Date:   Thu, 21 Feb 2019 13:19:55 -0800 (PST)
From:   David Miller <davem@...emloft.net>
To:     alan.maguire@...cle.com
Cc:     netdev@...r.kernel.org, kuznet@....inr.ac.ru,
        yoshfuji@...ux-ipv6.org, ast@...nel.org, daniel@...earbox.net,
        kafai@...com, songliubraving@...com, yhs@...com
Subject: Re: [PATCH net] iptunnel: NULL pointer deref for ip_md_tunnel_xmit

From: Alan Maguire <alan.maguire@...cle.com>
Date: Mon, 18 Feb 2019 12:36:40 +0000 (GMT)

> Naresh Kamboju noted the following oops during execution of selftest
> tools/testing/selftests/bpf/test_tunnel.sh on x86_64:
 ...
> I'm also seeing the same failure on x86_64, and it reproduces
> consistently.
> 
> From poking around it looks like the skb's dst entry is being used
> to calculate the mtu in:
> 
> mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
> 
> ...but because that dst_entry has an "ops" value set to md_dst_ops,
> the various ops (including mtu) are not set:
> 
> crash> struct sk_buff._skb_refdst ffff928f87447700 -x
>       _skb_refdst = 0xffffcd6fbf5ea590
> crash> struct dst_entry.ops 0xffffcd6fbf5ea590
>   ops = 0xffffffffa0193800
> crash> struct dst_ops.mtu 0xffffffffa0193800
>   mtu = 0x0
> crash>
> 
> I confirmed that the dst entry also has dst->input set to
> dst_md_discard, so it looks like it's an entry that's been
> initialized via __metadata_dst_init alright.
> 
> I think the fix here is to use skb_valid_dst(skb) - it checks
> for DST_METADATA also, and with that fix in place, the
> problem - which was previously 100% reproducible - disappears.
> 
> The below patch resolves the panic and all bpf tunnel tests pass
> without incident.
> 
> Fixes: c8b34e680a09 ("ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit")
> 
> Reported-by: Naresh Kamboju <naresh.kamboju@...aro.org>
> Signed-off-by: Alan Maguire <alan.maguire@...cle.com>
> Acked-by: Alexei Starovoitov <ast@...nel.org>

This doesn't apply cleanly to the current 'net' tree.

Also, please do not insert an empty line between the Fixes: and other
tags.  All tags are equal and should be placed together as an
uninterrupted group.
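
The failure described in the quoted commit message, as an added userspace model in C (not kernel code and not part of either message). The struct layouts, the flag value, the sample MTUs and the -1 "would oops" return are constructed for illustration; only the names and the bare `skb_dst(skb) ?` check come from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model: names follow the kernel, layouts and values are constructed. */
#define DST_METADATA 0x0080

struct dst_entry;
struct dst_ops { unsigned int (*mtu)(const struct dst_entry *dst); };
struct dst_entry { const struct dst_ops *ops; unsigned short flags; };
struct sk_buff { struct dst_entry *dst; };
struct net_device { unsigned int mtu; };

static unsigned int route_mtu(const struct dst_entry *dst) { (void)dst; return 1400; }
static const struct dst_ops route_ops = { .mtu = route_mtu };
static const struct dst_ops md_ops = { .mtu = NULL };  /* like md_dst_ops: mtu = 0x0 */

/* Constructed sample objects: a routed skb, a metadata skb, an skb with no dst. */
static struct dst_entry rt_dst = { &route_ops, 0 };
static struct dst_entry md_dst = { &md_ops, DST_METADATA };
static struct sk_buff rt_skb = { &rt_dst }, md_skb = { &md_dst }, bare_skb = { NULL };
static struct net_device tun_dev = { 1500 };

/* The check the message attributes to skb_valid_dst(): present and not metadata. */
static int skb_valid_dst(const struct sk_buff *skb)
{
    return skb->dst && !(skb->dst->flags & DST_METADATA);
}

/* Bare pointer check from the quoted line. Returns -1 at the point where the
 * kernel would call through the NULL ops->mtu pointer and oops. */
static long mtu_unguarded(const struct sk_buff *skb, const struct net_device *dev)
{
    if (!skb->dst)
        return dev->mtu;
    if (!skb->dst->ops->mtu)
        return -1;
    return skb->dst->ops->mtu(skb->dst);
}

/* With skb_valid_dst(): a metadata dst falls back to the device MTU. */
static long mtu_guarded(const struct sk_buff *skb, const struct net_device *dev)
{
    return skb_valid_dst(skb) ? skb->dst->ops->mtu(skb->dst) : dev->mtu;
}

int main(void)
{
    const struct sk_buff *s[] = { &rt_skb, &md_skb, &bare_skb };
    for (int i = 0; i < 3; i++)
        printf("unguarded=%ld guarded=%ld\n", mtu_unguarded(s[i], &tun_dev), mtu_guarded(s[i], &tun_dev));
    return 0;
}
```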
