lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <73bec80c-fb97-0808-8ca5-6579d9ff5251@pengutronix.de>
Date:   Fri, 27 Nov 2020 10:48:45 +0100
From:   Marc Kleine-Budde <mkl@...gutronix.de>
To:     Oliver Hartkopp <socketcan@...tkopp.net>, dvyukov@...gle.com,
        netdev@...r.kernel.org, linux-can@...r.kernel.org
Cc:     syzkaller-bugs@...glegroups.com,
        syzbot+381d06e0c8eaacb8706f@...kaller.appspotmail.com,
        syzbot+d0ddd88c9a7432f041e6@...kaller.appspotmail.com,
        syzbot+76d62d3b8162883c7d11@...kaller.appspotmail.com
Subject: Re: [PATCH] can: remove WARN() statement from list operation sanity
 check

On 11/26/20 8:21 PM, Oliver Hartkopp wrote:
> To detect potential bugs in CAN protocol implementations (double removal
> of receiver entries) a WARN() statement has been used if no matching list
> item was found for removal.
> 
> The fault injection issued by syzkaller was able to create a situation
> where the closing of a socket runs simultaneously to the notifier call
> chain for removing the CAN network device in use.
> 
> This case is very unlikely in real life but it doesn't break anything.
> Therefore we just replace the WARN() statement with pr_warn() to
> preserve the notification for the CAN protocol development.
> 
> Reported-by: syzbot+381d06e0c8eaacb8706f@...kaller.appspotmail.com
> Reported-by: syzbot+d0ddd88c9a7432f041e6@...kaller.appspotmail.com
> Reported-by: syzbot+76d62d3b8162883c7d11@...kaller.appspotmail.com
> Signed-off-by: Oliver Hartkopp <socketcan@...tkopp.net>
> ---
>  net/can/af_can.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/can/af_can.c b/net/can/af_can.c
> index 5d124c155904..7c5ccdec89e1 100644
> --- a/net/can/af_can.c
> +++ b/net/can/af_can.c
> @@ -539,14 +539,17 @@ void can_rx_unregister(struct net *net, struct net_device *dev, canid_t can_id,
>  			break;
>  	}
>  
>  	/* Check for bugs in CAN protocol implementations using af_can.c:
>  	 * 'rcv' will be NULL if no matching list item was found for removal.
> +	 * As this case may potentially happen when closing a socket while
> +	 * the notifier for removing the CAN netdev is running we just print
> +	 * a warning here. Reported by syskaller (see commit message)
I've removed the "Reported by syskaller (see commit message)" while applying the
patch, to keep this comment short and to the point. Use tig/git blame (or any
other future tool) to figure out the commit message for details :D

>  	 */
>  	if (!rcv) {
> -		WARN(1, "BUG: receive list entry not found for dev %s, id %03X, mask %03X\n",
> -		     DNAME(dev), can_id, mask);
> +		pr_warn("can: receive list entry not found for dev %s, id %03X, mask %03X\n",
> +			DNAME(dev), can_id, mask);
>  		goto out;
>  	}
>  
>  	hlist_del_rcu(&rcv->list);
>  	dev_rcv_lists->entries--;
> 

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ