From: Sasha Levin <sasha.levin@oracle.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	davej@redhat.com, a.ryabinin@samsung.com
Subject: Re: net: socket: NULL ptr deref in sendmsg
Date: Thu, 24 Jul 2014 12:05:31 -0400
Message-ID: <53D12ECB.2040600@oracle.com>
In-Reply-To: <20140714.150847.1399242734159771901.davem@davemloft.net>

On 07/14/2014 06:08 PM, David Miller wrote:
> From: Sasha Levin <sasha.levin@oracle.com>
> Date: Sun, 13 Jul 2014 17:50:53 -0400
> 
>> While fuzzing with trinity inside a KVM tools guest running the latest -next
>> kernel with the KASAN patchset, I've stumbled on the following spew:
>  ...
>> It's similar to another variation:
>  ...
>> I've tried debugging it, but I don't see a code path that could lead to that.
> 
> Both of these cases involve working with pointers declared with
> DECLARE_SOCKADDR, maybe that somehow confuses ASAN code generation?
> 

Hey David,

Sorry for the delay.

I've confirmed that it's not ASAN's fault by adding:

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 1b38f7f..81d86b9 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2331,7 +2331,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *so
        err = scm_send(sock, msg, siocb->scm, true);
        if (err < 0)
                return err;
-
+       BUG_ON(msg->msg_namelen && !msg->msg_name);
        if (msg->msg_namelen) {
                err = -EINVAL;
                if (addr->nl_family != AF_NETLINK)
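Review bot: BUG_ON() on this condition is fine as a one-off probe but not as a fix, since the trace it produced below shows the path being reached from an unprivileged sendmmsg() call, so a permanent check here would let any user panic the machine. If the check stays in this function it should reject the message the same way the following block does (`err = -EINVAL`), and since `addr` is just msg->msg_name cast to the protocol's sockaddr type, the natural place is the generic ___sys_sendmsg/verify_iovec layer visible in the trace, so that every protocol's sendmsg can rely on msg_namelen != 0 implying msg_name != NULL. Note also that the new line replaces the blank line after the early return rather than the check being added on its own, which is a whitespace change the final patch would not want to carry.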

And got:

[ 1322.890135] kernel BUG at net/netlink/af_netlink.c:2334!
[ 1322.890135] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1322.890135] Dumping ftrace buffer:
[ 1322.890135]    (ftrace buffer empty)
[ 1322.890135] Modules linked in:
[ 1322.890135] CPU: 8 PID: 31343 Comm: trinity-c259 Not tainted 3.16.0-rc6-next-20140724-sasha-00046-g7324c87-dirty #931
[ 1322.890135] task: ffff880311268000 ti: ffff88031bf5c000 task.ti: ffff88031bf5c000
[ 1322.890135] RIP: 0010:[<ffffffffb567e01b>]  [<ffffffffb567e01b>] netlink_sendmsg+0xc6b/0xce0
[ 1322.902991] RSP: 0018:ffff88031bf5faa0  EFLAGS: 00010246
[ 1322.902991] RAX: 0000000000000000 RBX: ffff88031bf5fb38 RCX: dfff97060a600000
[ 1322.902991] RDX: ffff88031bf5fe80 RSI: 0000000000000000 RDI: ffff88031bf5fe80
[ 1322.902991] RBP: ffff88031bf5fb80 R08: dfff97060a600000 R09: 0000000000000000
[ 1322.902991] R10: 0000000000000080 R11: 0000000000000001 R12: ffff88031bf5fe78
[ 1322.902991] R13: ffff8801d18fd388 R14: 0000000000000000 R15: 0000000000feff98
[ 1322.902991] FS:  00007f67138b8700(0000) GS:ffff8801de000000(0000) knlGS:0000000000000000
[ 1322.902991] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1322.902991] CR2: 00007f6708260088 CR3: 000000036ad59000 CR4: 00000000000006a0
[ 1322.902991] Stack:
[ 1322.902991]  ffff8801de1e2dc0 ffff88025efbb118 ffffffffb9b9ae30 000000000000092d
[ 1322.902991]  ffff880311268d00 ffff88031bf5fae0 ffffffffb121185d 0000000000000001
[ 1322.902991]  ffff88031bf5faf8 ffff88031bf5fea8 ffff8801d7d9c220 0000000000000000
[ 1322.902991] Call Trace:
[ 1322.902991]  [<ffffffffb121185d>] ? get_parent_ip+0xd/0x50
[ 1322.902991]  [<ffffffffb559bc3a>] sock_sendmsg+0xca/0x100
[ 1322.902991]  [<ffffffffb13b32ed>] ? might_fault+0xed/0x100
[ 1322.902991]  [<ffffffffb13b327a>] ? might_fault+0x7a/0x100
[ 1322.902991]  [<ffffffffb55b3ced>] ? verify_iovec+0xcd/0x180
[ 1322.902991]  [<ffffffffb559cb52>] ___sys_sendmsg+0x312/0x530
[ 1322.902991]  [<ffffffffb124f42e>] ? put_lock_stats.isra.13+0xe/0x30
[ 1322.902991]  [<ffffffffb124fad1>] ? lock_release_holdtime+0x121/0x260
[ 1322.902991]  [<ffffffffb125b2bb>] ? lock_release_non_nested+0x42b/0x4f0
[ 1322.902991]  [<ffffffffb124f004>] ? check_chain_key+0x1f4/0x2e0
[ 1322.902991]  [<ffffffffb559daeb>] __sys_sendmmsg+0x9b/0x1c0
[ 1322.902991]  [<ffffffffb125496d>] ? trace_hardirqs_on_caller+0x1ad/0x380
[ 1322.902991]  [<ffffffffb1254b4d>] ? trace_hardirqs_on+0xd/0x10
[ 1322.902991]  [<ffffffffb10b9222>] ? syscall_trace_enter+0x1e2/0x540
[ 1322.902991]  [<ffffffffb125496d>] ? trace_hardirqs_on_caller+0x1ad/0x380
[ 1322.902991]  [<ffffffffb559dc22>] SyS_sendmmsg+0x12/0x30
[ 1322.902991]  [<ffffffffb5e43a13>] tracesys+0xe1/0xe6
[ 1322.902991] Code: e4 00 00 00 8b 4d 98 45 31 c9 41 b8 d0 00 00 00 48 89 de 8b 55 90 48 c7 04 24 00 00 00 00 4c 89 ef e8 da cb ff ff e9 8d f8 ff ff <0f> 0b e8 5e 3f b9 fb 48 8b bd 68 ff ff ff e8 c2 be da fb 48 8b
[ 1322.902991] RIP  [<ffffffffb567e01b>] netlink_sendmsg+0xc6b/0xce0
[ 1322.902991]  RSP <ffff88031bf5faa0>


Thanks,
Sasha
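The invariant this thread is chasing, modelled in userspace as an added example (this is not code from the thread, from Sasha's kernel tree or from the eventual fix): the visible part of netlink_sendmsg() trusts msg_name as soon as msg_namelen is non-zero, so a header shaped like the one trinity produced (NULL msg_name, non-zero msg_namelen) faults in the protocol handler. The hardened dispatch normalises the header once at the generic layer instead of relying on each protocol. The nl_addr_model stand-in for struct sockaddr_nl, the sanitize_msghdr() helper, the choice to treat a NULL msg_name as "unnamed" rather than to reject it, and the extra minimum/maximum length checks (which go beyond what the thread discusses) are all assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Simplified stand-in for struct sockaddr_nl (assumption: only nl_family is
 * inspected here; the layout matches the real struct's size of 12 bytes). */
struct nl_addr_model {
	unsigned short nl_family;
	unsigned short nl_pad;
	unsigned int   nl_pid;
	unsigned int   nl_groups;
};

/* Model of the visible part of netlink_sendmsg(): once msg_namelen is
 * non-zero the protocol handler trusts msg_name and dereferences it, so a
 * NULL msg_name paired with a non-zero msg_namelen faults here. */
static int netlink_sendmsg_model(const struct msghdr *msg)
{
	const struct nl_addr_model *addr = msg->msg_name;

	if (msg->msg_namelen) {
		if (addr->nl_family != AF_NETLINK)
			return -EINVAL;
	}
	return 0;
}

/* Generic-layer normalisation the protocol handlers need to be able to rely
 * on (assumption: this mirrors the invariant, not the kernel's actual patch).
 * A header without an address buffer becomes unnamed; a buffer too short for
 * the protocol's sockaddr, or larger than sockaddr_storage, is rejected
 * before any handler touches it. Returns 0 or -EINVAL. */
static int sanitize_msghdr(struct msghdr *msg, size_t min_namelen)
{
	if (msg->msg_name == NULL || msg->msg_namelen == 0) {
		msg->msg_name = NULL;
		msg->msg_namelen = 0;
		return 0;
	}
	if (msg->msg_namelen < min_namelen ||
	    msg->msg_namelen > sizeof(struct sockaddr_storage))
		return -EINVAL;
	return 0;
}

/* Hardened dispatch: sanitize once, then hand the header to the protocol
 * model, which can now assume msg_namelen != 0 implies msg_name != NULL. */
static int sock_sendmsg_hardened(struct msghdr *msg)
{
	int err = sanitize_msghdr(msg, sizeof(struct nl_addr_model));

	if (err)
		return err;
	return netlink_sendmsg_model(msg);
}

/* Constructed input shaped like the one the fuzzer handed the kernel:
 * a non-zero msg_namelen with a NULL msg_name. */
static struct msghdr fuzzer_msghdr(void)
{
	struct msghdr msg;

	memset(&msg, 0, sizeof(msg));
	msg.msg_name = NULL;
	msg.msg_namelen = sizeof(struct nl_addr_model);
	return msg;
}

int main(void)
{
	struct msghdr msg = fuzzer_msghdr();
	struct nl_addr_model addr = { AF_NETLINK, 0, 0, 0 };
	struct msghdr named;

	/* Calling netlink_sendmsg_model(&msg) directly would dereference NULL;
	 * the hardened path treats the header as an unnamed message instead. */
	printf("fuzzer header: err=%d namelen=%u\n",
	       sock_sendmsg_hardened(&msg), (unsigned)msg.msg_namelen);

	memset(&named, 0, sizeof(named));
	named.msg_name = &addr;
	named.msg_namelen = sizeof(addr);
	printf("valid netlink header: err=%d\n", sock_sendmsg_hardened(&named));

	named.msg_namelen = 2;
	printf("undersized header: err=%d\n", sock_sendmsg_hardened(&named));
	return 0;
}
```

The point of putting the check in sock_sendmsg_hardened() rather than in netlink_sendmsg_model() is the one David's DECLARE_SOCKADDR remark hints at: every protocol's sendmsg derives its address pointer from msg_name the same way, so a per-protocol check would have to be repeated in each of them and would be missed in at least one.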

Thread overview:
2014-07-13 21:50 net: socket: NULL ptr deref in sendmsg Sasha Levin
2014-07-14 22:08 ` David Miller
2014-07-24 16:05   ` Sasha Levin [this message]
2014-07-25 15:23 ` Andrey Ryabinin
2014-07-25 18:27   ` Eric Dumazet
2014-07-25 20:52   ` Sasha Levin
2014-07-25 22:15     ` Hannes Frederic Sowa
2014-07-26 15:40     ` Andrey Ryabinin
2014-07-25 22:15   ` Hannes Frederic Sowa
2014-07-26 15:48     ` Andrey Ryabinin
2014-07-26 15:54       ` Hannes Frederic Sowa
2014-07-26 17:26         ` [PATCH] net: sendmsg: fix NULL pointer dereference Andrey Ryabinin
2014-07-28  9:50           ` Hannes Frederic Sowa
2014-07-29 19:21           ` David Miller
2014-07-29  0:19         ` net: socket: NULL ptr deref in sendmsg David Miller
