| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <abbe18b1-b372-4044-8490-82e6c0b4ec36@linux.dev>
Date: Thu, 26 Sep 2024 10:06:21 +0100
From: Vadim Fedorenko <vadim.fedorenko@...ux.dev>
To: Lena Wang <lena.wang@...iatek.com>, edumazet@...gle.com,
davem@...emloft.net, dsahern@...nel.org, pabeni@...hat.com, kuba@...nel.org
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH net] tcp: check if skb is true to avoid crash
On 26/09/2024 08:56, Lena Wang wrote:
> A kernel NULL pointer dereference reported.
> Backtrace:
> vmlinux tcp_can_coalesce_send_queue_head(sk=0xFFFFFF80316D9400, len=755)
> + 28 </alps/OfficialRelease/Of/alps/kernel-6.6/net/ipv4/tcp_output.c:2315>
> vmlinux tcp_mtu_probe(sk=0xFFFFFF80316D9400) + 3196
> </alps/OfficialRelease/Of/alps/kernel-6.6/net/ipv4/tcp_output.c:2452>
> vmlinux tcp_write_xmit(sk=0xFFFFFF80316D9400, mss_now=128,
> nonagle=-2145862684, push_one=0, gfp=2080) + 3296
> </alps/OfficialRelease/Of/alps/kernel-6.6/net/ipv4/tcp_output.c:2689>
> vmlinux tcp_tsq_write() + 172
> </alps/OfficialRelease/Of/alps/kernel-6.6/net/ipv4/tcp_output.c:1033>
> vmlinux tcp_tsq_handler() + 104
> </alps/OfficialRelease/Of/alps/kernel-6.6/net/ipv4/tcp_output.c:1042>
> vmlinux tcp_tasklet_func() + 208
>
> When there is no pending skb in sk->sk_write_queue, tcp_send_head
> returns NULL. Directly dereference of skb->len will result crash.
> So it is necessary to evaluate the skb to be true here.
>
> Fixes: 808cf9e38cd7 ("tcp: Honor the eor bit in tcp_mtu_probe")
> Signed-off-by: Lena Wang <lena.wang@...iatek.com>
> ---
> net/ipv4/tcp_output.c | 20 +++++++++++---------
> 1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> index 4fd746bd4d54..12cde5d879c5 100644
> --- a/net/ipv4/tcp_output.c
> +++ b/net/ipv4/tcp_output.c
> @@ -2338,17 +2338,19 @@ static bool tcp_can_coalesce_send_queue_head(struct sock *sk, int len)
> struct sk_buff *skb, *next;
>
> skb = tcp_send_head(sk);
> - tcp_for_write_queue_from_safe(skb, next, sk) {
> - if (len <= skb->len)
> - break;
> + if (skb) {
Thinking more of this, I don't really understand how is it possible to
reach tcp_can_coalesce_send_queue_head() with empty send queue, but
anyway, this patch will move NULL dereference further to tcp_mtu_probe()
where new skb is build with the same tcp_send_head() call.
I believe the proper way is to return false here in case of missing skb:
if (!skb)
return false;
This will prevent tcp_mtu_probe() to continue execution and avoid
possible NULL dereference.
> + tcp_for_write_queue_from_safe(skb, next, sk) {
> + if (len <= skb->len)
> + break;
>
> - if (unlikely(TCP_SKB_CB(skb)->eor) ||
> - tcp_has_tx_tstamp(skb) ||
> - !skb_pure_zcopy_same(skb, next) ||
> - skb_frags_readable(skb) != skb_frags_readable(next))
> - return false;
> + if (unlikely(TCP_SKB_CB(skb)->eor) ||
> + tcp_has_tx_tstamp(skb) ||
> + !skb_pure_zcopy_same(skb, next) ||
> + skb_frags_readable(skb) != skb_frags_readable(next))
> + return false;
>
> - len -= skb->len;
> + len -= skb->len;
> + }
> }
>
> return true;
Powered by blists - more mailing lists