Message-ID: <CAJwJo6bsZg-arM6GAQM8Lv3DivWUERu0VyFQgi4DA+SxRrZypw@mail.gmail.com>
Date: Fri, 12 Sep 2025 00:26:59 +0100
From: Dmitry Safonov <0x7f454c46@...il.com>
To: Anderson Nascimento <anderson@...elesecurity.com>
Cc: Eric Dumazet <edumazet@...gle.com>, Neal Cardwell <ncardwell@...gle.com>,
Kuniyuki Iwashima <kuniyu@...gle.com>, "David S. Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>, Salam Noureddine <noureddine@...sta.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH v3] net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR
On Fri, 12 Sept 2025 at 00:23, Anderson Nascimento <anderson@...elesecurity.com> wrote:
>
> A NULL pointer dereference can occur in tcp_ao_finish_connect() during a
> connect() system call on a socket with a TCP-AO key added and TCP_REPAIR
> enabled.
>
> The function is called with skb being NULL and attempts to dereference it
> on tcp_hdr(skb)->seq without a prior skb validation.
>
> Fix this by checking if skb is NULL before dereferencing it.
>
> The commentary is taken from bpf_skops_established(), which is also called
> in the same flow. Unlike the function being patched,
> bpf_skops_established() validates the skb before dereferencing it.
>
> #include <string.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <endian.h>
> #include <linux/tcp.h>
>
> int main(void)
> {
>         struct sockaddr_in sockaddr;
>         struct tcp_ao_add tcp_ao;
>         int sk;
>         int one = 1;
>
>         memset(&sockaddr, '\0', sizeof(sockaddr));
>         memset(&tcp_ao, '\0', sizeof(tcp_ao));
>
>         sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
>
>         sockaddr.sin_family = AF_INET;
>
>         /* Add a TCP-AO key bound to the (still all-zero) peer address. */
>         memcpy(tcp_ao.alg_name, "cmac(aes128)", 12);
>         memcpy(tcp_ao.key, "ABCDEFGHABCDEFGH", 16);
>         tcp_ao.keylen = 16;
>
>         memcpy(&tcp_ao.addr, &sockaddr, sizeof(sockaddr));
>
>         setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao, sizeof(tcp_ao));
>         /* Repair mode: connect() completes without receiving a SYN-ACK skb. */
>         setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one));
>
>         sockaddr.sin_family = AF_INET;
>         sockaddr.sin_port = htobe16(123);
>
>         inet_aton("127.0.0.1", &sockaddr.sin_addr);
>
>         connect(sk, (struct sockaddr *)&sockaddr, sizeof(sockaddr));
>
>         return 0;
> }
>
> $ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall
> $ unshare -Urn
> # ip addr add 127.0.0.1 dev lo
> # ./tcp-ao-nullptr
>
> BUG: kernel NULL pointer dereference, address: 00000000000000b6
> PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0
> Oops: Oops: 0000 [#1] SMP NOPTI
> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
> Reference Platform, BIOS 6.00 11/12/2020
> RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)
>
> Fixes: 7c2ffaf ("net/tcp: Calculate TCP-AO traffic keys")
> Signed-off-by: Anderson Nascimento <anderson@...elesecurity.com>
LGTM, thanks for your fix!
Reviewed-by: Dmitry Safonov <0x7f454c46@...il.com>
Thanks,
Dmitry
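As an added illustration (not code from the patch or from the kernel), a small user-space model of the two shapes of tcp_ao_finish_connect() that the description contrasts: the unguarded read of the peer ISN from the skb, and the guarded read needed because a connect() on a TCP_REPAIR socket finishes with no SYN-ACK skb. All type and function names below are constructed stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space model of the code path the patch describes; the
 * types and functions below are illustrative, not the kernel's own. */
struct ao_skb  { uint32_t seq; };                 /* stands in for tcp_hdr(skb)->seq */
struct ao_info { uint32_t risn; };                /* remote ISN recorded for AO */
struct ao_sock { struct ao_info *ao_info; bool repair; };

/* Pre-fix shape: reads the peer ISN from skb unconditionally. Instead of
 * faulting, the model reports the NULL dereference as -1 so it is testable. */
int ao_finish_connect_unchecked(struct ao_sock *sk, const struct ao_skb *skb)
{
	struct ao_info *ao = sk->ao_info;
	if (!ao)
		return 0;            /* no TCP-AO key on this socket: nothing to do */
	if (!skb)
		return -1;           /* this is the tcp_hdr(NULL)->seq read */
	ao->risn = skb->seq;
	return 0;
}

/* Fixed shape: a connect() on a TCP_REPAIR socket finishes without a
 * SYN-ACK skb, so the ISN read is guarded and the rest still runs. */
int ao_finish_connect_checked(struct ao_sock *sk, const struct ao_skb *skb)
{
	struct ao_info *ao = sk->ao_info;
	if (!ao)
		return 0;
	if (skb)
		ao->risn = skb->seq;
	return 0;
}

/* Drives one variant through a connect(): a normal connect hands over the
 * SYN-ACK skb, a repair-mode connect passes NULL (the reproducer's case).
 * Returns -1 if the variant would have dereferenced NULL, else the risn set. */
long ao_scenario(bool repair, bool checked, uint32_t peer_isn)
{
	struct ao_skb synack = { .seq = peer_isn };
	struct ao_info info = { 0 };
	struct ao_sock sk = { .ao_info = &info, .repair = repair };
	int (*finish)(struct ao_sock *, const struct ao_skb *) =
		checked ? ao_finish_connect_checked : ao_finish_connect_unchecked;
	if (finish(&sk, repair ? NULL : &synack) < 0)
		return -1;
	return (long)info.risn;
}
```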