From: Vlad Yasevich <vyasevich@gmail.com>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
Neil Horman <nhorman@tuxdriver.com>,
Sridhar Samudrala <sri@us.ibm.com>,
"David S. Miller" <davem@davemloft.net>,
Dave Jones <davej@redhat.com>
Subject: Re: [PATCH] sctp: fix CONFIG_SCTP_DBG_MSG=y null pointer dereference in sctp_v6_get_dst()
Date: Fri, 30 Nov 2012 14:18:26 +0000 [thread overview]
Message-ID: <50B8C032.7030307@gmail.com> (raw)
In-Reply-To: <1354267062-15888-1-git-send-email-tt.rantala@gmail.com>
On 11/30/2012 04:17 AM, Tommi Rantala wrote:
> Trinity (the syscall fuzzer) triggered the following BUG, reproducible
> only when the kernel is configured with CONFIG_SCTP_DBG_MSG=y.
>
> When CONFIG_SCTP_DBG_MSG is not set, the null pointer is never
> dereferenced.
>
> ---[ end trace a4de0bfcb38a3642 ]---
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000100
> IP: [<ffffffff8136796e>] ip6_string+0x1e/0xa0
> PGD 4eead067 PUD 4e472067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> Modules linked in:
> CPU 3
> Pid: 21324, comm: trinity-child11 Tainted: G W 3.7.0-rc7+ #61 ASUSTeK Computer INC. EB1012/EB1012
> RIP: 0010:[<ffffffff8136796e>] [<ffffffff8136796e>] ip6_string+0x1e/0xa0
> RSP: 0018:ffff88004e4637a0 EFLAGS: 00010046
> RAX: ffff88004e4637da RBX: ffff88004e4637da RCX: 0000000000000000
> RDX: ffffffff8246e92a RSI: 0000000000000100 RDI: ffff88004e4637da
> RBP: ffff88004e4637a8 R08: 000000000000ffff R09: 000000000000ffff
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8289d600
> R13: ffffffff8289d230 R14: ffffffff8246e928 R15: ffffffff8289d600
> FS: 00007fed95153700(0000) GS:ffff88005fd80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000100 CR3: 000000004eeac000 CR4: 00000000000007e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process trinity-child11 (pid: 21324, threadinfo ffff88004e462000, task ffff8800524b0000)
> Stack:
> ffff88004e4637da ffff88004e463828 ffffffff81368eee 000000004e4637d8
> ffffffff0000ffff ffff88000000ffff 0000000000000000 000000004e4637f8
> ffffffff826285d8 ffff88004e4637f8 0000000000000000 ffff8800524b06b0
> Call Trace:
> [<ffffffff81368eee>] ip6_addr_string.isra.11+0x3e/0xa0
> [<ffffffff81369183>] pointer.isra.12+0x233/0x2d0
> [<ffffffff810a413a>] ? vprintk_emit+0x1ba/0x450
> [<ffffffff8110953d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [<ffffffff81369757>] vsnprintf+0x187/0x5d0
> [<ffffffff81369c62>] vscnprintf+0x12/0x30
> [<ffffffff810a4028>] vprintk_emit+0xa8/0x450
> [<ffffffff81e5cb00>] printk+0x49/0x4b
> [<ffffffff81d17221>] sctp_v6_get_dst+0x731/0x780
> [<ffffffff81d16e15>] ? sctp_v6_get_dst+0x325/0x780
> [<ffffffff81d00a96>] sctp_transport_route+0x46/0x120
> [<ffffffff81cff0f1>] sctp_assoc_add_peer+0x161/0x350
> [<ffffffff81d0fd8d>] sctp_sendmsg+0x6cd/0xcb0
> [<ffffffff81b55bf0>] ? inet_create+0x670/0x670
> [<ffffffff81b55cfb>] inet_sendmsg+0x10b/0x220
> [<ffffffff81b55bf0>] ? inet_create+0x670/0x670
> [<ffffffff81a72a64>] ? sock_update_classid+0xa4/0x2b0
> [<ffffffff81a72ab0>] ? sock_update_classid+0xf0/0x2b0
> [<ffffffff81a6ac1c>] sock_sendmsg+0xdc/0xf0
> [<ffffffff8118e9e5>] ? might_fault+0x85/0x90
> [<ffffffff8118e99c>] ? might_fault+0x3c/0x90
> [<ffffffff81a6e12a>] sys_sendto+0xfa/0x130
> [<ffffffff810a9887>] ? do_setitimer+0x197/0x380
> [<ffffffff81e960d5>] ? sysret_check+0x22/0x5d
> [<ffffffff81e960a9>] system_call_fastpath+0x16/0x1b
> Code: 01 eb 89 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 f8 31 c9 48 89 e5 53 eb 12 0f 1f 40 00 48 83 c1 01 48 83 c0 04 48 83 f9 08 74 70 <0f> b6 3c 4e 89 fb 83 e7 0f c0 eb 04 41 89 d8 41 83 e0 0f 0f b6
> RIP [<ffffffff8136796e>] ip6_string+0x1e/0xa0
> RSP <ffff88004e4637a0>
> CR2: 0000000000000100
> ---[ end trace a4de0bfcb38a3643 ]---
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Thanks
-vlad
> ---
> net/sctp/ipv6.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index ea14cb4..f3f0f4d 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -345,7 +345,7 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
> }
>
> out:
> - if (!IS_ERR(dst)) {
> + if (!IS_ERR_OR_NULL(dst)) {
> struct rt6_info *rt;
> rt = (struct rt6_info *)dst;
> t->dst = dst;
>
WARNING: multiple messages have this Message-ID (diff)
From: Vlad Yasevich <vyasevich@gmail.com>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
Neil Horman <nhorman@tuxdriver.com>,
Sridhar Samudrala <sri@us.ibm.com>,
"David S. Miller" <davem@davemloft.net>,
Dave Jones <davej@redhat.com>
Subject: Re: [PATCH] sctp: fix CONFIG_SCTP_DBG_MSG=y null pointer dereference in sctp_v6_get_dst()
Date: Fri, 30 Nov 2012 09:18:26 -0500 [thread overview]
Message-ID: <50B8C032.7030307@gmail.com> (raw)
In-Reply-To: <1354267062-15888-1-git-send-email-tt.rantala@gmail.com>
On 11/30/2012 04:17 AM, Tommi Rantala wrote:
> Trinity (the syscall fuzzer) triggered the following BUG, reproducible
> only when the kernel is configured with CONFIG_SCTP_DBG_MSG=y.
>
> When CONFIG_SCTP_DBG_MSG is not set, the null pointer is never
> dereferenced.
>
> ---[ end trace a4de0bfcb38a3642 ]---
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000100
> IP: [<ffffffff8136796e>] ip6_string+0x1e/0xa0
> PGD 4eead067 PUD 4e472067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> Modules linked in:
> CPU 3
> Pid: 21324, comm: trinity-child11 Tainted: G W 3.7.0-rc7+ #61 ASUSTeK Computer INC. EB1012/EB1012
> RIP: 0010:[<ffffffff8136796e>] [<ffffffff8136796e>] ip6_string+0x1e/0xa0
> RSP: 0018:ffff88004e4637a0 EFLAGS: 00010046
> RAX: ffff88004e4637da RBX: ffff88004e4637da RCX: 0000000000000000
> RDX: ffffffff8246e92a RSI: 0000000000000100 RDI: ffff88004e4637da
> RBP: ffff88004e4637a8 R08: 000000000000ffff R09: 000000000000ffff
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8289d600
> R13: ffffffff8289d230 R14: ffffffff8246e928 R15: ffffffff8289d600
> FS: 00007fed95153700(0000) GS:ffff88005fd80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000100 CR3: 000000004eeac000 CR4: 00000000000007e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process trinity-child11 (pid: 21324, threadinfo ffff88004e462000, task ffff8800524b0000)
> Stack:
> ffff88004e4637da ffff88004e463828 ffffffff81368eee 000000004e4637d8
> ffffffff0000ffff ffff88000000ffff 0000000000000000 000000004e4637f8
> ffffffff826285d8 ffff88004e4637f8 0000000000000000 ffff8800524b06b0
> Call Trace:
> [<ffffffff81368eee>] ip6_addr_string.isra.11+0x3e/0xa0
> [<ffffffff81369183>] pointer.isra.12+0x233/0x2d0
> [<ffffffff810a413a>] ? vprintk_emit+0x1ba/0x450
> [<ffffffff8110953d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [<ffffffff81369757>] vsnprintf+0x187/0x5d0
> [<ffffffff81369c62>] vscnprintf+0x12/0x30
> [<ffffffff810a4028>] vprintk_emit+0xa8/0x450
> [<ffffffff81e5cb00>] printk+0x49/0x4b
> [<ffffffff81d17221>] sctp_v6_get_dst+0x731/0x780
> [<ffffffff81d16e15>] ? sctp_v6_get_dst+0x325/0x780
> [<ffffffff81d00a96>] sctp_transport_route+0x46/0x120
> [<ffffffff81cff0f1>] sctp_assoc_add_peer+0x161/0x350
> [<ffffffff81d0fd8d>] sctp_sendmsg+0x6cd/0xcb0
> [<ffffffff81b55bf0>] ? inet_create+0x670/0x670
> [<ffffffff81b55cfb>] inet_sendmsg+0x10b/0x220
> [<ffffffff81b55bf0>] ? inet_create+0x670/0x670
> [<ffffffff81a72a64>] ? sock_update_classid+0xa4/0x2b0
> [<ffffffff81a72ab0>] ? sock_update_classid+0xf0/0x2b0
> [<ffffffff81a6ac1c>] sock_sendmsg+0xdc/0xf0
> [<ffffffff8118e9e5>] ? might_fault+0x85/0x90
> [<ffffffff8118e99c>] ? might_fault+0x3c/0x90
> [<ffffffff81a6e12a>] sys_sendto+0xfa/0x130
> [<ffffffff810a9887>] ? do_setitimer+0x197/0x380
> [<ffffffff81e960d5>] ? sysret_check+0x22/0x5d
> [<ffffffff81e960a9>] system_call_fastpath+0x16/0x1b
> Code: 01 eb 89 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 f8 31 c9 48 89 e5 53 eb 12 0f 1f 40 00 48 83 c1 01 48 83 c0 04 48 83 f9 08 74 70 <0f> b6 3c 4e 89 fb 83 e7 0f c0 eb 04 41 89 d8 41 83 e0 0f 0f b6
> RIP [<ffffffff8136796e>] ip6_string+0x1e/0xa0
> RSP <ffff88004e4637a0>
> CR2: 0000000000000100
> ---[ end trace a4de0bfcb38a3643 ]---
>
> Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Thanks
-vlad
> ---
> net/sctp/ipv6.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index ea14cb4..f3f0f4d 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -345,7 +345,7 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
> }
>
> out:
> - if (!IS_ERR(dst)) {
> + if (!IS_ERR_OR_NULL(dst)) {
> struct rt6_info *rt;
> rt = (struct rt6_info *)dst;
> t->dst = dst;
>
next prev parent reply other threads:[~2012-11-30 14:18 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-30 9:17 [PATCH] sctp: fix CONFIG_SCTP_DBG_MSG=y null pointer dereference in sctp_v6_get_dst() Tommi Rantala
2012-11-30 9:17 ` Tommi Rantala
2012-11-30 14:18 ` Vlad Yasevich [this message]
2012-11-30 14:18 ` Vlad Yasevich
2012-11-30 15:20 ` Neil Horman
2012-11-30 15:20 ` Neil Horman
2012-11-30 17:21 ` David Miller
2012-11-30 17:21 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50B8C032.7030307@gmail.com \
--to=vyasevich@gmail.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=sri@us.ibm.com \
--cc=tt.rantala@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.