| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Nov 2022 13:40:21 +0100
From: "Denis V. Lunev" <den@...tuozzo.com>
To: Chen Zhongjin <chenzhongjin@...wei.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, dsahern@...nel.org, daniel@...earbox.net,
yangyingliang@...wei.com, stephen@...workplumber.org,
wangyuweihx@...il.com, alexander.mikhalitsyn@...tuozzo.com,
xu.xin16@....com.cn
Subject: Re: [PATCH net] net, neigh: Fix null-ptr-deref in neigh_table_clear()
On 11/1/22 13:15, Chen Zhongjin wrote:
> When IPv6 module gets initialized but hits an error in the middle,
> kenel panic with:
>
> KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f]
> CPU: 1 PID: 361 Comm: insmod
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
> RIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370
> RSP: 0018:ffff888012677908 EFLAGS: 00000202
> ...
> Call Trace:
> <TASK>
> neigh_table_clear+0x94/0x2d0
> ndisc_cleanup+0x27/0x40 [ipv6]
> inet6_init+0x21c/0x2cb [ipv6]
> do_one_initcall+0xd3/0x4d0
> do_init_module+0x1ae/0x670
> ...
> Kernel panic - not syncing: Fatal exception
>
> When ipv6 initialization fails, it will try to cleanup and calls:
>
> neigh_table_clear()
> neigh_ifdown(tbl, NULL)
> pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev == NULL))
> # dev_net(NULL) triggers null-ptr-deref.
>
> Fix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev
> is NULL, to make kernel not panic immediately.
>
> Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop")
> Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
> ---
> net/core/neighbour.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index 3c4786b99907..a77a85e357e0 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -409,7 +409,7 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
> write_lock_bh(&tbl->lock);
> neigh_flush_dev(tbl, dev, skip_perm);
> pneigh_ifdown_and_unlock(tbl, dev);
> - pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev));
> + pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL);
> if (skb_queue_empty_lockless(&tbl->proxy_queue))
> del_timer_sync(&tbl->proxy_timer);
> return 0;
Reviewed-by: Denis V. Lunev <den@...nvz.org>
Powered by blists - more mailing lists