From: Leon Romanovsky <leon@kernel.org>
To: Florian Westphal <fw@strlen.de>
Cc: netdev@vger.kernel.org,
syzbot+c54f457cad330e57e967@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, netfilter-devel@vger.kernel.org,
Edward Cree <ecree@solarflare.com>
Subject: Re: [PATCH net-next] inet: do not call sublist_rcv on empty list
Date: Tue, 29 Oct 2019 11:21:42 +0200
Message-ID: <20191029092142.GC5545@unreal>
In-Reply-To: <20191029004404.8563-1-fw@strlen.de>
On Tue, Oct 29, 2019 at 01:44:04AM +0100, Florian Westphal wrote:
> syzbot triggered struct net NULL deref in NF_HOOK_LIST:
> RIP: 0010:NF_HOOK_LIST include/linux/netfilter.h:331 [inline]
> RIP: 0010:ip6_sublist_rcv+0x5c9/0x930 net/ipv6/ip6_input.c:292
> ipv6_list_rcv+0x373/0x4b0 net/ipv6/ip6_input.c:328
> __netif_receive_skb_list_ptype net/core/dev.c:5274 [inline]
>
> Reason:
> void ipv6_list_rcv(struct list_head *head, struct packet_type *pt,
>                    struct net_device *orig_dev)
> [..]
>         list_for_each_entry_safe(skb, next, head, list) {
>                 /* iterates list */
>                 skb = ip6_rcv_core(skb, dev, net);
>                 /* ip6_rcv_core drops skb -> NULL is returned */
>                 if (skb == NULL)
>                         continue;
>         [..]
>         }
>         /* sublist is empty -> curr_net is NULL */
>         ip6_sublist_rcv(&sublist, curr_dev, curr_net);
>
> Before the recent change NF_HOOK_LIST did a list iteration before
> struct net deref, i.e. it was a no-op in the empty list case.
>
> List iteration now happens after *net deref, causing crash.
>
> Follow the same pattern as the ip(v6)_list_rcv loop and add a list_empty
> test for the final sublist dispatch too.
>
> Cc: Edward Cree <ecree@solarflare.com>
> Reported-by: syzbot+c54f457cad330e57e967@syzkaller.appspotmail.com
> Fixes: ca58fbe06c54 ("netfilter: add and use nf_hook_slow_list()")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> net/ipv4/ip_input.c | 3 ++-
> net/ipv6/ip6_input.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
It fixed my crash on boot.
Thanks,
Tested-by: Leon Romanovsky <leonro@mellanox.com>
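The crash the quoted commit message describes, modelled as an added C example that is not kernel code and not part of this thread: a constructed stand-in for the ipv6_list_rcv() batching loop groups consecutive packets by (dev, net) and dispatches each sublist, and a constructed stand-in for NF_HOOK_LIST touches the struct net before walking the list, as the post-ca58fbe06c54 version does. When every packet in the batch is dropped, curr_net is still NULL at the final dispatch; the unguarded dispatch reaches the dereference, the guarded one (the list_empty() test the patch adds) never calls in. All struct definitions, the function names nf_hook_list_model(), list_rcv_model(), sublist_rcv_unguarded(), sublist_rcv_guarded(), run_all_dropped() and run_mixed(), and the sample batches are assumptions constructed for this example; the model returns -1 where the kernel would oops instead of actually dereferencing NULL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structs (assumptions, not the kernel's definitions). */
struct net { int id; };
struct net_device { struct net *nd_net; };
struct sk_buff {
	struct net_device *dev;
	bool drop;   /* constructed flag: the ip6_rcv_core() stand-in would drop this skb */
};

#define MAX_BATCH 16

/* A sublist of skbs sharing (dev, net); count == 0 models list_empty(). */
struct sublist {
	struct sk_buff *skbs[MAX_BATCH];
	int count;
};

/* Models NF_HOOK_LIST after ca58fbe06c54: the struct net is used before the
 * list is walked.  A real NULL dereference would oops, so the model returns -1
 * where the kernel would crash, otherwise the number of packets passed on. */
static int nf_hook_list_model(struct net *net, struct sublist *sl)
{
	if (net == NULL)
		return -1;        /* kernel: NULL pointer dereference here */
	(void)net->id;            /* the dereference that now precedes iteration */
	return sl->count;         /* list walk happens only after the deref */
}

/* Final dispatch without the fix: runs even when the sublist is empty. */
static int sublist_rcv_unguarded(struct sublist *sl, struct net *net)
{
	return nf_hook_list_model(net, sl);
}

/* Final dispatch with the fix: the same list_empty() test the loop already applies. */
static int sublist_rcv_guarded(struct sublist *sl, struct net *net)
{
	if (sl->count == 0)
		return 0;
	return nf_hook_list_model(net, sl);
}

/* Models the ipv6_list_rcv() loop: consecutive skbs with the same (dev, net)
 * are batched and dispatched together.  Returns packets delivered, or -1 if
 * the model hit the NULL dereference. */
static int list_rcv_model(struct sk_buff *batch, int n, bool guarded)
{
	struct sublist sl = { .count = 0 };
	struct net_device *curr_dev = NULL;
	struct net *curr_net = NULL;
	int delivered = 0, rc;

	for (int i = 0; i < n; i++) {
		struct sk_buff *skb = &batch[i];
		struct net_device *dev = skb->dev;
		struct net *net = dev->nd_net;

		if (skb->drop)    /* ip6_rcv_core() returned NULL: never queued */
			continue;
		if (curr_dev != dev || curr_net != net) {
			if (sl.count != 0) {   /* the loop's own empty-list guard */
				rc = nf_hook_list_model(curr_net, &sl);
				if (rc < 0)
					return -1;
				delivered += rc;
				sl.count = 0;
			}
			curr_dev = dev;
			curr_net = net;
		}
		if (sl.count < MAX_BATCH)
			sl.skbs[sl.count++] = skb;
	}
	/* The final dispatch is the one the patch guards. */
	rc = guarded ? sublist_rcv_guarded(&sl, curr_net)
		     : sublist_rcv_unguarded(&sl, curr_net);
	return rc < 0 ? -1 : delivered + rc;
}

/* Constructed scenario: every packet dropped, so curr_net stays NULL and the
 * final sublist is empty, the shape of the syzbot report. */
static int run_all_dropped(bool guarded)
{
	static struct net ns = { .id = 1 };
	static struct net_device eth0 = { .nd_net = &ns };
	struct sk_buff batch[3] = {
		{ .dev = &eth0, .drop = true }, { .dev = &eth0, .drop = true },
		{ .dev = &eth0, .drop = true },
	};
	return list_rcv_model(batch, 3, guarded);
}

/* Constructed scenario: two devices in one netns, one drop; both variants deliver 3. */
static int run_mixed(bool guarded)
{
	static struct net ns = { .id = 2 };
	static struct net_device eth0 = { .nd_net = &ns }, eth1 = { .nd_net = &ns };
	struct sk_buff batch[4] = {
		{ .dev = &eth0 }, { .dev = &eth0, .drop = true },
		{ .dev = &eth1 }, { .dev = &eth1 },
	};
	return list_rcv_model(batch, 4, guarded);
}

int main(void)
{
	printf("all dropped, unguarded: %d (-1 = would oops)\n", run_all_dropped(false));
	printf("all dropped, guarded:   %d\n", run_all_dropped(true));
	printf("mixed, guarded:         %d\n", run_mixed(true));
	return 0;
}
```

The model keeps the batching loop's existing guard and only varies the final dispatch, so the difference between the two runs isolates exactly the line the patch changes: with an all-dropped batch the unguarded path reports the would-be oops, the guarded path delivers nothing and returns cleanly, and a normal mixed batch delivers the same count either way.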
Thread overview (5+ messages):
2019-10-28 22:55 general protection fault in ip6_sublist_rcv (syzbot)
2019-10-29 0:44 ` [PATCH net-next] inet: do not call sublist_rcv on empty list (Florian Westphal)
2019-10-29 9:21 ` Leon Romanovsky [this message]
2019-10-29 13:35 ` Nikolay Aleksandrov
2019-10-30 0:55 ` David Miller