lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 20 Jan 2020 23:02:11 +0100
From:   Oliver Hartkopp <socketcan@...tkopp.net>
To:     Dmitry Vyukov <dvyukov@...gle.com>,
        Marc Kleine-Budde <mkl@...gutronix.de>,
        o.rempel@...gutronix.de,
        syzbot <syzbot+c3ea30e1e2485573f953@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>, linux-can@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: general protection fault in can_rx_register

Hi all,

On 20/01/2020 10.22, Dmitry Vyukov wrote:

>> Is this code what triggers the bug?
>>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=138f5db9e00000
> 
> yes
> 

(..)

>>>> RIP: 0010:hlist_add_head_rcu include/linux/rculist.h:528 [inline]
>>>> RIP: 0010:can_rx_register+0x43b/0x600 net/can/af_can.c:476
>>>
>>> include/linux/rculist.h:528 is
>>>
>>> struct hlist_node *first = h->first;
>>>
>>> which would mean that 'h' must be NULL.
>>>
>>> But the h parameter is rcv_list from
>>> rcv_list = can_rcv_list_find(&can_id, &mask, dev_rcv_lists);
>>>
>>> Which can not return NULL - at least when dev_rcv_lists is a proper pointer
>>> to the dev_rcv_lists provided by can_dev_rcv_lists_find().
>>>
>>> So either dev->ml_priv is NULL in the case of having a CAN interface (here
>>> vxcan) ...

Added some code to check whether dev->ml_priv is NULL:

~/linux$ git diff
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 128d37a4c2e0..6fb4ae4c359e 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -463,6 +463,10 @@ int can_rx_register(struct net *net, struct 
net_device *dev, canid_t can_id,
         spin_lock_bh(&net->can.rcvlists_lock);

         dev_rcv_lists = can_dev_rcv_lists_find(net, dev);
+       if (!dev_rcv_lists) {
+               pr_err("dev_rcv_lists == NULL! %p\n", dev);
+               goto out_unlock;
+       }
         rcv_list = can_rcv_list_find(&can_id, &mask, dev_rcv_lists);

         rcv->can_id = can_id;
@@ -479,6 +483,7 @@ int can_rx_register(struct net *net, struct 
net_device *dev, canid_t can_id,
         rcv_lists_stats->rcv_entries++;
         rcv_lists_stats->rcv_entries_max = 
max(rcv_lists_stats->rcv_entries_max,
 
rcv_lists_stats->rcv_entries);
+out_unlock:
         spin_unlock_bh(&net->can.rcvlists_lock);

         return err;

And the output (after some time) is:

[  758.505841] netlink: 'crash': attribute type 1 has an invalid length.
[  758.508045] bond7148: (slave vxcan1): The slave device specified does 
not support setting the MAC address
[  758.508057] bond7148: (slave vxcan1): Error -22 calling dev_set_mtu
[  758.532025] bond10413: (slave vxcan1): The slave device specified 
does not support setting the MAC address
[  758.532043] bond10413: (slave vxcan1): Error -22 calling dev_set_mtu
[  758.532254] dev_rcv_lists == NULL! 000000006b9d257f
[  758.547392] netlink: 'crash': attribute type 1 has an invalid length.
[  758.549310] bond7145: (slave vxcan1): The slave device specified does 
not support setting the MAC address
[  758.549313] bond7145: (slave vxcan1): Error -22 calling dev_set_mtu
[  758.550464] netlink: 'crash': attribute type 1 has an invalid length.
[  758.552301] bond7146: (slave vxcan1): The slave device specified does 
not support setting the MAC address

So we can see that we get a ml_priv pointer which is NULL which should 
not be possible due to this:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/can/dev.c#n743

Btw. the variable 'size' is set two times at the top of 
alloc_candev_mqs() depending on echo_skb_max. This looks wrong.

Best regards,
Oliver

Powered by blists - more mailing lists