Re: [PATCH] net: llc: check for device before dereferencing

2014-09-29 Thread David Miller
From: Sasha Levin 
Date: Fri, 26 Sep 2014 21:41:43 -0400

> llc_ui_sendmsg would not make sure that a device indeed exists before
> dereferencing it. This caused a user triggerable NULL ptr deref:
...
> Signed-off-by: Sasha Levin 

The bug is real, but I don't think the fix is in the correct spot.

The real problem seems to be that the guard for calling
llc_ui_autobind() is inaccurate.

Fix that and there will always be a proper llc->dev attached at
this location.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH] net: llc: check for device before dereferencing

2014-09-26 Thread Sasha Levin
llc_ui_sendmsg would not make sure that a device indeed exists before
dereferencing it. This caused a user triggerable NULL ptr deref:

[  430.542391] BUG: unable to handle kernel NULL pointer dereference at 021e
[  430.551939] IP: llc_ui_sendmsg (net/llc/af_llc.c:912)
[  430.551939] PGD 5edcd067 PUD 5edce067 PMD 0
[  430.551939] Oops:  [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[  430.551939] Dumping ftrace buffer:
[  430.551939]    (ftrace buffer empty)
[  430.551939] Modules linked in:
[  430.551939] CPU: 2 PID: 9395 Comm: trinity-c261 Not tainted 3.17.0-rc6-next-20140926-sasha-00050-g625a54d-dirty #1239
[  430.551939] task: 88005edc ti: 88005edc8000 task.ti: 88005edc8000
[  430.551939] RIP: llc_ui_sendmsg (net/llc/af_llc.c:912)
[  430.551939] Call Trace:
[  430.551939] sock_sendmsg (net/socket.c:663)
[  430.551939] ? might_fault (mm/memory.c:3733)
[  430.551939] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3732)
[  430.551939] ? __fdget (fs/file.c:698)
[  430.551939] SYSC_sendto (net/socket.c:1818)
[  430.551939] ? do_audit_syscall_entry (include/linux/audit.h:153 arch/x86/kernel/ptrace.c:1448)
[  430.551939] ? syscall_trace_enter_phase2 (arch/x86/kernel/ptrace.c:1598 (discriminator 2))
[  430.551939] SyS_sendto (net/socket.c:1783)
[  430.551939] tracesys_phase2 (arch/x86/kernel/entry_64.S:529)
[  430.551939] RIP llc_ui_sendmsg (net/llc/af_llc.c:912)
[  430.551939]  RSP 
[  430.551939] CR2: 021e

Signed-off-by: Sasha Levin 
---
 net/llc/af_llc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index c776ffb..c16e01a 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -909,6 +909,9 @@ static int llc_ui_sendmsg(struct kiocb *iocb, struct socket 
*sock,
if (rc)
goto release;
}
+   rc = -ENODEV;
+   if (!llc->dev)
+   goto release;
hdrlen = llc->dev->hard_header_len + llc_ui_header_len(sk, addr);
size = hdrlen + len;
if (size > llc->dev->mtu)
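Review bot: the added `if (!llc->dev)` check papers over the cause rather than fixing it: it sits directly after the `if (rc) goto release; }` tail of the llc_ui_autobind() block, so a NULL llc->dev at this point means the socket was allowed to skip autobind while still unbound, and the condition guarding that call is the defect to correct; once it is, llc->dev is always set here and this -ENODEV branch is dead code. Separately, `rc = -ENODEV;` is assigned unconditionally, so any later `goto release` that relied on rc keeping its earlier value (the `if (size > llc->dev->mtu)` check that follows is one candidate) now reports -ENODEV instead; if the check is kept at all, set rc only inside the `if (!llc->dev)` branch.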
-- 
1.7.10.4
