Open Source and information security mailing list archives
 
Date:   Sat, 30 Nov 2019 14:24:00 +0000
From:   Taehee Yoo <ap420073@...il.com>
To:     davem@...emloft.net, xiyou.wangcong@...il.com,
        netdev@...r.kernel.org
Cc:     ap420073@...il.com, treeze.taeung@...il.com
Subject: [net PATCH] hsr: fix a NULL pointer dereference in hsr_dev_xmit()

hsr_dev_xmit() calls hsr_port_get_hsr() to find the master node, and that would
return NULL if the master node does not exist in the list.
But hsr_dev_xmit() doesn't check the returned pointer, so a NULL dereference
could occur.

In the TX datapath there is no rcu_read_lock(), so this patch also adds the
missing rcu_read_lock() in hsr_dev_xmit().

Test commands:
    ip netns add nst
    ip link add v0 type veth peer name v1
    ip link add v2 type veth peer name v3
    ip link set v1 netns nst
    ip link set v3 netns nst
    ip link add hsr0 type hsr slave1 v0 slave2 v2
    ip a a 192.168.100.1/24 dev hsr0
    ip link set v0 up
    ip link set v2 up
    ip link set hsr0 up
    ip netns exec nst ip link add hsr1 type hsr slave1 v1 slave2 v3
    ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
    ip netns exec nst ip link set v1 up
    ip netns exec nst ip link set v3 up
    ip netns exec nst ip link set hsr1 up
    hping3 192.168.100.2 -2 --flood &
    modprobe -rv hsr

Splat looks like:
[  390.879740][ T1362] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  390.880789][ T1362] CPU: 3 PID: 1362 Comm: hping3 Not tainted 5.4.0+ #183
[  390.881679][ T1362] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  390.882804][ T1362] RIP: 0010:hsr_dev_xmit+0x34/0x90 [hsr]
[  390.883528][ T1362] Code: 48 8d be 00 0c 00 00 be 04 00 00 00 48 83 ec 08 e8 21 be ff ff 48 8d 78 10 48 ba 00 00 00 0b
[  390.887020][ T1362] RSP: 0018:ffff888045507058 EFLAGS: 00010202
[  390.888067][ T1362] RAX: 0000000000000000 RBX: ffff88804a5d0cc0 RCX: 0000000000000002
[  390.889390][ T1362] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000010
[  390.890525][ T1362] RBP: ffff88804a5d0cc0 R08: ffffed100d9c0d5d R09: 0000000000000001
[  390.891527][ T1362] R10: 0000000000000001 R11: ffffed100d9c0d5c R12: ffff888063bac000
[  390.893637][ T1362] R13: ffff888063bac088 R14: 0000000000000000 R15: ffff88806428fa00
[  390.900829][ T1362] FS:  00007fa5a5f40740(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
[  390.908566][ T1362] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  390.909280][ T1362] CR2: 0000555eaf8cef58 CR3: 000000005c8ec002 CR4: 00000000000606e0
[  390.910070][ T1362] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  390.910899][ T1362] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  390.911722][ T1362] Call Trace:
[  390.912105][ T1362]  dev_hard_start_xmit+0x160/0x740
[  390.912640][ T1362]  __dev_queue_xmit+0x1961/0x2e10
[  390.913148][ T1362]  ? check_object+0xaf/0x260
[  390.913630][ T1362]  ? __alloc_skb+0xb9/0x500
[  390.914088][ T1362]  ? init_object+0x6b/0x80
[  390.914558][ T1362]  ? netdev_core_pick_tx+0x2e0/0x2e0
[  390.915085][ T1362]  ? __alloc_skb+0xb9/0x500
[  390.915588][ T1362]  ? rcu_read_lock_sched_held+0x90/0xc0
[  390.916182][ T1362]  ? rcu_read_lock_bh_held+0xa0/0xa0
[  390.916742][ T1362]  ? kasan_unpoison_shadow+0x30/0x40
[  390.917276][ T1362]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
[  390.924192][ T1362]  ? __kmalloc_node_track_caller+0x3a8/0x3f0
[  390.924902][ T1362]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
[  390.925662][ T1362]  ? __kmalloc_reserve.isra.46+0x2e/0xb0
[  390.926398][ T1362]  ? memset+0x1f/0x40
[  390.926904][ T1362]  ? __alloc_skb+0x317/0x500
[  390.927492][ T1362]  ? arp_xmit+0xca/0x2c0
[  390.928050][ T1362]  arp_xmit+0xca/0x2c0
[  390.928576][ T1362]  ? arp_error_report+0x150/0x150
[  390.929209][ T1362]  ? eth_header+0x1b5/0x200
[  390.929781][ T1362]  ? memset+0x1f/0x40
[  390.930288][ T1362]  ? arp_create+0x616/0x780
[  390.930857][ T1362]  arp_send_dst.part.16+0x124/0x180
[  390.931524][ T1362]  ? arp_xmit+0x2c0/0x2c0
[  390.932088][ T1362]  arp_solicit+0x8cf/0xfb0
[  390.932654][ T1362]  ? lock_downgrade+0x6e0/0x6e0
[  390.933269][ T1362]  ? arp_send+0x90/0x90
[  390.933803][ T1362]  neigh_probe+0xaf/0xf0
[ ... ]

Fixes: 311633b60406 ("hsr: switch ->dellink() to ->ndo_uninit()")
Signed-off-by: Taehee Yoo <ap420073@...il.com>
---
 net/hsr/hsr_device.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index f509b495451a..e3871491960c 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -226,9 +226,16 @@ static int hsr_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct hsr_priv *hsr = netdev_priv(dev);
 	struct hsr_port *master;
 
+	rcu_read_lock();
 	master = hsr_port_get_hsr(hsr, HSR_PT_MASTER);
-	skb->dev = master->dev;
-	hsr_forward_skb(skb, master);
+	if (master) {
+		skb->dev = master->dev;
+		hsr_forward_skb(skb, master);
+	} else {
+		atomic_long_inc(&dev->tx_dropped);
+		dev_kfree_skb_any(skb);
+	}
+	rcu_read_unlock();
 	return NETDEV_TX_OK;
 }
 
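Review bot: the commit message should state why master can be NULL in the transmit path, since the hunk only shows the symptom being handled; the test commands (hping3 flooding while `modprobe -rv hsr` runs) imply the ports are torn down while xmit is still executing, and after the Fixes commit moved teardown to ->ndo_uninit that is exactly the window the new rcu_read_lock()/rcu_read_unlock() pair around `hsr_port_get_hsr()` is meant to cover. Spelling that out makes it clear the NULL check is the fix for a real race and not a defensive guess. The else branch itself looks right: the skb is freed with `dev_kfree_skb_any()` (safe from any context) and counted in `tx_dropped`, and returning NETDEV_TX_OK in both branches is correct because the skb is consumed either way.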
-- 
2.17.1
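As an added illustration, not the patch author's code: a user-space model of the defect described above and of the patched shape. The list, port and device types are simplified stand-ins (assumed names, not the kernel's real definitions) for the hsr_port list and struct net_device, and the RCU calls are only marked in comments since they have no user-space equivalent. The "before" function keeps the unconditional dereference on purpose so the two shapes can be read side by side; the scenario runs the checked path across a simulated port teardown and reports how many packets it dropped instead of crashing.

```c
/* Added example (not the patch author's code): user-space model of the
 * hsr_dev_xmit() defect and its fix. Types are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

enum { HSR_PT_SLAVE_A, HSR_PT_SLAVE_B, HSR_PT_MASTER };
enum { NETDEV_TX_OK = 0 };

struct net_device {
    const char *name;
    unsigned long tx_dropped;   /* stand-in for dev->tx_dropped */
};

struct hsr_port {
    struct hsr_port *next;
    int type;
    struct net_device *dev;
};

struct hsr_priv {
    struct hsr_port *ports;     /* singly linked stand-in for the RCU port list */
};

struct sk_buff {
    struct net_device *dev;
    bool forwarded;
    bool freed;
};

/* Mirrors hsr_port_get_hsr(): NULL when no port of that type is listed,
 * which is the state once the ports have been torn down during unload. */
static struct hsr_port *port_get(struct hsr_priv *hsr, int type)
{
    for (struct hsr_port *p = hsr->ports; p; p = p->next)
        if (p->type == type)
            return p;
    return NULL;
}

static void forward_skb(struct sk_buff *skb, struct hsr_port *port)
{
    (void)port;
    skb->forwarded = true;
}

/* "Before": the pattern the patch removes. master is dereferenced
 * unconditionally, so an empty port list is a NULL dereference. */
static int xmit_unchecked(struct sk_buff *skb, struct net_device *dev,
                          struct hsr_priv *hsr)
{
    struct hsr_port *master = port_get(hsr, HSR_PT_MASTER);
    (void)dev;
    skb->dev = master->dev;          /* crashes when master == NULL */
    forward_skb(skb, master);
    return NETDEV_TX_OK;
}

/* "After": the patched shape. The skb is forwarded or dropped-and-counted,
 * and NETDEV_TX_OK is returned either way because the skb is consumed. */
static int xmit_checked(struct sk_buff *skb, struct net_device *dev,
                        struct hsr_priv *hsr)
{
    /* rcu_read_lock() would go here in the kernel */
    struct hsr_port *master = port_get(hsr, HSR_PT_MASTER);
    if (master) {
        skb->dev = master->dev;
        forward_skb(skb, master);
    } else {
        dev->tx_dropped++;           /* atomic_long_inc(&dev->tx_dropped) */
        skb->freed = true;           /* dev_kfree_skb_any(skb) */
    }
    /* rcu_read_unlock() */
    return NETDEV_TX_OK;
}

/* Constructed scenario: master present, then the list emptied as happens
 * during "modprobe -rv hsr" while a flood is still transmitting. Returns
 * the number of packets the checked path dropped, or -1 on a logic error. */
static long run_scenario(void)
{
    struct net_device hsr0 = { "hsr0", 0 };
    struct net_device m = { "hsr0-master", 0 };
    struct hsr_port master = { NULL, HSR_PT_MASTER, &m };
    struct hsr_priv hsr = { &master };
    struct sk_buff skb0 = { NULL, false, false };
    struct sk_buff skb1 = { NULL, false, false };
    struct sk_buff skb2 = { NULL, false, false };

    xmit_unchecked(&skb0, &hsr0, &hsr); /* safe only while master exists */
    xmit_checked(&skb1, &hsr0, &hsr);   /* forwarded */
    hsr.ports = NULL;                   /* ports torn down */
    xmit_checked(&skb2, &hsr0, &hsr);   /* dropped, not crashed */

    if (!skb0.forwarded || !skb1.forwarded || !skb2.freed || skb2.forwarded)
        return -1;
    return (long)hsr0.tx_dropped;
}

int main(void)
{
    printf("packets dropped after port teardown: %ld\n", run_scenario());
    return 0;
}
```

Running the model shows one packet dropped and accounted after teardown; calling xmit_unchecked() at that point instead would crash, which is the kernel splat above in miniature.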
