LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
@ 2019-05-24  3:19 Gen Zhang
  2019-05-25 18:00 ` David Miller
  2019-07-01  8:57 ` Jiri Slaby
  0 siblings, 2 replies; 4+ messages in thread
From: Gen Zhang @ 2019-05-24  3:19 UTC (permalink / raw)
  To: davem, kuznet, yoshfuji; +Cc: netdev, linux-kernel

In function ip6_ra_control(), the pointer new_ra is allocated a memory 
space via kmalloc(). And it is used in the following codes. However, 
when there is a memory allocation error, kmalloc() fails. Thus null 
pointer dereference may happen. And it will cause the kernel to crash. 
Therefore, we should check the return value and handle the error.

Signed-off-by: Gen Zhang <blackgod016574@gmail.com>

---
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 40f21fe..0a3d035 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel)
 		return -ENOPROTOOPT;
 
 	new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+	if (sel >= 0 && !new_ra)
+		return -ENOMEM;
 
 	write_lock_bh(&ip6_ra_lock);
 	for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
  2019-05-24  3:19 [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control() Gen Zhang
@ 2019-05-25 18:00 ` David Miller
  2019-07-01  8:57 ` Jiri Slaby
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2019-05-25 18:00 UTC (permalink / raw)
  To: blackgod016574; +Cc: kuznet, yoshfuji, netdev, linux-kernel

From: Gen Zhang <blackgod016574@gmail.com>
Date: Fri, 24 May 2019 11:19:46 +0800

> In function ip6_ra_control(), the pointer new_ra is allocated a memory 
> space via kmalloc(). And it is used in the following codes. However, 
> when there is a memory allocation error, kmalloc() fails. Thus null 
> pointer dereference may happen. And it will cause the kernel to crash. 
> Therefore, we should check the return value and handle the error.
> 
> Signed-off-by: Gen Zhang <blackgod016574@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
  2019-05-24  3:19 [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control() Gen Zhang
  2019-05-25 18:00 ` David Miller
@ 2019-07-01  8:57 ` Jiri Slaby
  2019-07-01  9:06   ` Gen Zhang
  1 sibling, 1 reply; 4+ messages in thread
From: Jiri Slaby @ 2019-07-01  8:57 UTC (permalink / raw)
  To: Gen Zhang, davem, kuznet, yoshfuji; +Cc: netdev, linux-kernel

On 24. 05. 19, 5:19, Gen Zhang wrote:
> In function ip6_ra_control(), the pointer new_ra is allocated a memory 
> space via kmalloc(). And it is used in the following codes. However, 
> when there is a memory allocation error, kmalloc() fails. Thus null 
> pointer dereference may happen. And it will cause the kernel to crash. 
> Therefore, we should check the return value and handle the error.
> 
> Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
> 
> ---
> diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
> index 40f21fe..0a3d035 100644
> --- a/net/ipv6/ipv6_sockglue.c
> +++ b/net/ipv6/ipv6_sockglue.c
> @@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel)
>  		return -ENOPROTOOPT;
>  
>  	new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
> +	if (sel >= 0 && !new_ra)
> +		return -ENOMEM;
>  
>  	write_lock_bh(&ip6_ra_lock);
>  	for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {
> 

Was this really an omission? There is (!new_ra) handling below the for loop:
        if (!new_ra) {
                write_unlock_bh(&ip6_ra_lock);
                return -ENOBUFS;
        }

It used to handle both (sel >= 0) and (sel == 0) cases and it used to
return ENOBUFS in case of failure. For (sel >= 0) it also could at least
return EADDRINUSE when a collision was found -- even if memory was
exhausted.

In anyway, how could this lead to a pointer dereference? And why/how did
this get a CVE number?

thanks,
-- 
js
suse labs

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
  2019-07-01  8:57 ` Jiri Slaby
@ 2019-07-01  9:06   ` Gen Zhang
  0 siblings, 0 replies; 4+ messages in thread
From: Gen Zhang @ 2019-07-01  9:06 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: davem, kuznet, yoshfuji, netdev, linux-kernel

On Mon, Jul 01, 2019 at 10:57:36AM +0200, Jiri Slaby wrote:
> On 24. 05. 19, 5:19, Gen Zhang wrote:
> > In function ip6_ra_control(), the pointer new_ra is allocated a memory 
> > space via kmalloc(). And it is used in the following codes. However, 
> > when there is a memory allocation error, kmalloc() fails. Thus null 
> > pointer dereference may happen. And it will cause the kernel to crash. 
> > Therefore, we should check the return value and handle the error.
> > 
> > Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
> > 
> > ---
> > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
> > index 40f21fe..0a3d035 100644
> > --- a/net/ipv6/ipv6_sockglue.c
> > +++ b/net/ipv6/ipv6_sockglue.c
> > @@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel)
> >  		return -ENOPROTOOPT;
> >  
> >  	new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
> > +	if (sel >= 0 && !new_ra)
> > +		return -ENOMEM;
> >  
> >  	write_lock_bh(&ip6_ra_lock);
> >  	for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {
> > 
> 
> Was this really an omission? There is (!new_ra) handling below the for loop:
>         if (!new_ra) {
>                 write_unlock_bh(&ip6_ra_lock);
>                 return -ENOBUFS;
>         }
> 
> It used to handle both (sel >= 0) and (sel == 0) cases and it used to
> return ENOBUFS in case of failure. For (sel >= 0) it also could at least
> return EADDRINUSE when a collision was found -- even if memory was
> exhausted.
> 
> In anyway, how could this lead to a pointer dereference? And why/how did
> this get a CVE number?
> 
> thanks,
> -- 
> js
> suse labs
This CVE is already disputed by other maintainers and marked *DISPUTED*
on the website.

Thanks
Gen

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-07-01  9:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-24  3:19 [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control() Gen Zhang
2019-05-25 18:00 ` David Miller
2019-07-01  8:57 ` Jiri Slaby
2019-07-01  9:06   ` Gen Zhang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).