Date:   Fri, 19 Aug 2022 18:11:46 +0300
From:   Sergei Antonov <saproj@...il.com>
To:     Vladimir Oltean <olteanv@...il.com>, netdev@...r.kernel.org
Subject: mv88e6060: NULL dereference in dsa_slave_changeupper()

Hello!
I am using the current netdev/net.git kernel. My DSA is mv88e6060
(CONFIG_NET_DSA_MV88E6060).
These two commands cause a crash:
~ # brctl addbr mybridge
~ # brctl addif mybridge lan2

Unable to handle kernel NULL pointer dereference at virtual address 00000000
[00000000] *pgd=2b7b83102b7b831, *pte=c2b7b000, *ppte=c086b6f4
Internal error: Oops: 17 [#1] PREEMPT ARM
CPU: 0 PID: 70 Comm: brctl Not tainted 6.0.0-rc1+ #102
Hardware name: Generic DT based system
PC is at dsa_slave_changeupper+0x5c/0x158

 dsa_slave_changeupper from raw_notifier_call_chain+0x38/0x6c
 raw_notifier_call_chain from __netdev_upper_dev_link+0x198/0x3b4
 __netdev_upper_dev_link from netdev_master_upper_dev_link+0x50/0x78
 netdev_master_upper_dev_link from br_add_if+0x430/0x7f4
 br_add_if from br_ioctl_stub+0x170/0x530
 br_ioctl_stub from br_ioctl_call+0x54/0x7c
 br_ioctl_call from dev_ifsioc+0x4e0/0x6bc
 dev_ifsioc from dev_ioctl+0x2f8/0x758
 dev_ioctl from sock_ioctl+0x5f0/0x674
 sock_ioctl from sys_ioctl+0x518/0xe40
 sys_ioctl from ret_fast_syscall+0x0/0x1c

The reason is that extack is NULL in dsa_slave_changeupper(). Does
the mv88e6060 driver support bridges at all? Anyway, it does not justify
the crash.
Below is "ip a" output. Tell me if anything else is needed.

1: lo: <LOOPBACK> mtu 65536 qdisc noop qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:e8:00:10:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:e8ff:fe00:1003/64 scope link
       valid_lft forever preferred_lft forever
3: lan2@...0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether 00:90:e8:00:10:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 scope global lan2
       valid_lft forever preferred_lft forever
4: lan3@...0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether 00:90:e8:00:10:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 scope global lan3
       valid_lft forever preferred_lft forever
5: lan1@...0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether 00:90:e8:00:10:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.254/24 scope global lan1
       valid_lft forever preferred_lft forever
    inet6 fe80::290:e8ff:fe00:1003/64 scope link
       valid_lft forever preferred_lft forever
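
The fault class reported above, reduced to a user-space C model; this is an added example, not part of the original message and not the kernel's code. `struct ext_ack`, `port_bridge_join()` and both `changeupper_*` functions are hypothetical stand-ins, and the model assumes the error-reporting argument is optional and arrives as NULL on the ioctl path seen in the trace.

```c
#include <errno.h>
#include <stddef.h>

/* Assumed stand-in for the kernel's extack: an optional error-message slot. */
struct ext_ack { const char *msg; };

/* Hypothetical driver hook: this switch cannot offload bridging. */
static int port_bridge_join(void) { return -EOPNOTSUPP; }

/* Unchecked shape: reads ack->msg directly, so ack == NULL is a read at
 * address 0. Only safe when every caller supplies an ack. */
int changeupper_unchecked(struct ext_ack *ack)
{
    int err = port_bridge_join();

    if (err == -EOPNOTSUPP) {
        if (!ack->msg)                 /* NULL dereference when ack == NULL */
            ack->msg = "Offloading not supported";
        err = 0;                       /* assumed: "not supported" is not fatal */
    }
    return err;
}

/* Checked shape: every access to the optional ack goes through one helper. */
static void ack_set_if_empty(struct ext_ack *ack, const char *msg)
{
    if (ack && !ack->msg)              /* tolerate callers that pass NULL */
        ack->msg = msg;
}

int changeupper_checked(struct ext_ack *ack)
{
    int err = port_bridge_join();

    if (err == -EOPNOTSUPP) {
        ack_set_if_empty(ack, "Offloading not supported");
        err = 0;
    }
    return err;
}

int main(void)
{
    /* Caller with no ack to give: the checked variant returns 0, no fault. */
    return changeupper_checked(NULL);
}
```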
