lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 6 Feb 2020 07:18:46 -0800
From:   Eric Dumazet <edumazet@...gle.com>
To:     David Miller <davem@...emloft.net>
Cc:     netdev <netdev@...r.kernel.org>,
        Eric Dumazet <eric.dumazet@...il.com>,
        syzbot <syzkaller@...glegroups.com>, maximmi@...lanox.com
Subject: Re: [PATCH net] ipv6/addrconf: fix potential NULL deref in inet6_set_link_af()

On Thu, Feb 6, 2020 at 5:13 AM David Miller <davem@...emloft.net> wrote:
>
> From: Eric Dumazet <edumazet@...gle.com>
> Date: Wed,  5 Feb 2020 08:55:44 -0800
>
> > __in6_dev_get(dev) called from inet6_set_link_af() can return NULL.
> >
> > The needed check has been recently removed, let's add it back.
>
> I am having trouble understanding this one.
>
> When we have a do_setlink operation the flow is that we first validate
> the AFs and then invoke setlink operations after that validation.
>
> do_setlink() {
>  ..
>         err = validate_linkmsg(dev, tb);
>         if (err < 0)
>                 return err;
>  ..
>         if (tb[IFLA_AF_SPEC]) {
>  ...
>                         err = af_ops->set_link_af(dev, af);
>                         if (err < 0) {
>                                 rcu_read_unlock();
>                                 goto errout;
>                         }
>
> By definition, we only get to ->set_link_af() if there is an
> IFLA_AF_SPEC nested attribute and if we look at the validation
> performed by validate_linkmsg() it goes:
>
>         if (tb[IFLA_AF_SPEC]) {
>  ...
>                         if (af_ops->validate_link_af) {
>                                 err = af_ops->validate_link_af(dev, af);
>  ...
>
> And validate_link_af in net/ipv6/addrconf.c clearly does the
> following:
>
> static int inet6_validate_link_af(const struct net_device *dev,
>                                   const struct nlattr *nla)
>  ...
>         if (dev) {
>                 idev = __in6_dev_get(dev);
>                 if (!idev)
>                         return -EAFNOSUPPORT;
>         }
>  ...
>
> It checks the idev and makes sure it is not-NULL.
>
> I therefore cannot find a path by which we arrive at inet6_set_link_af
> with a NULL idev.  The above validation code should trap it.
>
> Please explain.
>

I can give a repro if that helps.

(I have to run, I might have more time later)

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  intptr_t res = 0;
  res = syscall(__NR_socket, 0x10ul, 3ul, 0ul);
  if (res != -1)
    r[0] = res;
  *(uint64_t*)0x20000080 = 0;
  *(uint32_t*)0x20000088 = 0;
  *(uint64_t*)0x20000090 = 0x20000200;
  *(uint64_t*)0x20000200 = 0x20000000;
  *(uint32_t*)0x20000000 = 0x40;
  *(uint16_t*)0x20000004 = 0x10;
  *(uint16_t*)0x20000006 = 0x801;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint8_t*)0x20000010 = 0;
  *(uint8_t*)0x20000011 = 0;
  *(uint16_t*)0x20000012 = 0;
  *(uint32_t*)0x20000014 = 0;
  *(uint32_t*)0x20000018 = 0;
  *(uint32_t*)0x2000001c = 0;
  *(uint16_t*)0x20000020 = 0x10;
  STORE_BY_BITMASK(uint16_t, , 0x20000022, 0x1a, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20000023, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20000023, 1, 7, 1);
  *(uint16_t*)0x20000024 = 0xc;
  STORE_BY_BITMASK(uint16_t, , 0x20000026, 0xa, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20000027, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20000027, 1, 7, 1);
  *(uint16_t*)0x20000028 = 5;
  *(uint16_t*)0x2000002a = 8;
  *(uint8_t*)0x2000002c = 0;
  *(uint16_t*)0x20000030 = 8;
  *(uint16_t*)0x20000032 = 0x1b;
  *(uint32_t*)0x20000034 = 0;
  *(uint16_t*)0x20000038 = 8;
  *(uint16_t*)0x2000003a = 4;
  *(uint32_t*)0x2000003c = 0x3ff;
  *(uint64_t*)0x20000208 = 0x40;
  *(uint64_t*)0x20000098 = 1;
  *(uint64_t*)0x200000a0 = 0;
  *(uint64_t*)0x200000a8 = 0;
  *(uint32_t*)0x200000b0 = 0x54;
  syscall(__NR_sendmsg, r[0], 0x20000080ul, 0ul);
  return 0;
}

Powered by blists - more mailing lists