lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABBAZC+oQ64BcMRDgtXHes-Ri=20bh2GC-DuSZy7gPpKTFRMQw@mail.gmail.com>
Date:   Mon, 26 Oct 2020 15:37:48 +0900
From:   Masahiro Fujiwara <fujiwara.masahiro@...il.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Harald Welte <laforge@...monks.org>,
        "David S. Miller" <davem@...emloft.net>,
        Andreas Schultz <aschultz@...p.net>,
        osmocom-net-gprs@...ts.osmocom.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] gtp: fix an use-before-init in gtp_newlink()

Hi,

Thanks for the review. Will send a new patch with the fixes soon.

----
Fujiwara

On Mon, Oct 26, 2020 at 6:05 AM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Sat, 24 Oct 2020 15:42:33 +0000 Masahiro Fujiwara wrote:
> > *_pdp_find() from gtp_encap_recv() would trigger a crash when a peer
> > sends GTP packets while creating new GTP device.
> >
> > RIP: 0010:gtp1_pdp_find.isra.0+0x68/0x90 [gtp]
> > <SNIP>
> > Call Trace:
> >  <IRQ>
> >  gtp_encap_recv+0xc2/0x2e0 [gtp]
> >  ? gtp1_pdp_find.isra.0+0x90/0x90 [gtp]
> >  udp_queue_rcv_one_skb+0x1fe/0x530
> >  udp_queue_rcv_skb+0x40/0x1b0
> >  udp_unicast_rcv_skb.isra.0+0x78/0x90
> >  __udp4_lib_rcv+0x5af/0xc70
> >  udp_rcv+0x1a/0x20
> >  ip_protocol_deliver_rcu+0xc5/0x1b0
> >  ip_local_deliver_finish+0x48/0x50
> >  ip_local_deliver+0xe5/0xf0
> >  ? ip_protocol_deliver_rcu+0x1b0/0x1b0
> >
> > gtp_encap_enable() should be called after gtp_hastable_new() otherwise
> > *_pdp_find() will access the uninitialized hash table.
>
> Looks good, minor nits:
>
>  - is the time zone broken on your system? Looks like your email has
>    arrived with the date far in the past, so the build systems have
>    missed it. Could you double check the time on your system?
>
> > Fixes: 1e3a3abd8 ("gtp: make GTP sockets in gtp_newlink optional")
>
> The hash looks short, should be at lest 12 chars:
>
> Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
>
> > Signed-off-by: Masahiro Fujiwara <fujiwara.masahiro@...il.com>
>
> > diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
> > index 8e47d0112e5d..6c56337b02a3 100644
> > --- a/drivers/net/gtp.c
> > +++ b/drivers/net/gtp.c
> > @@ -663,10 +663,6 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
> >
> >       gtp = netdev_priv(dev);
> >
> > -     err = gtp_encap_enable(gtp, data);
> > -     if (err < 0)
> > -             return err;
> > -
> >       if (!data[IFLA_GTP_PDP_HASHSIZE]) {
> >               hashsize = 1024;
> >       } else {
> > @@ -676,13 +672,18 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
> >       }
> >
> >       err = gtp_hashtable_new(gtp, hashsize);
> > +     if (err < 0) {
> > +             return err;
> > +     }
>
> no need for braces around single statement
>
> > +
> > +     err = gtp_encap_enable(gtp, data);
> >       if (err < 0)
> >               goto out_encap;
> >
> >       err = register_netdevice(dev);
> >       if (err < 0) {
> >               netdev_dbg(dev, "failed to register new netdev %d\n", err);
> > -             goto out_hashtable;
> > +             goto out_encap;
> >       }
> >
> >       gn = net_generic(dev_net(dev), gtp_net_id);
> > @@ -693,11 +694,10 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
> >
> >       return 0;
> >
> > -out_hashtable:
> > -     kfree(gtp->addr_hash);
> > -     kfree(gtp->tid_hash);
> >  out_encap:
> >       gtp_encap_disable(gtp);
>
> I'd personally move the out_hashtable: label here and keep it, just for
> clarity. Otherwise reader has to double check that gtp_encap_disable()
> can be safely called before gtp_encap_enable().
>
> Also gtp_encap_disable() could change in the future breaking this
> assumption.
>
> > +     kfree(gtp->addr_hash);
> > +     kfree(gtp->tid_hash);
> >       return err;
> >  }
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ