netdev - Re: [PATCH] net: fix NULL pointer in skb_segment

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date:   Mon, 30 Jan 2023 22:05:25 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Yan Zhai <yan@...udflare.com>, netdev@...r.kernel.org
Cc:     edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
        davem@...emloft.net, asml.silence@...il.com, imagedong@...cent.com,
        keescook@...omium.org, jbenc@...hat.com, richardbgobert@...il.com,
        willemb@...gle.com, steffen.klassert@...unet.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: fix NULL pointer in skb_segment_list

On 1/30/23 9:51 PM, Yan Zhai wrote:
> Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
> introduced UDP listifyed GRO. The segmentation relies on frag_list being
> untouched when passing through the network stack. This assumption can be
> broken sometimes, where frag_list itself gets pulled into linear area,
> leaving frag_list being NULL. When this happens it can trigger
> following NULL pointer dereference, and panic the kernel. Reverse the
> test condition should fix it.
> 
> [19185.577801][    C1] BUG: kernel NULL pointer dereference, address:
> ...
> [19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390
> ...
> [19185.834644][    C1] Call Trace:
> [19185.841730][    C1]  <TASK>
> [19185.848563][    C1]  __udp_gso_segment+0x33e/0x510
> [19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0
> [19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110
> [19185.874939][    C1]  __skb_gso_segment+0xb2/0x160
> [19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0
> [19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90
> [19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200
> [19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60
> [19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0
> [19185.927834][    C1]  process_backlog+0x88/0x130
> [19185.935840][    C1]  __napi_poll+0x27/0x150
> [19185.943447][    C1]  net_rx_action+0x27e/0x5f0
> [19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
> [19185.960848][    C1]  __do_softirq+0xbc/0x25d
> [19185.968607][    C1]  irq_exit_rcu+0x83/0xb0
> [19185.976247][    C1]  common_interrupt+0x43/0xa0
> [19185.984235][    C1]  asm_common_interrupt+0x22/0x40
> ...
> [19186.094106][    C1]  </TASK>
> 
> Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
> Suggested-by: Daniel Borkmann <daniel@...earbox.net>
> Reviewed-by: Willem de Bruijn <willemb@...gle.com>
> Signed-off-by: Yan Zhai <yan@...udflare.com>

Acked-by: Daniel Borkmann <daniel@...earbox.net>

>   net/core/skbuff.c | 5 ++---
>   1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 4a0eb5593275..a31ff4d83ecc 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -4100,7 +4100,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
>   
>   	skb_shinfo(skb)->frag_list = NULL;
>   
> -	do {
> +	while (list_skb) {
>   		nskb = list_skb;
>   		list_skb = list_skb->next;
>   
> @@ -4146,8 +4146,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
>   		if (skb_needs_linearize(nskb, features) &&
>   		    __skb_linearize(nskb))
>   			goto err_linearize;
> -
> -	} while (list_skb);
> +	}
>   
>   	skb->truesize = skb->truesize - delta_truesize;
>   	skb->data_len = skb->data_len - delta_len;
>