lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 May 2022 09:22:48 +0200 From: Paolo Abeni <pabeni@...hat.com> To: Zixuan Fu <r33s3n6@...il.com>, doshir@...are.com, pv-drivers@...are.com, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, baijiaju1990@...il.com, TOTE Robot <oslab@...nghua.edu.cn> Subject: Re: [PATCH v2] drivers: net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup() On Tue, 2022-05-10 at 21:17 +0800, Zixuan Fu wrote: > In vmxnet3_rq_create(), when dma_alloc_coherent() fails, > vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then > vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() > -> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls > vmxnet3_force_close() -> dev_close() in error handling code. And the driver > calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() > -> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), > rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing > a NULL pointer dereference. > > To fix this possible bug, an if statement is added to check whether > rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so. > > The error log in our fault-injection testing is shown as follows: > > [ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008 > ... > [ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3] > ... > [ 65.227977] Call Trace: > ... > [ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3] > [ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3] > [ 65.228866] __dev_close_many+0x288/0x350 > [ 65.229607] dev_close_many+0xa4/0x480 > [ 65.231124] dev_close+0x138/0x230 > [ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3] > [ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3] > ... > > Reported-by: TOTE Robot <oslab@...nghua.edu.cn> > Signed-off-by: Zixuan Fu <r33s3n6@...il.com> Same remarks here, please provide a new version with a suitable fixes tag, thanks! Paolo
Powered by blists - more mailing lists