| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Oct 2019 03:49:49 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: David Howells <dhowells@...hat.com>, netdev@...r.kernel.org
Cc: linux-afs@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] rxrpc: Fix possible NULL pointer access in ICMP
handling
On 10/10/19 7:52 AM, David Howells wrote:
> If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
> the UDP socket is being shut down, rxrpc_error_report() may get called to
> deal with it after sk_user_data on the UDP socket has been cleared, leading
> to a NULL pointer access when this local endpoint record gets accessed.
>
> Fix this by just returning immediately if sk_user_data was NULL.
>
> The oops looks like the following:
>
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> ...
> RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
> ...
> Call Trace:
> ? sock_queue_err_skb+0xbd/0xde
> ? __udp4_lib_err+0x313/0x34d
> __udp4_lib_err+0x313/0x34d
> icmp_unreach+0x1ee/0x207
> icmp_rcv+0x25b/0x28f
> ip_protocol_deliver_rcu+0x95/0x10e
> ip_local_deliver+0xe9/0x148
> __netif_receive_skb_one_core+0x52/0x6e
> process_backlog+0xdc/0x177
> net_rx_action+0xf9/0x270
> __do_softirq+0x1b6/0x39a
> ? smpboot_register_percpu_thread+0xce/0xce
> run_ksoftirqd+0x1d/0x42
> smpboot_thread_fn+0x19e/0x1b3
> kthread+0xf1/0xf6
> ? kthread_delayed_work_timer_fn+0x83/0x83
> ret_from_fork+0x24/0x30
>
> Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
> Reported-by: syzbot+611164843bd48cc2190c@...kaller.appspotmail.com
> Signed-off-by: David Howells <dhowells@...hat.com>
> ---
>
> net/rxrpc/peer_event.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
> index c97ebdc043e4..61451281d74a 100644
> --- a/net/rxrpc/peer_event.c
> +++ b/net/rxrpc/peer_event.c
> @@ -151,6 +151,9 @@ void rxrpc_error_report(struct sock *sk)
> struct rxrpc_peer *peer;
> struct sk_buff *skb;
>
> + if (unlikely(!local))
> + return;
> +
> _enter("%p{%d}", sk, local->debug_id);
>
> /* Clear the outstanding error value on the socket so that it doesn't
>
Okay, but we also need this.
diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index c97ebdc043e44525eaecdd54bc447c1895bdca74..38db10e61f7a5cb50f9ee036b5e16ec284e723ac 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -145,9 +145,9 @@ static void rxrpc_adjust_mtu(struct rxrpc_peer *peer, struct sock_exterr_skb *se
*/
void rxrpc_error_report(struct sock *sk)
{
+ struct rxrpc_local *local = rcu_dereference_sk_user_data(sk);
struct sock_exterr_skb *serr;
struct sockaddr_rxrpc srx;
- struct rxrpc_local *local = sk->sk_user_data;
struct rxrpc_peer *peer;
struct sk_buff *skb;
Powered by blists - more mailing lists