lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210529112735.22bdc153@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net>
Date:   Sat, 29 May 2021 11:27:35 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Changbin Du <changbin.du@...il.com>
Cc:     "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] net: fix oops in socket ioctl cmd SIOCGSKNS when NET_NS
 is disabled

On Sat, 29 May 2021 14:05:26 +0800 Changbin Du wrote:
> When NET_NS is not enabled, socket ioctl cmd SIOCGSKNS should do nothing
> but acknowledge userspace it is not supported. Otherwise, kernel would
> panic wherever nsfs trys to access ns->ops since the proc_ns_operations
> is not implemented in this case.
> 
> [7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010
> [7.670268] pgd = 32b54000
> [7.670544] [00000010] *pgd=00000000
> [7.671861] Internal error: Oops: 5 [#1] SMP ARM
> [7.672315] Modules linked in:
> [7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16
> [7.673309] Hardware name: Generic DT based system
> [7.673642] PC is at nsfs_evict+0x24/0x30
> [7.674486] LR is at clear_inode+0x20/0x9c
> 
> Signed-off-by: Changbin Du <changbin.du@...il.com>
> Cc: <stable@...r.kernel.org> # v4.9

Please provide a Fixes tag.

> diff --git a/net/socket.c b/net/socket.c
> index 27e3e7d53f8e..644b46112d35 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1149,11 +1149,15 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
>  			mutex_unlock(&vlan_ioctl_mutex);
>  			break;
>  		case SIOCGSKNS:
> +#ifdef CONFIG_NET_NS
>  			err = -EPERM;
>  			if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
>  				break;
>  
>  			err = open_related_ns(&net->ns, get_net_ns);

There's a few more places with this exact code. Can we please add the
check in get_net_ns? That should fix all callers.

> +#else
> +			err = -ENOTSUPP;

EOPNOTSUPP, you shouldn't return ENOTSUPP to user space.

> +#endif
>  			break;
>  		case SIOCGSTAMP_OLD:
>  		case SIOCGSTAMPNS_OLD:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ