| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 07 May 2024 23:50:30 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Eric Dumazet <edumazet@...gle.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org, eric.dumazet@...il.com, syzkaller@...glegroups.com,
kernelxing@...cent.com, matttbe@...nel.org
Subject: Re: [PATCH net-next] mptcp: fix possible NULL dereferences
Hello:
This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@...nel.org>:
On Mon, 6 May 2024 12:30:32 +0000 you wrote:
> subflow_add_reset_reason(skb, ...) can fail.
>
> We can not assume mptcp_get_ext(skb) always return a non NULL pointer.
>
> syzbot reported:
>
> general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
> CPU: 0 PID: 5098 Comm: syz-executor132 Not tainted 6.9.0-rc6-syzkaller-01478-gcdc74c9d06e7 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> RIP: 0010:subflow_v6_route_req+0x2c7/0x490 net/mptcp/subflow.c:388
> Code: 8d 7b 07 48 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 c0 01 00 00 0f b6 43 07 48 8d 1c c3 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 84 01 00 00 0f b6 5b 01 83 e3 0f 48 89
> RSP: 0018:ffffc9000362eb68 EFLAGS: 00010206
> RAX: 0000000000000003 RBX: 0000000000000018 RCX: ffff888022039e00
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffff88807d961140 R08: ffffffff8b6cb76b R09: 1ffff1100fb2c230
> R10: dffffc0000000000 R11: ffffed100fb2c231 R12: dffffc0000000000
> R13: ffff888022bfe273 R14: ffff88802cf9cc80 R15: ffff88802ad5a700
> FS: 0000555587ad2380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f420c3f9720 CR3: 0000000022bfc000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> tcp_conn_request+0xf07/0x32c0 net/ipv4/tcp_input.c:7180
> tcp_rcv_state_process+0x183c/0x4500 net/ipv4/tcp_input.c:6663
> tcp_v6_do_rcv+0x8b2/0x1310 net/ipv6/tcp_ipv6.c:1673
> tcp_v6_rcv+0x22b4/0x30b0 net/ipv6/tcp_ipv6.c:1910
> ip6_protocol_deliver_rcu+0xc76/0x1570 net/ipv6/ip6_input.c:438
> ip6_input_finish+0x186/0x2d0 net/ipv6/ip6_input.c:483
> NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
> NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
> __netif_receive_skb_one_core net/core/dev.c:5625 [inline]
> __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5739
> netif_receive_skb_internal net/core/dev.c:5825 [inline]
> netif_receive_skb+0x1e8/0x890 net/core/dev.c:5885
> tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1549
> tun_get_user+0x2f35/0x4560 drivers/net/tun.c:2002
> tun_chr_write_iter+0x113/0x1f0 drivers/net/tun.c:2048
> call_write_iter include/linux/fs.h:2110 [inline]
> new_sync_write fs/read_write.c:497 [inline]
> vfs_write+0xa84/0xcb0 fs/read_write.c:590
> ksys_write+0x1a0/0x2c0 fs/read_write.c:643
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> [...]
Here is the summary with links:
- [net-next] mptcp: fix possible NULL dereferences
https://git.kernel.org/netdev/net-next/c/445c0b69c729
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Powered by blists - more mailing lists