Date:   Sat, 15 Oct 2022 15:42:56 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     shaozhengchao <shaozhengchao@...wei.com>
Cc:     netdev <netdev@...r.kernel.org>, Paolo Abeni <pabeni@...hat.com>,
        Jakub Kicinski <kuba@...nel.org>,
        David Miller <davem@...emloft.net>, edumazet@...gle.com,
        sgarzare@...hat.com, ast@...nel.org, nikolay@...dia.com,
        mkl@...gutronix.de, cong.wang@...edance.com
Subject: Re: net/kcm: syz issue about general protection fault in skb_unlink

On Thu, Oct 13, 2022 at 06:51:29PM +0800, shaozhengchao wrote:
> I found that the syz issue ("general protection fault in skb_unlink")
> still happens in the Linux -next branch.
> commit: 082fce125e57cff60687181c97f3a8ee620c38f5
> Link:
> https://groups.google.com/g/syzkaller-bugs/c/ZfR2B5KaQrA/m/QfnGHCYSBwAJ
> Please ask:
> Is there any problem with this patch? Why is this patch not merged into
> the Linux -next branch or mainline?
> 

Does the following patch also fix this bug? It is much smaller than the
one you refer to above.

Thanks.

---------------->

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 1215c863e1c4..67c4b25d351d 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1116,6 +1116,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
 {
 	struct sock *sk = sock->sk;
 	struct kcm_sock *kcm = kcm_sk(sk);
+	struct kcm_mux *mux = kcm->mux;
 	int err = 0;
 	long timeo;
 	struct strp_msg *stm;
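Review bot: the new `mux` local is derived from `kcm`, so it has to stay below the `kcm` declaration and the ordering here is fine, but nothing in this hunk tells the reader why it exists; a one-line comment noting that it caches the mux whose `rx_lock` is taken around `skb_unlink()` later in the function would make the intent obvious at the declaration site.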
@@ -1156,8 +1157,10 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
 msg_finished:
 			/* Finished with message */
 			msg->msg_flags |= MSG_EOR;
+			spin_lock_bh(&mux->rx_lock);
 			KCM_STATS_INCR(kcm->stats.rx_msgs);
 			skb_unlink(skb, &sk->sk_receive_queue);
+			spin_unlock_bh(&mux->rx_lock);
 			kfree_skb(skb);
 		}
 	}
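Review bot: the locked region covers `KCM_STATS_INCR(kcm->stats.rx_msgs)` as well as `skb_unlink()`; only the queue manipulation needs `mux->rx_lock`, so unless the per-socket stats counter is also meant to be serialized by that lock, the `spin_lock_bh()` could move down one line to bracket just `skb_unlink(skb, &sk->sk_receive_queue)`. Independently, the patch carries no changelog: before it is submitted it should state which other path manipulates `sk->sk_receive_queue` under `mux->rx_lock` (and therefore why `_bh` is the right variant here), and carry `Reported-by:` for the syzkaller report linked in the quoted mail plus a `Fixes:` tag for the commit that introduced the unlocked `skb_unlink()`.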
