lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20221027142455.3975224-1-chenzhihao@meizu.com>
Date: Thu, 27 Oct 2022 14:24:55 +0000
From: Zhihao Chen <chenzhihao@...zu.com>
To: <netdev@...r.kernel.org>
CC: <baihaowen@...zu.com>, <steffen.klassert@...unet.com>, Zhihao Chen <chenzhihao@...zu.com>, Chonglong Xu <xuchonglong@...zu.com>
Subject: [PATCH] xfrm:fix access to the null pointer in __xfrm_state_delete()

Validate the byseq node before removing it from the hlist of state_byseq.
km.seq cannot be used to determine whether the SA is in the byseq hlist
because xfrm_add_sa() may initialize km.seq to 0 and the SA is not inserted
into the hlist. In later network communication, the seq field will increase
after a valid packet is received. In the above case, the NULL pointer will
be accessed and cause a kernel panic when the SA is being removed from the
hlist by checking the km.seq field in __xfrm_state_delete().

Call trace:
 __xfrm_state_delete+0xb0/0x370
 xfrm_del_sa+0x1c8/0x378
 xfrm_user_rcv_msg+0x220/0x2d8
 netlink_rcv_skb+0x104/0x180
 xfrm_netlink_rcv+0x6c/0x118
 netlink_unicast_kernel+0x12c/0x320
 netlink_unicast+0x1dc/0x424
 netlink_sendmsg+0x4b8/0x730
 sock_write_iter+0x14c/0x1d8
 do_iter_readv_writev+0x164/0x1d8
 do_iter_write+0x104/0x2c4
 do_writev+0x1a4/0x2d4
 __arm64_sys_writev+0x24/0x34
 invoke_syscall+0x60/0x150
 el0_svc_common+0xc8/0x114
 do_el0_svc+0x28/0xa0
 el0_svc+0x28/0x90
 el0t_64_sync_handler+0x88/0xec
 el0t_64_sync+0x1b4/0x1b8

Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Signed-off-by: Zhihao Chen <chenzhihao@...zu.com>
Signed-off-by: Chonglong Xu <xuchonglong@...zu.com>
---
 net/xfrm/xfrm_state.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 3d2fe7712ac5..72a6426baef4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -687,7 +687,7 @@ int __xfrm_state_delete(struct xfrm_state *x) list_del(&x->km.all); hlist_del_rcu(&x->bydst); hlist_del_rcu(&x->bysrc); - if (x->km.seq) + if (x->km.seq && !hlist_unhashed(&x->byseq)) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi); -- 2.25.1
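Review bot: the `x->km.seq &&` half of the new condition is redundant once `!hlist_unhashed(&x->byseq)` is tested: a node that was never linked is skipped whatever the current seq value is, and keeping the seq test leaves the delete side coupled to a field the changelog itself says changes after insertion. Either simplify to `if (!hlist_unhashed(&x->byseq))` or, preferably, explain in the changelog why the insert side is left deciding byseq membership on km.seq at insert time, since that mismatch between insert and delete is the actual root cause. The changelog should also state what makes hlist_unhashed() a reliable "never inserted" test here (a state whose byseq.pprev starts out NULL), because hlist_del_rcu() does not reset the node, so the check only holds for a node that was never linked, not for one deleted earlier. Nit: the subject should read "xfrm: fix ..." with a space after the subsystem prefix.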
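To make the insert/delete mismatch from the changelog concrete, here is an added example that is not code from the patch or the kernel tree: a userspace model of the hlist primitives in which `hlist_del_checked()`, `struct sa` and `run_scenario()` are names assumed for illustration, and the zero-allocated state is likewise an assumption.

```c
/* Added example, not part of the patch: a userspace model of the kernel hlist
 * primitives and of the byseq insert/delete mismatch from the changelog. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
/* As in include/linux/list.h: pprev == NULL means the node was never linked. */
static bool hlist_unhashed(const struct hlist_node *n) { return !n->pprev; }
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}
/* Unlink, but return false instead of writing through a NULL pprev, which is
 * the fault __hlist_del() takes on a node that was never inserted. */
static bool hlist_del_checked(struct hlist_node *n)
{
    if (!n->pprev)
        return false;
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->pprev = NULL; /* the kernel poisons pprev here instead of clearing it */
    return true;
}
struct sa { uint32_t seq; struct hlist_node byseq; }; /* stand-in for xfrm_state */
/* Delete guard before the patch: byseq membership inferred from seq alone. */
static bool delete_before(struct sa *x)
{ return x->seq ? hlist_del_checked(&x->byseq) : true; }
/* Delete guard after the patch: seq plus the node's own hashed state. */
static bool delete_after(struct sa *x)
{ return (x->seq && !hlist_unhashed(&x->byseq)) ? hlist_del_checked(&x->byseq) : true; }
/* Changelog scenario: insert links into byseq only when seq != 0 at insert
 * time, traffic later raises seq, then the SA is deleted.
 * Returns 1 if the delete variant survives, 0 if it would have faulted. */
static int run_scenario(bool (*del)(struct sa *), uint32_t seq_at_insert)
{
    struct hlist_head byseq = { NULL };
    struct sa x;
    memset(&x, 0, sizeof(x)); /* assumption: states are zero-allocated */
    x.seq = seq_at_insert;
    if (x.seq)
        hlist_add_head(&x.byseq, &byseq);
    x.seq += 42; /* constructed: later valid packets bump the sequence number */
    return del(&x) ? 1 : 0;
}
```

With seq_at_insert 0 the pre-patch guard returns 0 (it would have written through a NULL pprev), the patched guard returns 1; with a non-zero seq at insert time both variants unlink the node cleanly.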