Message-ID: <7aad7c92-8160-495f-b2bf-a4984a4516fe@iogearbox.net>
Date: Tue, 13 Jan 2026 11:35:38 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org, jordan@...fe.io,
 maciej.fijalkowski@...el.com, willemb@...gle.com, yangzhenze@...edance.com,
 razor@...ckwall.org, dw@...idwei.uk, pabeni@...hat.com, sdf@...ichev.me,
 wangdongdong.6@...edance.com, john.fastabend@...il.com,
 martin.lau@...nel.org, magnus.karlsson@...el.com, toke@...hat.com,
 davem@...emloft.net
Subject: Re: [net-next,v5,03/16] net: Add lease info to queue-get response

On 1/13/26 4:53 AM, Jakub Kicinski wrote:
[...]
>> @@ -410,6 +413,37 @@ netdev_nl_queue_fill_one(struct sk_buff *rsp, struct net_device *netdev,
>>   		if (nla_put_napi_id(rsp, rxq->napi))
>>   			goto nla_put_failure;
>>
>> +		if (netif_rx_queue_lease_get_owner(&netdev, &lease_q_idx)) {
>> +			struct net *net, *peer_net;
>> +
>> +			nest_lease = nla_nest_start(rsp, NETDEV_A_QUEUE_LEASE);
>> +			if (!nest_lease)
>> +				goto nla_put_failure;
>> +			nest_queue = nla_nest_start(rsp, NETDEV_A_LEASE_QUEUE);
>> +			if (!nest_lease)
>                              ^^^^^^^^^^
> 
> Should this check nest_queue instead of nest_lease? The assignment is to
> nest_queue but the check is on nest_lease. If nla_nest_start() fails for
> NETDEV_A_LEASE_QUEUE and returns NULL, the check passes because nest_lease
> is non-NULL from the previous successful call. This would lead to
> nla_nest_end(rsp, nest_queue) being called with a NULL pointer, causing a
> NULL pointer dereference when accessing start->nla_len.

Oh well, thanks AI, great catch! Will fix this up along with the other findings.

>> +				goto nla_put_failure;
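Review bot: the NULL check after the second nla_nest_start() tests nest_lease instead of the freshly assigned nest_queue (the `nest_queue = nla_nest_start(rsp, NETDEV_A_LEASE_QUEUE);` / `if (!nest_lease)` pair). Because nest_lease is already non-NULL from the successful NETDEV_A_QUEUE_LEASE call, a failed nla_nest_start() for NETDEV_A_LEASE_QUEUE is never caught, and a later nla_nest_end(rsp, nest_queue) would be handed a NULL pointer. The check should be `if (!nest_queue)`.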
> 
> [ ... ]

Thanks,
Daniel
