Date:   Sun, 16 Oct 2022 10:22:24 +0800
From:   shaozhengchao <shaozhengchao@...wei.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
CC:     netdev <netdev@...r.kernel.org>, Paolo Abeni <pabeni@...hat.com>,
        Jakub Kicinski <kuba@...nel.org>,
        David Miller <davem@...emloft.net>, <edumazet@...gle.com>,
        <sgarzare@...hat.com>, <ast@...nel.org>, <nikolay@...dia.com>,
        <mkl@...gutronix.de>, <cong.wang@...edance.com>
Subject: Re: net/kcm: syz issue about general protection fault in skb_unlink



On 2022/10/16 6:42, Cong Wang wrote:
> On Thu, Oct 13, 2022 at 06:51:29PM +0800, shaozhengchao wrote:
>> I found that the syz issue ("general protection fault in skb_unlink")
>> still happens in Linux -next branch.
>> commit: 082fce125e57cff60687181c97f3a8ee620c38f5
>> Link:
>> https://groups.google.com/g/syzkaller-bugs/c/ZfR2B5KaQrA/m/QfnGHCYSBwAJ
>> Please ask:
>> Is there any problem with this patch? Why is this patch not merged into
>> the Linux -next branch or mainline?
>>
> 
> Does the following patch also fix this bug? It is much smaller than the
> one you refer to above.
> 
> Thanks.
> 

Hi Wang:
	Thank you for your patch. I've tested this patch and it solves
my problem as well. Maybe it is better?

Zhengchao Shao
	
> ---------------->
> 
> diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
> index 1215c863e1c4..67c4b25d351d 100644
> --- a/net/kcm/kcmsock.c
> +++ b/net/kcm/kcmsock.c
> @@ -1116,6 +1116,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
>   {
>   	struct sock *sk = sock->sk;
>   	struct kcm_sock *kcm = kcm_sk(sk);
> +	struct kcm_mux *mux = kcm->mux;
>   	int err = 0;
>   	long timeo;
>   	struct strp_msg *stm;
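
Review bot: The new local `mux` in the declarations is initialized from `kcm->mux` at function entry, well before its use under `msg_finished`, and nothing in the hunk shows what keeps that pointer valid and unchanged in between. Either read `kcm->mux` at the point where `rx_lock` is taken, or add a comment stating why the cached pointer is safe for the whole of `kcm_recvmsg()`.
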
> @@ -1156,8 +1157,10 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
>   msg_finished:
>   			/* Finished with message */
>   			msg->msg_flags |= MSG_EOR;
> +			spin_lock_bh(&mux->rx_lock);
>   			KCM_STATS_INCR(kcm->stats.rx_msgs);
>   			skb_unlink(skb, &sk->sk_receive_queue);
> +			spin_unlock_bh(&mux->rx_lock);
>   			kfree_skb(skb);
>   		}
>   	}
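
Review bot: At `msg_finished`, the added `spin_lock_bh(&mux->rx_lock)` covers only the `skb_unlink()` call, and the visible lines do not show that the earlier lookup and use of `skb` in this function is covered by the same lock; if the intent is to serialize against another path that modifies `sk->sk_receive_queue` under `rx_lock`, that path could still act on the queue before this point is reached. Please add a comment naming the path being excluded, and check whether `KCM_STATS_INCR(kcm->stats.rx_msgs)` needs to sit inside the locked region at all.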
