Message-ID: <3f460707-e267-e749-07fc-c44604cd5713@iogearbox.net>
Date:   Fri, 10 Jun 2022 09:14:15 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Jianhao Xu <jianhao_xu@...il.nju.edu.cn>, jhs@...atatu.com,
        xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net,
        edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: sched: fix potential null pointer deref

Hi Jianhao,

On 6/10/22 4:14 AM, Jianhao Xu wrote:
> mq_queue_get() may return NULL, a check is needed to avoid using
> the NULL pointer.
> 
> Signed-off-by: Jianhao Xu <jianhao_xu@...il.nju.edu.cn>

Do you have a reproducer where this is triggered?

> ---
>   net/sched/sch_mq.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
> index 83d2e54bf303..9aca4ca82947 100644
> --- a/net/sched/sch_mq.c
> +++ b/net/sched/sch_mq.c
> @@ -201,6 +201,8 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
>   static struct Qdisc *mq_leaf(struct Qdisc *sch, unsigned long cl)
>   {
>   	struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
> +	if (!dev_queue)
> +		return NULL;
>   
>   	return dev_queue->qdisc_sleeping;
>   }
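Review bot: in mq_leaf() the added `return NULL` changes what callers of this callback can receive, and neither the hunk nor the commit message says which class id makes mq_queue_get() return NULL here or whether such an id can reach mq_leaf() at all. State the triggering condition in the commit message (the reproducer asked for above would settle it) and confirm that the callers tolerate a NULL leaf before relying on this return value.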
> @@ -218,6 +220,8 @@ static int mq_dump_class(struct Qdisc *sch, unsigned long cl,
>   			 struct sk_buff *skb, struct tcmsg *tcm)
>   {
>   	struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
> +	if (!dev_queue)
> +		return -1;
>   
>   	tcm->tcm_parent = TC_H_ROOT;
>   	tcm->tcm_handle |= TC_H_MIN(cl);
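Review bot: the new early return in mq_dump_class() uses a bare `-1`, which read as an errno value is -EPERM and would misdescribe the failure. If this path is reachable, return a named error that fits an invalid class (for example -ENOENT or -EINVAL, whichever the dump callers expect) and say in the commit message why that value was chosen.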
> @@ -229,6 +233,8 @@ static int mq_dump_class_stats(struct Qdisc *sch, unsigned long cl,
>   			       struct gnet_dump *d)
>   {
>   	struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
> +	if (!dev_queue)
> +		return -1;
>   
>   	sch = dev_queue->qdisc_sleeping;
>   	if (gnet_stats_copy_basic(d, sch->cpu_bstats, &sch->bstats, true) < 0 ||
> 
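Review bot: in mq_dump_class_stats() the `if (!dev_queue)` sits directly under the declaration, with the separating blank line now after the check; kernel style puts the blank line between the declaration and the first statement, here and in the other two hunks. The `return -1` should also be checked against what the failure path of the gnet_stats_copy_basic() test just below returns, which this hunk does not show, so that both error exits of the function agree.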
