| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a7cef78d-81fb-7de6-1f6e-a948cca1b46b@blackwall.org>
Date: Fri, 17 Feb 2023 15:53:43 +0200
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Alexander Sapozhnikov <alsp705@...il.com>,
Roopa Prabhu <roopa@...dia.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
bridge@...ts.linux-foundation.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] net-bridge: fix unsafe dereference of potential null ptr
in __vlan_del()
On 17/02/2023 15:16, Alexander Sapozhnikov wrote:
> After having been compared to NULL value at br_vlan.c:399,
> pointer 'p' is passed as 1st parameter in call to function
> 'nbp_vlan_set_vlan_dev_state' at br_vlan.c:420,
> where it is dereferenced at br_vlan.c:1722.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Alexander Sapozhnikov <alsp705@...il.com>
> ---
> net/bridge/br_vlan.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
> index bc75fa1e4666..87091e270adf 100644
> --- a/net/bridge/br_vlan.c
> +++ b/net/bridge/br_vlan.c
> @@ -417,7 +417,8 @@ static int __vlan_del(struct net_bridge_vlan *v)
> rhashtable_remove_fast(&vg->vlan_hash, &v->vnode,
> br_vlan_rht_params);
> __vlan_del_list(v);
> - nbp_vlan_set_vlan_dev_state(p, v->vid);
> + if (p)
> + nbp_vlan_set_vlan_dev_state(p, v->vid);
> br_multicast_toggle_one_vlan(v, false);
> br_multicast_port_ctx_deinit(&v->port_mcast_ctx);
> call_rcu(&v->rcu, nbp_vlan_rcu_free);
This cannot happen, read the code more carefully.
If you have a trace or have hit a bug, please provide the log.
Thanks,
Nacked-by: Nikolay Aleksandrov <razor@...ckwall.org>
Powered by blists - more mailing lists