lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210309034736.8656-1-zhudi21@huawei.com>
Date:   Tue, 9 Mar 2021 11:47:36 +0800
From:   zhudi <zhudi21@...wei.com>
To:     <jhs@...atatu.com>, <xiyou.wangcong@...il.com>
CC:     <davem@...emloft.net>, <kuba@...nel.org>, <netdev@...r.kernel.org>,
        <zhudi21@...wei.com>, <rose.chen@...wei.com>
Subject: [PATCH] net/sched: act_pedit: fix a NULL pointer deref in tcf_pedit_init

From: Di Zhu <zhudi21@...wei.com>

when we use syzkaller to fuzz-test our kernel, one NULL pointer dereference
BUG happened:

Write of size 96 at addr 0000000000000010 by task syz-executor.0/22376
==================================================================
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 80000001dc1a9067 P4D 80000001dc1a9067 PUD 1a32b5067 PMD 0
[...]
Call Trace
memcpy  include/linux/string.h:345 [inline]
tcf_pedit_init+0x7b4/0xa10 net/sched/act_pedit.c:232
tcf_action_init_1+0x59b/0x730  net/sched/act_api.c:920
tcf_action_init+0x1ef/0x320  net/sched/act_api.c:975
tcf_action_add+0xd2/0x270  net/sched/act_api.c:1360
tc_ctl_action+0x267/0x290  net/sched/act_api.c:1412
[...]

The root cause is that we use kmalloc() to allocate mem space for
keys without checking if the ksize is 0. if ksize == 0 then kmalloc()
will return ZERO_SIZE_PTR currently defined as 16, not the NULL pointer.
eventually ZERO_SIZE_PTR is assigned to p->tcfp_keys. The next time you
update the action with ksize not equal to 0, the bug will appear. This is
because  p->tcfp_nkeys == 0, so it will not call kmalloc() to realloc mem
using new ksize and eventually, memcpy() use ZERO_SIZE_PTR as destination
address.

So we can allow memory reallocation even if current p->tcfp_nkeys == 0 and
kfree() supports ZERO_SIZE_PTR as input parameter

Signed-off-by: Di Zhu <zhudi21@...wei.com>
---
 net/sched/act_pedit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index b45304446e13..86514bd49ab6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -216,7 +216,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
 	spin_lock_bh(&p->tcf_lock);
 
 	if (ret == ACT_P_CREATED ||
-	    (p->tcfp_nkeys && p->tcfp_nkeys != parm->nkeys)) {
+	    (p->tcfp_nkeys != parm->nkeys)) {
 		keys = kmalloc(ksize, GFP_ATOMIC);
 		if (!keys) {
 			spin_unlock_bh(&p->tcf_lock);
-- 
2.23.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ