From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Vasiliy Kovalev <kovalev@altlinux.org>
Cc: Alexander Ofitserov <oficerovas@altlinux.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
edumazet@google.com, laforge@gnumonks.org, davem@davemloft.net,
kuba@kernel.org, pabeni@redhat.com, nickel@altlinux.org,
dutyrok@altlinux.org, stable@vger.kernel.org
Subject: Re: [PATCH net] gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
Date: Thu, 29 Feb 2024 17:10:46 +0100
Message-ID: <ZeCshnw9Ac1fd5pV@calendula>
In-Reply-To: <3d8314ae-03d9-6e43-86ad-f830ea01c737@basealt.ru>
On Thu, Feb 29, 2024 at 11:37:28AM +0300, Vasiliy Kovalev wrote:
[...]
> This patch fixes another problem, but a similar one, since the sequence is
> incorrect when registering subsystems.
>
> Initially, the registration sequence in the gtp module was as follows:
>
> 1) rtnl_link_register();
>
> 2) genl_register_family();
>
> 3) register_pernet_subsys();
>
> During debugging of the module, when starting the syzkaller reproducer, it
> turned out that after genl_register_family() (2),
>
> without waiting for register_pernet_subsys() (3), the /.dumpit/ event is
> triggered, in which the data of the unregistered pernet subsystem is
> accessed.
>
> That is, the bug was fixed by the commit
>
> 136cfaca2256 ("gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()")[1]
>
> and the registration sequence became as follows:
>
> 1) rtnl_link_register();
>
> 2) register_pernet_subsys();
>
> 3) genl_register_family();
>
> However, syzkaller has discovered another problem:
>
> after registering rtnl_link_register, the .newlink event is triggered, in
> which the data of the unregistered pernet subsystem is accessed.
>
> This problem is reproducible on current stable kernels and the latest
> upstream kernel 6.8-rc6, in which the patch 136cfaca2256 [1] is applied.
>
> Therefore, the correct sequence should be as follows:
>
> 1) register_pernet_subsys();
>
> 2) rtnl_link_register();
>
> 3) genl_register_family();
>
> The proposed patch is developed on top of the commit changes [1], does not
> conflict with it and fixes the described bug.
>
> [1] https://lore.kernel.org/lkml/20240220160434.29bcaf43@kernel.org/T/#mb1f72c2ad57b7ea6d47333e8616beccf8bce0e23
Thanks for explaining, fix LGTM.
2024-02-28 11:47 [PATCH net] gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Alexander Ofitserov
2024-02-28 13:07 ` Jiri Pirko
2024-02-28 23:51 ` Pablo Neira Ayuso
2024-02-29 9:20 ` Vasiliy Kovalev
[not found] ` <3d8314ae-03d9-6e43-86ad-f830ea01c737@basealt.ru>
2024-02-29 16:10 ` Pablo Neira Ayuso [this message]
2024-02-29 13:20 ` patchwork-bot+netdevbpf