lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20250305120615.GA99596@j66a10360.sqa.eu95>
Date: Wed, 5 Mar 2025 20:06:15 +0800
From: "D. Wythe" <alibuda@...ux.alibaba.com    >
To: ffhgfv <744439878@...com>
Cc: wenjia <wenjia@...ux.ibm.com>, jaka <jaka@...ux.ibm.com>,
	alibuda <alibuda@...ux.alibaba.com>,
	tonylu <tonylu@...ux.alibaba.com>, guwen <guwen@...ux.alibaba.com>,
	davem <davem@...emloft.net>, edumazet <edumazet@...gle.com>,
	kuba <kuba@...nel.org>, pabeni <pabeni@...hat.com>,
	horms <horms@...nel.org>, linux-rdma <linux-rdma@...r.kernel.org>,
	linux-s390 <linux-s390@...r.kernel.org>,
	netdev <netdev@...r.kernel.org>,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: kernel bug found and suggestions for fixing it

On Tue, Mar 04, 2025 at 02:31:37AM -0500, ffhgfv wrote:
> Hello, I found a bug titled "KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock" with modified syzkaller in the lasted upstream related to bcachefs file system.
> If you fix this issue, please add the following tag to the commit:  Reported-by: Jianzhou Zhao <xnxc22xnxc22@...com>,    xingwei lee <xrivendell7@...il.com>, Zhizhuo Tang <strforexctzzchange@...mail.com>
> 
> ------------[ cut here ]------------
> TITLE: KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock
> ==================================================================
> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
> BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0xa7/0x4c0 net/smc/af_smc.c:131
> Read of size 4 at addr 0000000000000a04 by task syz.7.21/12319
> 
> CPU: 1 UID: 0 PID: 12319 Comm: syz.7.21 Not tainted 6.14.0-rc5-dirty #2
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -128,6 +128,8 @@
>  	struct sock *child;
>  
>  	smc = smc_clcsock_user_data(sk);
> +	if (!smc)
> +		goto drop;  // Ensure that the smc pointer is valid before accessing its members

Hi ffhgfv,

Thanks for your report and solution.

The bigger issue here is that smc_clcsock_user_data currently requires
lock protection, which means we need to acquire the sk_callback_lock here.
But the sk in this context is const, which violates the expected interface.

In fact, we have been planning to replace sk_callback_lock with RCU, which should
provide a better solution to this issue. However, there is still a
significant backlog of tasks related to SMC, and we haven't had the
bandwidth to address this yet. 

Anyway, we sincerely appreciate your report, and we will fix
this issue in the future.

Best wishes,
D. Wythe

>  
>  	if (READ_ONCE(sk-&gt;sk_ack_backlog) + atomic_read(&amp;smc-&gt;queued_smc_hs) &gt;
>  	    sk-&gt;sk_max_ack_backlog)
> 
> =========================================================================
> I hope it helps.
> Best regards
> Jianzhou Zhao
> xingwei lee
> Zhizhuo Tang</strforexctzzchange@...mail.com></xrivendell7@...il.com></xnxc22xnxc22@...com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ