From: Oliver Hartkopp <socketcan@hartkopp.net>
To: "Ziyang Xuan (William)" <william.xuanziyang@huawei.com>,
Greg KH <gregkh@linuxfoundation.org>
Cc: davem@davemloft.net, kuba@kernel.org, mkl@pengutronix.de,
netdev@vger.kernel.org, linux-can@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH net] can: raw: fix raw_rcv panic for sock UAF
Date: Wed, 21 Jul 2021 11:45:13 +0200
Message-ID: <4d91f7bd-eef2-0b1a-f44f-d2006c465422@hartkopp.net>
In-Reply-To: <e3f56f35-00ca-e8f9-ba41-fdc87dc9bfd4@huawei.com>
On 21.07.21 11:29, Ziyang Xuan (William) wrote:
> On 7/21/2021 2:35 PM, Oliver Hartkopp wrote:
>>
>>
>> On 21.07.21 06:53, Greg KH wrote:
>>> On Wed, Jul 21, 2021 at 09:09:37AM +0800, Ziyang Xuan wrote:
>>>> We get a bug during the ltp can_filter test as follows.
>>>>
>>>> ===========================================
>>>> [60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>>>> [60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
>>>> [60919.265443] Oops: 0000 [#1] SMP PTI
>>>> [60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G W 4.19.90+ #1
>>
>> This kernel version 4.19.90 is definitely outdated.
>>
>> Can you please check your issue with the latest upstream kernel, as this problem should have been fixed with this patch:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8d0caedb759683041d9db82069937525999ada53
>> ("can: bcm/raw/isotp: use per module netdevice notifier")
>>
>> Thanks!
>
> I have tested it under the latest 5.14-rc2 kernel version, which includes commit 8d0caedb7596, before I submitted the patch.
> Although I failed to get the vmcore-dmesg file after updating the kernel version to 5.14-rc2 to display here,
> we can draw the conclusion from the following debug messages and my problem analysis.
>
> ==========================================
> [ 1048.953574] unlist_netdevice name[vcan0]
> [ 1048.953661] raw_notify 283: enter, waiting
> [ 1050.950967] raw_setsockopt 552: ro->bound[1] ro->ifindex[8] sk[ffff9420c5699800]
> [ 1053.956002] can: receive list entry not found for dev any, id 000, mask 000
> [ 1053.961989] can: receive list entry not found for dev vcan0, id 123, mask 7FF
>
> raw_setsockopt() executes after unlist_netdevice() and before raw_notify().
> The problem always exists.
>
You are right!
In the meantime I sent a new reply to your original patch here:
https://lore.kernel.org/linux-can/11822417-5931-b2d8-ae77-ec4a84b8b895@hartkopp.net/
Thanks!