| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Jan 2019 10:41:42 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: dvyukov@...il.com
Cc: f6bvp@...e.fr, linux-hams@...r.kernel.org, netdev@...r.kernel.org,
dvyukov@...gle.com,
syzbot+1a2c456a1ea08fa5b5f7@...kaller.appspotmail.com,
ralf@...ux-mips.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/rose: fix NULL ax25_cb kernel panic
From: Dmitry Vyukov <dvyukov@...il.com>
Date: Fri, 25 Jan 2019 11:46:40 +0100
> From: Bernard Pidoux <f6bvp@...e.fr>
>
> When an internally generated frame is handled by rose_xmit(),
> rose_route_frame() is called:
>
> if (!rose_route_frame(skb, NULL)) {
> dev_kfree_skb(skb);
> stats->tx_errors++;
> return NETDEV_TX_OK;
> }
>
> We have the same code sequence in Net/Rom where an internally generated
> frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
> However, in this function NULL argument is tested while it is not in
> rose_route_frame().
> Then kernel panic occurs later on when calling ax25cmp() with a NULL
> ax25_cb argument as reported many times and recently with syzbot.
>
> We need to test if ax25 is NULL before using it.
>
> Testing:
> Built kernel with CONFIG_ROSE=y.
>
> Signed-off-by: Bernard Pidoux <f6bvp@...e.fr>
> Acked-by: Dmitry Vyukov <dvyukov@...gle.com>
> Reported-by: syzbot+1a2c456a1ea08fa5b5f7@...kaller.appspotmail.com
Applied and queued up for -stable, thanks.
Powered by blists - more mailing lists