement ndo_busy_poll()") - 4.9.y
> Signed-off-by: Josh Elsasser <jelsasser@...neta.com>
> ---
>   net/core/dev.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 8898618bf341..1f50c131ed15 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -5042,7 +5042,10 @@ bool sk_busy_loop(struct sock *sk, int nonblock)
>   		goto out;
>   
>   	/* Note: ndo_busy_poll method is optional in linux-4.5 */
> -	busy_poll = napi->dev->netdev_ops->ndo_busy_poll;
> +	if (napi->dev->netdev_ops)
> +		busy_poll = napi->dev->netdev_ops->ndo_busy_poll;
> +	else
> +		busy_poll = NULL;
>   
>   	do {
>   		rc = 0;
> 
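
Review bot: the new `if (napi->dev->netdev_ops)` test sits under a comment that still only says ndo_busy_poll is optional, so nothing at this site explains why the ops pointer itself can be NULL. Extend the comment to say that devices set up by init_dummy_netdev() carry a zeroed netdev_ops. The added lines also put an if/else ahead of the loop on every sk_busy_loop() call; setting busy_poll to NULL first and assigning only inside the `if` would drop the `else` arm.
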
We could instead set up a non-NULL netdev_ops pointer on these 'dummy'
devices to not add a check in the fast path, but I presume we do
not really care since this fix is for old kernels, and considering how
long it took to discover this bug.

Reviewed-by: Eric Dumazet <edumazet@...gle.com>
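
Added example, not part of the original message or the kernel source: a user-space C model of the two options discussed above, the per-lookup NULL check from the patch and the reply's alternative of giving dummy devices a non-NULL ops table. Every `model_*` and `lookup_*` name is a hypothetical stand-in for the kernel structures.

```c
#include <stddef.h>
#include <string.h>
/* User-space model; every name below is a hypothetical stand-in for the
 * kernel's net_device_ops / net_device / napi_struct. */
struct model_napi;
typedef int (*busy_poll_fn)(struct model_napi *napi);
struct model_netdev_ops { busy_poll_fn ndo_busy_poll; };
struct model_netdev { const struct model_netdev_ops *netdev_ops; };
struct model_napi { struct model_netdev *dev; };

/* As the patch description says of init_dummy_netdev(): ops left zeroed. */
static void model_init_dummy(struct model_netdev *dev)
{
	memset(dev, 0, sizeof(*dev));
}

/* The patch's approach: test netdev_ops on every lookup. */
static busy_poll_fn lookup_guarded(const struct model_napi *napi)
{
	if (napi->dev->netdev_ops)
		return napi->dev->netdev_ops->ndo_busy_poll;
	return NULL;
}

/* The reply's alternative: dummy devices share an all-NULL ops table,
 * so the pre-patch style lookup below needs no extra branch. */
static const struct model_netdev_ops model_dummy_ops = { .ndo_busy_poll = NULL };
static void model_init_dummy_with_ops(struct model_netdev *dev)
{
	memset(dev, 0, sizeof(*dev));
	dev->netdev_ops = &model_dummy_ops;
}

static busy_poll_fn lookup_unguarded(const struct model_napi *napi)
{
	return napi->dev->netdev_ops->ndo_busy_poll; /* faults if ops is NULL */
}

/* Constructed driver method, used to show a device that does have one. */
int model_driver_poll(struct model_napi *napi) { (void)napi; return 1; }

int main(void)
{
	struct model_netdev dummy, fixed;
	struct model_napi a = { &dummy }, b = { &fixed };
	model_init_dummy(&dummy);
	model_init_dummy_with_ops(&fixed);
	/* Both report "no busy_poll method"; lookup_unguarded(&a) would fault. */
	return (lookup_guarded(&a) == NULL && lookup_unguarded(&b) == NULL) ? 0 : 1;
}
```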
