Date:   Fri, 07 Feb 2020 18:44:31 +0100 (CET)
From:   David Miller <davem@...emloft.net>
To:     edumazet@...gle.com
Cc:     netdev@...r.kernel.org, eric.dumazet@...il.com,
        syzkaller@...glegroups.com, maximmi@...lanox.com
Subject: Re: [PATCH v2 net] ipv6/addrconf: fix potential NULL deref in
 inet6_set_link_af()

From: Eric Dumazet <edumazet@...gle.com>
Date: Fri,  7 Feb 2020 07:16:37 -0800

> __in6_dev_get(dev) called from inet6_set_link_af() can return NULL.
> 
> The needed check has been recently removed, let's add it back.
> 
> While do_setlink() does call validate_linkmsg() :
> ...
> err = validate_linkmsg(dev, tb); /* OK at this point */
> ...
> 
> It is possible that the following call happening before the
> ->set_link_af() removes IPv6 if MTU is less than 1280 :
> 
> if (tb[IFLA_MTU]) {
>     err = dev_set_mtu_ext(dev, nla_get_u32(tb[IFLA_MTU]), extack);
>     if (err < 0)
>           goto errout;
>     status |= DO_SETLINK_MODIFIED;
> }
> ...
> 
> if (tb[IFLA_AF_SPEC]) {
>    ...
>    err = af_ops->set_link_af(dev, af);
>       ->inet6_set_link_af() // CRASH because idev is NULL
 ...
> Fixes: 7dc2bccab0ee ("Validate required parameters in inet6_validate_link_af")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Bisected-and-reported-by: syzbot <syzkaller@...glegroups.com>
> Cc: Maxim Mikityanskiy <maximmi@...lanox.com>

Applied and queued up for -stable, thanks Eric.
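
The ordering described in the quoted commit message, as a user-space C model added here (not the kernel code and not part of the patch). The `_model` function names, the struct layouts and the `-EAFNOSUPPORT` return value are assumptions for illustration. It shows why a check that passes at validation time does not protect a dereference that happens after the MTU change.

```c
#include <errno.h>
#include <stddef.h>

#define IPV6_MIN_MTU 1280

/* Constructed user-space stand-ins for the kernel objects named in the thread. */
struct inet6_dev { unsigned int token; };
struct net_device { unsigned int mtu; struct inet6_dev *ip6_ptr; };

/* Early validation: passes while IPv6 is still attached to the device. */
static int validate_linkmsg_model(const struct net_device *dev)
{
    return dev->ip6_ptr ? 0 : -EAFNOSUPPORT;
}

/* An MTU below 1280 detaches IPv6 from the device as a side effect. */
static void set_mtu_model(struct net_device *dev, unsigned int mtu)
{
    dev->mtu = mtu;
    if (mtu < IPV6_MIN_MTU)
        dev->ip6_ptr = NULL;
}

/* Late consumer: re-checks the pointer instead of trusting the earlier validation. */
static int set_link_af_model(struct net_device *dev, unsigned int token)
{
    struct inet6_dev *idev = dev->ip6_ptr; /* can be NULL, like __in6_dev_get() */
    if (!idev)
        return -EAFNOSUPPORT; /* without this check the next line is the NULL deref */
    idev->token = token;
    return 0;
}

/* Mirrors the do_setlink() ordering: validate, change MTU, then set_link_af. */
int do_setlink_model(struct net_device *dev, unsigned int mtu, unsigned int token)
{
    int err = validate_linkmsg_model(dev);
    if (err < 0)
        return err;
    set_mtu_model(dev, mtu);
    return set_link_af_model(dev, token);
}

int main(void)
{
    struct inet6_dev idev = { 0 };
    struct net_device dev = { 1500, &idev };
    /* One request carrying both a small MTU and an AF_SPEC update. */
    return do_setlink_model(&dev, 1000, 1) == -EAFNOSUPPORT ? 0 : 1;
}
```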
