From: Simon Horman <horms@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
David Ahern <dsahern@kernel.org>,
netdev@vger.kernel.org, eric.dumazet@gmail.com
Subject: Re: [PATCH net] ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
Date: Wed, 8 May 2024 14:46:32 +0100
Message-ID: <20240508134632.GF1736038@kernel.org>
In-Reply-To: <20240507163145.835254-1-edumazet@google.com>
On Tue, May 07, 2024 at 04:31:45PM +0000, Eric Dumazet wrote:
> syzbot is able to trigger the following crash [1],
> caused by unsafe ip6_dst_idev() use.
>
> Indeed ip6_dst_idev() can return NULL, and must always be checked.
>
> [1]
>
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]
> RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267
> Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c
> RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700
> RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760
> RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd
> R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000
> R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00
> FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317
> fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108
> ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]
> ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649
> ip6_route_output include/net/ip6_route.h:93 [inline]
> ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120
> ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250
> sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326
> sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455
> sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662
> sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099
> __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197
> sctp_connect net/sctp/socket.c:4819 [inline]
> sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
> __sys_connect_file net/socket.c:2048 [inline]
> __sys_connect+0x2df/0x310 net/socket.c:2065
> __do_sys_connect net/socket.c:2075 [inline]
> __se_sys_connect net/socket.c:2072 [inline]
> __x64_sys_connect+0x7a/0x90 net/socket.c:2072
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Fixes: 5e5f3f0f8013 ("[IPV6] ADDRCONF: Convert ipv6_get_saddr() to ipv6_dev_get_saddr().")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
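The point of the patch description above is that ip6_dst_idev() may return NULL and every caller has to check before dereferencing the result. The following user-space model, added here as an illustration and not code from the page, the patch or the kernel, shows the unchecked "before" pattern next to a checked "after" pattern. All names (model_inet6_dev, model_dst, model_dst_idev, rule_action_unchecked, rule_action_checked, the sample dst objects) are hypothetical stand-ins and the sample data is constructed; the actual kernel fix is not shown on this page.

```c
/*
 * Added example (not from the page or the kernel): a user-space model of the
 * failure mode described in the patch: a dst whose per-device state is NULL,
 * mirroring ip6_dst_idev() returning NULL, dereferenced without a check.
 * All names are hypothetical stand-ins.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for struct inet6_dev and struct dst_entry. */
struct model_inet6_dev {
    char ifname[16];
};

struct model_dst {
    struct model_inet6_dev *idev;   /* NULL when no device state is attached */
};

/* Model of ip6_dst_idev(): hands back the device state, which may be NULL. */
static struct model_inet6_dev *model_dst_idev(const struct model_dst *dst)
{
    return dst->idev;
}

/* "Before": dereferences the returned pointer unconditionally.
 * With a NULL idev this is the null-ptr-deref pattern in the report. */
const char *rule_action_unchecked(const struct model_dst *dst)
{
    return model_dst_idev(dst)->ifname;
}

/* "After": checks the pointer and returns an error the caller can act on
 * (e.g. fall through to the next rule) instead of crashing. */
int rule_action_checked(const struct model_dst *dst, char *out, size_t outlen)
{
    struct model_inet6_dev *idev = model_dst_idev(dst);

    if (!idev)
        return -1;
    snprintf(out, outlen, "%s", idev->ifname);
    return 0;
}

/* Constructed sample data: one dst with a device, one without. */
static struct model_inet6_dev sample_dev = { "eth0" };
struct model_dst sample_with_dev = { &sample_dev };
struct model_dst sample_without_dev = { NULL };

int main(void)
{
    char buf[16];

    if (rule_action_checked(&sample_with_dev, buf, sizeof buf) == 0)
        printf("with dev: %s\n", buf);
    if (rule_action_checked(&sample_without_dev, buf, sizeof buf) != 0)
        printf("without dev: no idev, skipped safely\n");
    /* rule_action_unchecked(&sample_without_dev) would fault here. */
    return 0;
}
```

The checked variant deliberately returns a status instead of a pointer so that the NULL case has a code path the caller must handle; that is the shape of fix the patch description calls for, independent of how the kernel change itself is written.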
Thread overview: 4+ messages
2024-05-07 16:31 [PATCH net] ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() Eric Dumazet
2024-05-08 13:46 ` Simon Horman [this message]
2024-05-08 15:02 ` David Ahern
2024-05-09 2:00 ` patchwork-bot+netdevbpf