lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 01 Apr 2019 14:59:55 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     jslaby@...e.cz
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        mkubecek@...e.cz
Subject: Re: [PATCH] kcm: switch order of device registration to fix a crash

From: Jiri Slaby <jslaby@...e.cz>
Date: Fri, 29 Mar 2019 12:19:46 +0100

> When kcm is loaded while many processes try to create a KCM socket, a
> crash occurs:
>  BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
>  IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
>  PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
>  Oops: 0002 [#1] SMP KASAN PTI
>  CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
>  RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
>  RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
>  RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
>  ...
>  CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
>  Call Trace:
>   kcm_create+0x600/0xbf0 [kcm]
>   __sock_create+0x324/0x750 net/socket.c:1272
>  ...
> 
> This is due to race between sock_create and unfinished
> register_pernet_device. kcm_create tries to do "net_generic(net,
> kcm_net_id)". but kcm_net_id is not initialized yet.
> 
> So switch the order of the two to close the race.
> 
> This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
> and one process doing module removal.
> 
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Reviewed-by: Michal Kubecek <mkubecek@...e.cz>
> Signed-off-by: Jiri Slaby <jslaby@...e.cz>

Applied and queued up for -stable, thanks.

Powered by blists - more mailing lists