Message-ID: <20250723144828.664-1-huyizhen2024@163.com>
Date: Wed, 23 Jul 2025 22:48:27 +0800
From: huyizhen2024@....com
To: jhs@...atatu.com,
	xiyou.wangcong@...il.com,
	jiri@...nulli.us
Cc: davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	andy@...yhouse.net,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [Discuss] KASAN: null-ptr-dereference in qdisc_tree_reduce_backlog

Hello.

KASAN found a null-ptr dereference in qdisc_tree_reduce_backlog.
If cops->find cannot find a qdisc, it returns NULL.
And if cops->qlen_notify doesn't validate its arg, it will dereference the NULL ptr, resulting in a kernel crash.
Should we add a check for the argument in cops->qlen_notify?

Looking forward to your reply, thank you!

net/sched/sch_hfsc.c:1237 hfsc_qlen_notify null-ptr-deref

other info that might help debug this:

crash> bt
PID: 2297     TASK: ffff8881666aa540  CPU: 0    COMMAND: "syz-executor.1"
#0 [ffffc9001597f3b0] machine_kexec at ffffffff81206168
#1 [ffffc9001597f420] __crash_kexec at ffffffff81492da1
#2 [ffffc9001597f4e8] panic at ffffffff8131dde6
#3 [ffffc9001597f570] oops_end at ffffffff8119e82b
#4 [ffffc9001597f598] page_fault_oops at ffffffff8122786c
#5 [ffffc9001597f630] kernelmode_fixup_or_oops at ffffffff81228125
#6 [ffffc9001597f658] __bad_area_nosemaphore at ffffffff8122841f
#7 [ffffc9001597f6a0] exc_page_fault at ffffffff8683eb70
#8 [ffffc9001597f730] asm_exc_page_fault at ffffffff86a00c12
    [exception RIP: hfsc_qlen_notify+17]
    RIP: ffffffff85e29141  RSP: ffffc9001597f7e0  RFLAGS: 00010216
    RAX: 0000000000001d66  RBX: 0000000000000000  RCX: 0000000000040000
    RDX: ffffc90006512000  RSI: ffff8881666aa540  RDI: 0000000000000002
    RBP: 00000000000affe0   R8: 0000000000000001   R9: 0000000000000000
    R10: 0000000000000000  R11: 0000000000000000  R12: ffffffff87691f60
    R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
#9 [ffffc9001597f7f8] qdisc_tree_reduce_backlog at ffffffff85dece27
#10 [ffffc9001597f830] codel_change at ffffffff85e4fe44
#11 [ffffc9001597f8a0] codel_init at ffffffff85e50223
#12 [ffffc9001597f8c0] qdisc_create at ffffffff85deb1d8
#13 [ffffc9001597f930] tc_modify_qdisc at ffffffff85deb9c9
#14 [ffffc9001597fa38] rtnetlink_rcv_msg at ffffffff85d43739
#15 [ffffc9001597fac8] netlink_rcv_skb at ffffffff85e913f5
#16 [ffffc9001597fbb8] netlink_unicast at ffffffff85e907f1
#17 [ffffc9001597fc00] netlink_sendmsg at ffffffff85e91973
#18 [ffffc9001597fc80] __sock_sendmsg at ffffffff85cc765e
#19 [ffffc9001597fca0] ____sys_sendmsg at ffffffff85cc7de2
#20 [ffffc9001597fd18] ___sys_sendmsg at ffffffff85ccbc0c
#21 [ffffc9001597fe70] __sys_sendmsg at ffffffff85ccbd47
#22 [ffffc9001597ff28] do_syscall_64 at ffffffff8683612c
#23 [ffffc9001597ff50] entry_SYSCALL_64_after_hwframe at ffffffff86a00130
    RIP: 00007fc942692bdd  RSP: 00007fc9433bebf8  RFLAGS: 00000246
    RAX: ffffffffffffffda  RBX: 00007fc9427dbf80  RCX: 00007fc942692bdd
    RDX: 0000000000004000  RSI: 0000000020000280  RDI: 0000000000000003
    RBP: 00007fc9426f0499   R8: 0000000000000000   R9: 0000000000000000
    R10: 0000000000000000  R11: 0000000000000246  R12: 0000000000000000
    R13: 00007ffcb898b86f  R14: 00007ffcb898ba10  R15: 00007fc9433bed80
ORIG_RAX: 000000000000002e  CS: 0033  SS: 002b

crash> dis -l hfsc_qlen_notify 10
/data/nq/kernel/net/sched/sch_hfsc.c: 1231
0xffffffff85e29130 <hfsc_qlen_notify>:  nopl   0x0(%rax,%rax,1) [FTRACE NOP]
/data/nq/kernel/net/sched/sch_hfsc.c: 1232
0xffffffff85e29135 <hfsc_qlen_notify+5>:        push   %r12
0xffffffff85e29137 <hfsc_qlen_notify+7>:        push   %rbp
0xffffffff85e29138 <hfsc_qlen_notify+8>:        push   %rbx
/data/nq/kernel/net/sched/sch_hfsc.c: 1231
0xffffffff85e29139 <hfsc_qlen_notify+9>:        mov    %rsi,%rbx
/data/nq/kernel/net/sched/sch_hfsc.c: 1232
0xffffffff85e2913c <hfsc_qlen_notify+12>:       call   0xffffffff814f06a0 <__sanitizer_cov_trace_pc>
/data/nq/kernel/net/sched/sch_hfsc.c: 1237
0xffffffff85e29141 <hfsc_qlen_notify+17>:       mov    0x2ec(%rbx),%ebp
0xffffffff85e29147 <hfsc_qlen_notify+23>:       xor    %edi,%edi
0xffffffff85e29149 <hfsc_qlen_notify+25>:       mov    %ebp,%esi
0xffffffff85e2914b <hfsc_qlen_notify+27>:       call   0xffffffff814f08b0 <__sanitizer_cov_trace_const_cmp4>
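The pattern the report describes, as an added user-space model (not kernel code; names mirror the kernel's qdisc/class ops but every type here is a simplified stand-in, and the class ids and the scenario are constructed): the caller checks the class returned by cops->find before handing it to cops->qlen_notify, so a lookup miss is counted instead of dereferenced.

```c
/* User-space model of the parent walk in qdisc_tree_reduce_backlog(); added example, not kernel code. */
#include <stddef.h>

struct cls { unsigned int classid, qlen; };
struct qdisc {
    unsigned int parent, qlen;      /* parent: classid grafted under, 0 = root */
    struct cls *classes; size_t nclasses;
    struct qdisc *parent_qdisc;     /* stands in for qdisc_lookup_rcu() */
};

/* Model of cops->find: NULL when no class carries this id. */
static struct cls *find_class(struct qdisc *sch, unsigned int classid)
{
    for (size_t i = 0; i < sch->nclasses; i++)
        if (sch->classes[i].classid == classid)
            return &sch->classes[i];
    return NULL;
}

/* Model of a qlen_notify callback that trusts its argument, as the backtrace
 * shows hfsc_qlen_notify doing at sch_hfsc.c:1237. */
static void qlen_notify(struct cls *cl) { cl->qlen = 0; /* faults if cl == NULL */ }

/* Returns how many notifications were skipped because cops->find found no class. */
static int reduce_backlog_checked(struct qdisc *sch, unsigned int n)
{
    int skipped = 0;
    while (sch->parent && sch->parent_qdisc) {
        unsigned int parentid = sch->parent;
        int notify = (sch->qlen == 0);  /* notify parent only once child is empty */
        sch = sch->parent_qdisc;
        if (notify) {
            struct cls *cl = find_class(sch, parentid);
            if (cl) qlen_notify(cl);    /* the check the unpatched path lacked */
            else skipped++;
        }
        sch->qlen -= n;
    }
    return skipped;
}

/* Constructed scenario: the root owns class 1:1 (0x10001) only; an empty child
 * is grafted under whatever parent classid the caller passes. */
static int run_scenario(unsigned int child_parent)
{
    struct cls root_classes[1] = { { 0x10001, 5 } };
    struct qdisc root = { 0, 5, root_classes, 1, NULL };
    struct qdisc child = { child_parent, 0, NULL, 0, &root };
    return reduce_backlog_checked(&child, 5);
}
```

Passing a parent classid the root does not own (the situation in the backtrace) yields one skipped notification instead of a fault; a valid classid is notified as before.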
