From: Gen Zhang <blackgod016574@gmail.com>
To: Jiri Slaby <jslaby@suse.cz>
Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru,
yoshfuji@linux-ipv6.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
Date: Mon, 1 Jul 2019 02:06:44 -0700 [thread overview]
Message-ID: <20190701090644.GA88924@ubuntu> (raw)
In-Reply-To: <1b5f82ae-31a7-db36-dc9d-efc46cda2af3@suse.cz>
On Mon, Jul 01, 2019 at 10:57:36AM +0200, Jiri Slaby wrote:
> On 24. 05. 19, 5:19, Gen Zhang wrote:
> > In function ip6_ra_control(), the pointer new_ra is allocated a memory
> > space via kmalloc(). And it is used in the following codes. However,
> > when there is a memory allocation error, kmalloc() fails. Thus null
> > pointer dereference may happen. And it will cause the kernel to crash.
> > Therefore, we should check the return value and handle the error.
> >
> > Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
> >
> > ---
> > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
> > index 40f21fe..0a3d035 100644
> > --- a/net/ipv6/ipv6_sockglue.c
> > +++ b/net/ipv6/ipv6_sockglue.c
> > @@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel)
> > return -ENOPROTOOPT;
> >
> > new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
> > + if (sel >= 0 && !new_ra)
> > + return -ENOMEM;
> >
> > write_lock_bh(&ip6_ra_lock);
> > for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {
> >
>
> Was this really an omission? There is (!new_ra) handling below the for loop:
> if (!new_ra) {
> write_unlock_bh(&ip6_ra_lock);
> return -ENOBUFS;
> }
>
> It used to handle both (sel >= 0) and (sel == 0) cases and it used to
> return ENOBUFS in case of failure. For (sel >= 0) it also could at least
> return EADDRINUSE when a collision was found -- even if memory was
> exhausted.
>
> In anyway, how could this lead to a pointer dereference? And why/how did
> this get a CVE number?
>
> thanks,
> --
> js
> suse labs
This CVE is already disputed by other maintainers and marked *DISPUTED*
on the website.
Thanks
Gen
prev parent reply other threads:[~2019-07-01 9:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-24 3:19 [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control() Gen Zhang
2019-05-25 18:00 ` David Miller
2019-07-01 8:57 ` Jiri Slaby
2019-07-01 9:06 ` Gen Zhang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190701090644.GA88924@ubuntu \
--to=blackgod016574@gmail.com \
--cc=davem@davemloft.net \
--cc=jslaby@suse.cz \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.