lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAM_iQpUH-ZS2SCYzffg-vhq3EHD0SeHY0vf2beLUpVFtwW66EQ@mail.gmail.com>
Date:   Sat, 30 Nov 2019 12:42:30 -0800
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     David Miller <davem@...emloft.net>
Cc:     Linux Kernel Network Developers <netdev@...r.kernel.org>,
        syzbot+9fe8e3f6c64aa5e5d82c@...kaller.appspotmail.com
Subject: Re: [Patch net] netrom: fix a potential NULL pointer dereference

On Sat, Nov 30, 2019 at 12:31 PM David Miller <davem@...emloft.net> wrote:
>
> From: Cong Wang <xiyou.wangcong@...il.com>
> Date: Sat, 30 Nov 2019 12:05:40 -0800
>
> > It is possible that the skb gets removed between skb_peek() and
> > skb_dequeue(). So we should just check the return value of
> > skb_dequeue().  Otherwise, skb_clone() may get a NULL pointer.
> >
> > Technically, this should be protected by sock lock, but netrom
> > doesn't use it correctly. It is harder to fix sock lock than just
> > fixing this.
> >
> > Reported-by: syzbot+9fe8e3f6c64aa5e5d82c@...kaller.appspotmail.com
> > Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
>
> This is really bogus because it also means that all of the other
> state such as the ack_queue, nr->va, nr->vs, nr->window can also
> change meanwhile.
>
> And these determine whether a dequeue should be done at all, and
> I'm sure some range violations are possible as a result as well.
>
> This code is really terminally broken and just adding this check
> will leave many other other obvious bugs here that syzbot will
> trigger eventually.

Yes, this is what I meant by mentioning sock lock above, it is
more broken than this NULL-deref as I said. It is not worth time
to audit sock lock for netrom, so I decided to just fix this single
crash.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ