| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Feb 2020 17:44:43 +0000
From: Taehee Yoo <ap420073@...il.com>
To: davem@...emloft.net, kuba@...nel.org, subashab@...eaurora.org,
stranche@...eaurora.org, netdev@...r.kernel.org
Cc: ap420073@...il.com
Subject: [PATCH net 03/10] net: rmnet: fix NULL pointer dereference in rmnet_changelink()
In the rmnet_changelink(), it uses IFLA_LINK without checking
NULL pointer.
tb[IFLA_LINK] could be NULL pointer.
So, NULL-ptr-deref could occur.
rmnet already has a lower interface (real_dev).
So, after this patch, rmnet_changelink() does not use IFLA_LINK anymore.
Test commands:
modprobe rmnet
ip link add dummy0 type dummy
ip link add rmnet0 link dummy0 type rmnet mux_id 1
ip link set rmnet0 type rmnet mux_id 2
Splat looks like:
[ 73.784702][ T944] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 I
[ 73.786128][ T944] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 73.786894][ T944] CPU: 0 PID: 944 Comm: ip Not tainted 5.5.0+ #406
[ 73.787573][ T944] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 73.788865][ T944] RIP: 0010:rmnet_changelink+0x5a/0x8a0 [rmnet]
[ 73.789895][ T944] Code: 83 ec 20 48 c1 ea 03 80 3c 02 00 0f 85 6f 07 00 00 48 8b 5e 28 48 b8 00 00 00 00 00 fc ff d0
[ 73.792187][ T944] RSP: 0018:ffff88804ca571b8 EFLAGS: 00010247
[ 73.792939][ T944] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88804ca578b0
[ 73.793880][ T944] RDX: 0000000000000000 RSI: ffff88804ca574a0 RDI: 0000000000000004
[ 73.794904][ T944] RBP: ffff88806241f400 R08: 0000000000000002 R09: 0000000000000002
[ 73.796720][ T944] R10: ffffffffc03f2a80 R11: 0000000000000000 R12: ffff88804d094000
[ 73.797721][ T944] R13: ffff88804d094000 R14: ffff88806241e800 R15: 0000000000000000
[ 73.798770][ T944] FS: 00007fc9d81650c0(0000) GS:ffff88806c000000(0000) knlGS:0000000000000000
[ 73.800184][ T944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.801265][ T944] CR2: 0000557c57167458 CR3: 0000000066eea003 CR4: 00000000000606f0
[ 73.802297][ T944] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 73.803290][ T944] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 73.804433][ T944] Call Trace:
[ 73.804855][ T944] __rtnl_newlink+0x922/0x1270
[ 73.805459][ T944] ? lock_downgrade+0x6e0/0x6e0
[ 73.806068][ T944] ? rtnl_link_unregister+0x220/0x220
[ 73.806737][ T944] ? lock_acquire+0x164/0x3b0
[ 73.807328][ T944] ? is_bpf_image_address+0xff/0x1d0
[ 73.807983][ T944] ? rtnl_newlink+0x4c/0x90
[ 73.808540][ T944] ? kernel_text_address+0x111/0x140
[ 73.809196][ T944] ? __kernel_text_address+0xe/0x30
[ 73.809859][ T944] ? unwind_get_return_address+0x5f/0xa0
[ 73.810560][ T944] ? create_prof_cpu_mask+0x20/0x20
[ 73.811614][ T944] ? arch_stack_walk+0x83/0xb0
[ 73.812350][ T944] ? stack_trace_save+0x82/0xb0
[ 73.812976][ T944] ? stack_trace_consume_entry+0x160/0x160
[ 73.814174][ T944] ? deactivate_slab.isra.78+0x2c5/0x800
[ 73.814920][ T944] ? kasan_unpoison_shadow+0x30/0x40
[ 73.815594][ T944] ? kmem_cache_alloc_trace+0x135/0x350
[ 73.816789][ T944] ? rtnl_newlink+0x4c/0x90
[ 73.817357][ T944] rtnl_newlink+0x65/0x90
[ ... ]
Fixes: 23790ef12082 ("net: qualcomm: rmnet: Allow to configure flags for existing devices")
Signed-off-by: Taehee Yoo <ap420073@...il.com>
---
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
index f3d6a43b97a1..7a7d0f521352 100644
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
@@ -300,10 +300,8 @@ static int rmnet_changelink(struct net_device *dev, struct nlattr *tb[],
if (!dev)
return -ENODEV;
- real_dev = __dev_get_by_index(dev_net(dev),
- nla_get_u32(tb[IFLA_LINK]));
-
- if (!real_dev || !rmnet_is_real_dev_registered(real_dev))
+ real_dev = priv->real_dev;
+ if (!rmnet_is_real_dev_registered(real_dev))
return -ENODEV;
port = rmnet_get_port_rtnl(real_dev);
--
2.17.1
Powered by blists - more mailing lists