| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0f6e9770-1c79-418e-9135-df692f495a91@redhat.com>
Date: Thu, 17 Jul 2025 13:10:26 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Pranav Tyagi <pranav.tyagi03@...il.com>, john.fastabend@...il.com,
jakub@...udflare.com, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, ast@...nel.org, cong.wang@...edance.com,
netdev@...r.kernel.org, bpf@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: skhan@...uxfoundation.org, linux-kernel-mentees@...ts.linux.dev,
syzbot+b18872ea9631b5dcef3b@...kaller.appspotmail.com
Subject: Re: [PATCH] net: skmsg: fix NULL pointer dereference in
sk_msg_recvmsg()
On 7/15/25 10:11 AM, Pranav Tyagi wrote:
> A NULL page from sg_page() in sk_msg_recvmsg() can reach
> __kmap_local_page_prot() and crash the kernel. Add a check for the page
> before calling copy_page_to_iter() and fail early with -EFAULT to
> prevent the crash.
Interesting. I thought the sge in this case are build from the kernel, I
did not expect a null page to be possible. Can you describe in the
commit message how such bad sges are created?
>
> Reported-by: syzbot+b18872ea9631b5dcef3b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b18872ea9631b5dcef3b
> Fixes: 2bc793e3272a ("skmsg: Extract __tcp_bpf_recvmsg() and tcp_bpf_wait_data()")
> Signed-off-by: Pranav Tyagi <pranav.tyagi03@...il.com>
Does not apply to net. Please rebase and resend, adding the target tree
in the subj prefix and specifying a revision number.
Thanks,
Paolo
Powered by blists - more mailing lists