lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CADW8OBu8R7tp-SfEwNByZqJaV-j2squT1JigniZLPwe0sWpRWg@mail.gmail.com>
Date:   Fri, 6 Jan 2023 16:12:25 -0700
From:   Kyle Zeng <zengyhkyle@...il.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
        edumazet@...gle.com, pabeni@...hat.com, netdev@...r.kernel.org
Subject: Re: net: ipv6: raw: fixes null pointer deference in rawv6_push_pending_frames

Hi Jakub,

The null dereference can happen if every execution in the loop enters
the `if (offset >= len) {`branch  and directly `continue` without
running `csum_skb = skb`.
A crash report is attached to this email.

Best,
Kyle Zeng

=============================================
[    7.203616] BUG: kernel NULL pointer dereference, address: 00000000000000b2
[    7.205204] #PF: supervisor read access in kernel mode
[    7.206448] #PF: error_code(0x0000) - not-present page
[    7.207630] PGD 88d0067 P4D 88d0067 PUD 79af067 PMD 0
[    7.208060] Oops: 0000 [#1] SMP NOPTI
[    7.208343] CPU: 1 PID: 1846 Comm: poc Not tainted 5.10.133 #39
[    7.208816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[    7.209489] RIP: 0010:rawv6_push_pending_frames+0x96/0x1e0
[    7.209934] Code: 00 00 8d 57 ff 39 d0 0f 8d bc 00 00 00 48 89 7c
24 08 41 83 bc 24 d0 01 00 00 01 0f 85 b8 00 00 00 8b a9 88 00 00 00
48 89 cb <44> 0f b7 ab b2 00 00 00 44 03 ab c0 00 00 00 44 2b ab c8 00
00 00
[    7.211433] RSP: 0018:ffffc90003487b10 EFLAGS: 00010246
[    7.211859] RAX: 00000000000000d8 RBX: 0000000000000000 RCX: ffff8880064101c0
[    7.212410] RDX: 00000000000003c0 RSI: ffff8880064101c0 RDI: 00000000090e5840
[    7.212992] RBP: 00000000479c45b8 R08: 0000000000000000 R09: ffff8880064101a4
[    7.213559] R10: ffff8880064103d0 R11: ffff888006524b00 R12: ffff888006410000
[    7.214106] R13: ffffc90003487c10 R14: ffffc90003487c10 R15: 0000000000000000
[    7.214653] FS:  00000000017e03c0(0000) GS:ffff88803ec80000(0000)
knlGS:0000000000000000
[    7.215272] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    7.215769] CR2: 00000000000000b2 CR3: 0000000009068006 CR4: 0000000000770ee0
[    7.216318] PKRU: 55555554
[    7.216532] Call Trace:
[    7.216744]  rawv6_sendmsg+0x72c/0x7d0
[    7.217041]  kernel_sendmsg+0x7a/0x90
[    7.217325]  sock_no_sendpage+0xc1/0xe0
[    7.217644]  kernel_sendpage+0xa3/0xe0
[    7.217945]  sock_sendpage+0x23/0x30
[    7.218224]  pipe_to_sendpage+0x76/0xa0
[    7.218529]  __splice_from_pipe+0xe5/0x200
[    7.218870]  ? generic_splice_sendpage+0xa0/0xa0
[    7.219263]  generic_splice_sendpage+0x72/0xa0
[    7.219650]  do_splice+0x4ad/0x780
[    7.219928]  __se_sys_splice+0x162/0x210
[    7.220231]  do_syscall_64+0x31/0x40
[    7.220518]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[    7.220944] RIP: 0033:0x47656d
[    7.221189] Code: c3 e8 47 28 00 00 0f 1f 80 00 00 00 00 f3 0f 1e
fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89
01 48
[    7.222645] RSP: 002b:00007ffd36d11668 EFLAGS: 00000216 ORIG_RAX:
0000000000000113
[    7.223266] RAX: ffffffffffffffda RBX: 000000002000102f RCX: 000000000047656d
[    7.223860] RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000005
[    7.224414] RBP: 00007ffd36d116a0 R08: 000000000804ffe2 R09: 0000000000000000
[    7.224986] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000001
[    7.225546] R13: 00007ffd36d118d8 R14: 00000000005026c0 R15: 0000000000000002
[    7.226112] Modules linked in:
[    7.226350] CR2: 00000000000000b2
[    7.226613] ---[ end trace 5d56aba11d09b665 ]---
[    7.226993] RIP: 0010:rawv6_push_pending_frames+0x96/0x1e0
[    7.227442] Code: 00 00 8d 57 ff 39 d0 0f 8d bc 00 00 00 48 89 7c
24 08 41 83 bc 24 d0 01 00 00 01 0f 85 b8 00 00 00 8b a9 88 00 00 00
48 89 cb <44> 0f b7 ab b2 00 00 00 44 03 ab c0 00 00 00 44 2b ab c8 00
00 00
[    7.228918] RSP: 0018:ffffc90003487b10 EFLAGS: 00010246
[    7.229322] RAX: 00000000000000d8 RBX: 0000000000000000 RCX: ffff8880064101c0
[    7.229880] RDX: 00000000000003c0 RSI: ffff8880064101c0 RDI: 00000000090e5840
[    7.230516] RBP: 00000000479c45b8 R08: 0000000000000000 R09: ffff8880064101a4
[    7.231112] R10: ffff8880064103d0 R11: ffff888006524b00 R12: ffff888006410000
[    7.231687] R13: ffffc90003487c10 R14: ffffc90003487c10 R15: 0000000000000000
[    7.232250] FS:  00000000017e03c0(0000) GS:ffff88803ec80000(0000)
knlGS:0000000000000000
[    7.232912] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    7.233376] CR2: 00000000000000b2 CR3: 0000000009068006 CR4: 0000000000770ee0
[    7.233958] PKRU: 55555554
[    7.234170] Kernel panic - not syncing: Fatal exception
[    7.234762] Kernel Offset: disabled
[    7.235062] Rebooting in 1000 seconds..

On Fri, Jan 6, 2023 at 3:55 PM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Fri, 6 Jan 2023 14:19:52 -0700 Kyle Zeng wrote:
> > It is posible that the skb_queue_walkloop does not assign csum_skb to a real skb.
>
> Not immediately obvious to me how that could happen given prior checks
> in this function.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ