| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250305120615.GA99596@j66a10360.sqa.eu95> Date: Wed, 5 Mar 2025 20:06:15 +0800 From: "D. Wythe" <alibuda@...ux.alibaba.com > To: ffhgfv <744439878@...com> Cc: wenjia <wenjia@...ux.ibm.com>, jaka <jaka@...ux.ibm.com>, alibuda <alibuda@...ux.alibaba.com>, tonylu <tonylu@...ux.alibaba.com>, guwen <guwen@...ux.alibaba.com>, davem <davem@...emloft.net>, edumazet <edumazet@...gle.com>, kuba <kuba@...nel.org>, pabeni <pabeni@...hat.com>, horms <horms@...nel.org>, linux-rdma <linux-rdma@...r.kernel.org>, linux-s390 <linux-s390@...r.kernel.org>, netdev <netdev@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org> Subject: Re: kernel bug found and suggestions for fixing it On Tue, Mar 04, 2025 at 02:31:37AM -0500, ffhgfv wrote: > Hello, I found a bug titled "KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock" with modified syzkaller in the lasted upstream related to bcachefs file system. > If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22@...com>, xingwei lee <xrivendell7@...il.com>, Zhizhuo Tang <strforexctzzchange@...mail.com> > > ------------[ cut here ]------------ > TITLE: KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock > ================================================================== > BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] > BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] > BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0xa7/0x4c0 net/smc/af_smc.c:131 > Read of size 4 at addr 0000000000000a04 by task syz.7.21/12319 > > CPU: 1 UID: 0 PID: 12319 Comm: syz.7.21 Not tainted 6.14.0-rc5-dirty #2 > diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c > --- a/net/smc/af_smc.c > +++ b/net/smc/af_smc.c > @@ -128,6 +128,8 @@ > struct sock *child; > > smc = smc_clcsock_user_data(sk); > + if (!smc) > + goto drop; // Ensure that the smc pointer is valid before accessing its members Hi ffhgfv, Thanks for your report and solution. The bigger issue here is that smc_clcsock_user_data currently requires lock protection, which means we need to acquire the sk_callback_lock here. But the sk in this context is const, which violates the expected interface. In fact, we have been planning to replace sk_callback_lock with RCU, which should provide a better solution to this issue. However, there is still a significant backlog of tasks related to SMC, and we haven't had the bandwidth to address this yet. Anyway, we sincerely appreciate your report, and we will fix this issue in the future. Best wishes, D. Wythe > > if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > > sk->sk_max_ack_backlog) > > ========================================================================= > I hope it helps. > Best regards > Jianzhou Zhao > xingwei lee > Zhizhuo Tang</strforexctzzchange@...mail.com></xrivendell7@...il.com></xnxc22xnxc22@...com>
Powered by blists - more mailing lists