* net/ipv6: null-ptr-deref in inet6_bind
@ 2016-11-02 21:14 Andrey Konovalov
2016-11-03 15:39 ` Eric Dumazet
From: Andrey Konovalov @ 2016-11-02 21:14 UTC (permalink / raw)
To: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML
Cc: Dmitry Vyukov, Alexander Potapenko, Kostya Serebryany,
Eric Dumazet, syzkaller
[-- Attachment #1: Type: text/plain, Size: 2130 bytes --]
Hi,
I've got the following error report while running the syzkaller fuzzer:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
PGD 66b6f067 [ 102.549865] PUD 66c6e067
PMD 0 [ 102.549865]
Oops: 0010 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4143 Comm: a.out Not tainted 4.9.0-rc3+ #336
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880066b1c200 task.stack: ffff880065b58000
RIP: 0010:[<0000000000000000>] [< (null)>] (null)
RSP: 0018:ffff880065b5fbc0 EFLAGS: 00010246
RAX: ffff880066b1c200 RBX: ffff88006873864a RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff880068738640 RDI: ffff880063bd3200
RBP: ffff880065b5fd20 R08: 1ffff1000c77a713 R09: dffffc0000000000
R10: ffffffff844fc800 R11: 1ffff1000d0e70c9 R12: ffffffff84e7e040
R13: ffff880068738640 R14: ffff880063bd3200 R15: ffffffff86836380
FS: 00007f40b7acf700(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000006bb28000 CR4: 00000000000006f0
Stack:
ffffffff83099988 ffffffff8479f7e8 ffffffff81208580 1ffff1000000000c
0000000041b58ab3 ffffffff8479f7e8 ffffffff81208580 ffffffff812506ed
0000000000000007 ffff880065b5fc18 ffffffff812506ed ffff880065b5fcd0
Call Trace:
[<ffffffff832cf4fc>] inet6_bind+0x8ec/0x1020 net/ipv6/af_inet6.c:384
[<ffffffff82b7033c>] SYSC_bind+0x1ec/0x250 net/socket.c:1367
[<ffffffff82b72ae4>] SyS_bind+0x24/0x30 net/socket.c:1353
[<ffffffff83fc0401>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
Code: Bad RIP value.
RIP [< (null)>] (null)
RSP <ffff880065b5fbc0>
CR2: 0000000000000000
---[ end trace b5ec698ae4926a97 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
On commit 0c183d92b20b5c84ca655b45ef57b3318b83eb9e (Oct 31).
I'm able to reproduce it with the attached program by running it as:
$ gcc -lpthread inet6-bind-poc.c
$ while true; do ./a.out; done
Thanks!
[-- Attachment #2: inet6-bind-poc.c --]
[-- Type: application/octet-stream, Size: 7394 bytes --]
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_syz_open_dev
#define __NR_syz_open_dev 1000002
#endif
#ifndef __NR_syz_open_pts
#define __NR_syz_open_pts 1000003
#endif
#ifndef __NR_syz_test
#define __NR_syz_test 1000001
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_connect
#define __NR_connect 42
#endif
#ifndef __NR_syz_fuse_mount
#define __NR_syz_fuse_mount 1000004
#endif
#ifndef __NR_syz_fuseblk_mount
#define __NR_syz_fuseblk_mount 1000005
#endif
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Per-thread fault-suppression state used by NONFAILING() and segv_handler():
 * skip_segv is > 0 while the thread is inside a NONFAILING() region, in which
 * case a SIGSEGV/SIGBUS is recovered by longjmp'ing to segv_env instead of
 * terminating the process. Both are thread-local because every thread runs
 * its own program step. */
__thread int skip_segv;
__thread jmp_buf segv_env;
/*
 * SIGSEGV/SIGBUS handler installed by install_segv_handler().
 * If the faulting thread is inside a NONFAILING() region (skip_segv > 0)
 * control is unwound to that region's _setjmp() point; otherwise the
 * process exits with the signal number as its status. The siginfo and
 * ucontext arguments are unused.
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
    (void)info;
    (void)uctx;

    int recoverable = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED);
    if (!recoverable)
        exit(sig);
    _longjmp(segv_env, 1);
}
/*
 * Route SIGSEGV and SIGBUS to segv_handler(). SA_SIGINFO selects the
 * three-argument handler form; SA_NODEFER leaves the signal unblocked while
 * the handler runs (presumably so the longjmp out of the handler does not
 * leave the signal masked for the rest of the thread's life — not verified
 * here). sigaction() failures are ignored.
 */
static void install_segv_handler()
{
    struct sigaction sa = {
        .sa_sigaction = segv_handler,
        .sa_flags = SA_NODEFER | SA_SIGINFO,
    };
    const int fatal_signals[] = { SIGSEGV, SIGBUS };

    for (size_t i = 0; i < sizeof fatal_signals / sizeof fatal_signals[0]; i++)
        sigaction(fatal_signals[i], &sa, NULL);
}
/*
 * Run the statement(s) in __VA_ARGS__ with memory faults suppressed.
 * skip_segv is raised for the duration so that segv_handler() longjmps back
 * to the _setjmp() below instead of exiting; in that case the statements are
 * simply abandoned and execution continues after the macro. The counter is
 * decremented on both the normal and the fault path. The body is a bare
 * block rather than do { } while (0), so the trailing ';' at each use site
 * is an empty statement.
 */
#define NONFAILING(...) \
    { \
        __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
        if (_setjmp(segv_env) == 0) { \
            __VA_ARGS__; \
        } \
        __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
    }
/*
 * syzkaller pseudo-syscall: open a device node.
 *   a0 == 0xc / 0xb : open /dev/char/<a1>:<a2> resp. /dev/block/<a1>:<a2>
 *                     read-write; major and minor are truncated to 8 bits.
 *   otherwise       : a0 is a pointer to a path template; each '#' is
 *                     replaced by one decimal digit of a1 (least significant
 *                     digit first) and the result is opened with flags a2.
 * The template is copied into a bounded local buffer and NUL-terminated,
 * so an over-long template is truncated rather than overflowing.
 * Returns the open() result widened to uintptr_t (-1 becomes UINTPTR_MAX).
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    char path[1024];

    if (a0 == 0xc || a0 == 0xb) {
        const char* kind = (a0 == 0xc) ? "char" : "block";
        sprintf(path, "/dev/%s/%d:%d", kind, (uint8_t)a1, (uint8_t)a2);
        return open(path, O_RDWR, 0);
    }

    strncpy(path, (const char*)a0, sizeof(path));
    path[sizeof(path) - 1] = 0;
    /* Each replaced '#' disappears, so rescanning from the start finds the
     * next placeholder. */
    for (char* digit = strchr(path, '#'); digit; digit = strchr(path, '#')) {
        *digit = '0' + (char)(a1 % 10);
        a1 /= 10;
    }
    return open(path, a2, 0);
}
/*
 * syzkaller pseudo-syscall: given a pty master fd in a0, look up its slave
 * number with TIOCGPTN and open /dev/pts/<n> with flags a1.
 * Returns -1 (widened to uintptr_t) when the ioctl fails, otherwise the
 * open() result.
 */
static uintptr_t syz_open_pts(uintptr_t a0, uintptr_t a1)
{
    int slave_no = 0;
    char path[128];

    if (ioctl(a0, TIOCGPTN, &slave_no) != 0)
        return -1;
    snprintf(path, sizeof(path), "/dev/pts/%d", slave_no);
    return open(path, a1, 0);
}
/*
 * syzkaller pseudo-syscall: open /dev/fuse and mount a "fuse" filesystem
 * at a0 (a pointer to the target path). Mount options are built from
 *   a1 mode    : bit 0 adds ",default_permissions", bit 1 adds
 *                ",allow_other"; the remaining bits are passed as rootmode
 *   a2 uid, a3 gid, a4 max_read (omitted when 0), a5 mount(2) flags.
 * The mount(2) result is ignored; the /dev/fuse fd (or -1 if it could not
 * be opened) is returned in every case.
 */
static uintptr_t syz_fuse_mount(uintptr_t a0, uintptr_t a1,
                                uintptr_t a2, uintptr_t a3,
                                uintptr_t a4, uintptr_t a5)
{
    const uint64_t target = a0, mode = a1, uid = a2, gid = a3;
    const uint64_t maxread = a4, flags = a5;
    char opts[1024];
    int len;

    int fd = open("/dev/fuse", O_RDWR);
    if (fd == -1)
        return fd;

    len = sprintf(opts, "fd=%d,user_id=%ld,group_id=%ld,rootmode=0%o", fd,
                  (long)uid, (long)gid, (unsigned)mode & ~3u);
    if (maxread != 0)
        len += sprintf(opts + len, ",max_read=%ld", (long)maxread);
    if (mode & 1)
        len += sprintf(opts + len, "%s", ",default_permissions");
    if (mode & 2)
        sprintf(opts + len, "%s", ",allow_other");

    syscall(SYS_mount, "", target, "fuse", flags, opts);
    return fd;
}
/*
 * syzkaller pseudo-syscall: like syz_fuse_mount() but for a "fuseblk"
 * mount backed by a block device node. The node is created first at the
 * path a1 (S_IFBLK, device 7:199) via mknodat(); if that fails the
 * /dev/fuse fd is returned without attempting the mount.
 *   a0 target path, a1 blkdev path, a2 mode (bit 0 -> default_permissions,
 *   bit 1 -> allow_other, rest -> rootmode), a3 uid, a4 gid,
 *   a5 max_read and a6 blksize (each omitted when 0), a7 mount(2) flags.
 * The mount(2) result is ignored.
 */
static uintptr_t syz_fuseblk_mount(uintptr_t a0, uintptr_t a1,
                                   uintptr_t a2, uintptr_t a3,
                                   uintptr_t a4, uintptr_t a5,
                                   uintptr_t a6, uintptr_t a7)
{
    const uint64_t target = a0, blkdev = a1, mode = a2, uid = a3, gid = a4;
    const uint64_t maxread = a5, blksize = a6, flags = a7;
    char opts[256];
    int len;

    int fd = open("/dev/fuse", O_RDWR);
    if (fd == -1)
        return fd;
    if (syscall(SYS_mknodat, AT_FDCWD, blkdev, S_IFBLK, makedev(7, 199)) != 0)
        return fd;

    len = sprintf(opts, "fd=%d,user_id=%ld,group_id=%ld,rootmode=0%o", fd,
                  (long)uid, (long)gid, (unsigned)mode & ~3u);
    if (maxread != 0)
        len += sprintf(opts + len, ",max_read=%ld", (long)maxread);
    if (blksize != 0)
        len += sprintf(opts + len, ",blksize=%ld", (long)blksize);
    if (mode & 1)
        len += sprintf(opts + len, "%s", ",default_permissions");
    if (mode & 2)
        sprintf(opts + len, "%s", ",allow_other");

    syscall(SYS_mount, blkdev, target, "fuseblk", flags, opts);
    return fd;
}
/*
 * Dispatch one program step. The __NR_syz_* pseudo-numbers (defined at the
 * top of this file, all >= 1000001) are emulated in user space by the
 * helpers above; every other number is handed to syscall(2) with the first
 * six arguments. a6..a8 are only consumed by the fuseblk helper.
 */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
    switch (nr) {
    case __NR_syz_test:
        return 0;
    case __NR_syz_open_dev:
        return syz_open_dev(a0, a1, a2);
    case __NR_syz_open_pts:
        return syz_open_pts(a0, a1);
    case __NR_syz_fuse_mount:
        return syz_fuse_mount(a0, a1, a2, a3, a4, a5);
    case __NR_syz_fuseblk_mount:
        return syz_fuseblk_mount(a0, a1, a2, a3, a4, a5, a6, a7);
    default:
        return syscall(nr, a0, a1, a2, a3, a4, a5);
    }
}
/* Result slots of the program steps, indexed by syzkaller's slot numbers
 * (thr() only writes r[0], r[1], r[2], r[11] and r[20]). main() fills the
 * array with 0xff bytes before starting any thread, so an unexecuted slot
 * reads as -1; r[1] holds the socket fd that steps 3 and 4 operate on. */
long r[21];
/*
 * Thread body: runs the program step selected by arg (0..4).
 * main() starts every step twice (threads 0..4, then 5..9), so the same
 * step may run concurrently with itself and steps may overlap in any
 * order; in particular the bind() of step 3 and the connect() of step 4
 * race on the socket in r[1], which is what triggers the NULL
 * bind_conflict call fixed later in this thread. If step 1 has not run
 * yet, r[1] is still -1 and steps 3/4 just fail with a bad fd.
 * Stores go through NONFAILING() so a store to a not-yet-mapped address is
 * skipped rather than killing the process.
 */
void* thr(void* arg)
{
    switch ((long)arg) {
    case 0:
        /* Step 0: map 0xb88000 bytes at the fixed address 0x20000000
         * (prot 0x3 / flags 0x32 — presumably PROT_READ|PROT_WRITE and
         * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64; not verified here). */
        r[0] =
            execute_syscall(__NR_mmap, 0x20000000ul, 0xb88000ul, 0x3ul,
                            0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
        break;
    case 1:
        /* Step 1: socket(0xa, 0x6, 0) — AF_INET6 with type 6, i.e. a DCCP
         * socket (the protocol named in the fix below); fd lands in r[1]. */
        r[1] = execute_syscall(__NR_socket, 0xaul, 0x6ul, 0x0ul, 0, 0, 0, 0,
                               0, 0);
        break;
    case 2:
        /* Step 2: map one more page at 0x20b88000, directly after the
         * step-0 region; the step-3 sockaddr is written there. */
        r[2] =
            execute_syscall(__NR_mmap, 0x20b88000ul, 0x1000ul, 0x3ul,
                            0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
        break;
    case 3:
        /* Step 3: build a 28-byte (0x1c) sockaddr_in6 at 0x20b88000 —
         * family 0xa, port bytes 0x4242, flowinfo 1, 16-byte address words
         * {0xffffffff, 1, 5, 0}, scope_id 0 (0x100000000 is truncated to 0
         * by the uint32_t cast) — and bind() the socket in r[1] to it. */
        NONFAILING(*(uint16_t*)0x20b88000 = (uint16_t)0xa);
        NONFAILING(*(uint16_t*)0x20b88002 = (uint16_t)0x4242);
        NONFAILING(*(uint32_t*)0x20b88004 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20b88008 = (uint32_t)0xffffffff);
        NONFAILING(*(uint32_t*)0x20b8800c = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20b88010 = (uint32_t)0x5);
        NONFAILING(*(uint32_t*)0x20b88014 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20b88018 = (uint32_t)0x100000000);
        r[11] = execute_syscall(__NR_bind, r[1], 0x20b88000ul, 0x1cul, 0, 0,
                                0, 0, 0, 0);
        break;
    case 4:
        /* Step 4: build a second sockaddr_in6 at 0x20000000 and connect()
         * the same socket to it. After the uint32_t truncation the address
         * words are {0, 0, 0xffff0000, 0}; on little-endian x86-64 that is
         * the byte pattern of ::ffff:0.0.0.0, an IPv4-mapped address, which
         * appears to be what moves the socket onto the dccp_ipv6_mapped ops
         * table the fix completes (inferred from the patch, not verified). */
        NONFAILING(*(uint16_t*)0x20000000 = (uint16_t)0xa);
        NONFAILING(*(uint16_t*)0x20000002 = (uint16_t)0x4242);
        NONFAILING(*(uint32_t*)0x20000004 = (uint32_t)0x400);
        NONFAILING(*(uint32_t*)0x20000008 = (uint32_t)0x100000000000000);
        NONFAILING(*(uint32_t*)0x2000000c = (uint32_t)0x100000000);
        NONFAILING(*(uint32_t*)0x20000010 = (uint32_t)0xffffffffffff0000);
        NONFAILING(*(uint32_t*)0x20000014 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20000018 = (uint32_t)0xffff);
        r[20] = execute_syscall(__NR_connect, r[1], 0x20000000ul, 0x1cul, 0,
                                0, 0, 0, 0, 0);
        break;
    }
    return 0;
}
/*
 * Entry point of the reproducer. Installs the fault handler, marks every
 * result slot as -1, then starts each of the five program steps in its own
 * thread twice: first in fixed order with a 10 ms gap between starts, then
 * again with random 0-10 ms jitter (seeded from the pid) so the second pass
 * interleaves differently on every run. Threads are never joined; the
 * process sleeps 100 ms and exits, so the mail above runs it in a shell
 * loop to get repeated attempts. pthread_create() results are not checked.
 */
int main()
{
    long i;
    pthread_t th[10];
    install_segv_handler();
    memset(r, -1, sizeof(r)); /* every long in r[] now reads as -1 */
    srand(getpid());
    for (i = 0; i < 5; i++) {
        pthread_create(&th[i], 0, thr, (void*)i);
        usleep(10000);
    }
    for (i = 0; i < 5; i++) {
        pthread_create(&th[5 + i], 0, thr, (void*)i);
        if (rand() % 2)
            usleep(rand() % 10000); /* jitter on roughly half the starts */
    }
    usleep(100000);
    return 0;
}
* Re: net/ipv6: null-ptr-deref in inet6_bind
2016-11-02 21:14 net/ipv6: null-ptr-deref in inet6_bind Andrey Konovalov
@ 2016-11-03 15:39 ` Eric Dumazet
2016-11-03 15:49 ` Andrey Konovalov
2016-11-03 15:59 ` [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped Eric Dumazet
From: Eric Dumazet @ 2016-11-03 15:39 UTC (permalink / raw)
To: Andrey Konovalov
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Dmitry Vyukov,
Alexander Potapenko, Kostya Serebryany, syzkaller
On Wed, Nov 2, 2016 at 2:14 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Hi,
>
> I've got the following error report while running the syzkaller fuzzer:
>
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [< (null)>] (null)
> PGD 66b6f067 [ 102.549865] PUD 66c6e067
> PMD 0 [ 102.549865]
> Oops: 0010 [#1] SMP KASAN
> Modules linked in:
> CPU: 0 PID: 4143 Comm: a.out Not tainted 4.9.0-rc3+ #336
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff880066b1c200 task.stack: ffff880065b58000
> RIP: 0010:[<0000000000000000>] [< (null)>] (null)
> RSP: 0018:ffff880065b5fbc0 EFLAGS: 00010246
> RAX: ffff880066b1c200 RBX: ffff88006873864a RCX: 0000000000000000
> RDX: 0000000000000001 RSI: ffff880068738640 RDI: ffff880063bd3200
> RBP: ffff880065b5fd20 R08: 1ffff1000c77a713 R09: dffffc0000000000
> R10: ffffffff844fc800 R11: 1ffff1000d0e70c9 R12: ffffffff84e7e040
> R13: ffff880068738640 R14: ffff880063bd3200 R15: ffffffff86836380
> FS: 00007f40b7acf700(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 000000006bb28000 CR4: 00000000000006f0
> Stack:
> ffffffff83099988 ffffffff8479f7e8 ffffffff81208580 1ffff1000000000c
> 0000000041b58ab3 ffffffff8479f7e8 ffffffff81208580 ffffffff812506ed
> 0000000000000007 ffff880065b5fc18 ffffffff812506ed ffff880065b5fcd0
> Call Trace:
> [<ffffffff832cf4fc>] inet6_bind+0x8ec/0x1020 net/ipv6/af_inet6.c:384
> [<ffffffff82b7033c>] SYSC_bind+0x1ec/0x250 net/socket.c:1367
> [<ffffffff82b72ae4>] SyS_bind+0x24/0x30 net/socket.c:1353
> [<ffffffff83fc0401>] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209
> Code: Bad RIP value.
> RIP [< (null)>] (null)
> RSP <ffff880065b5fbc0>
> CR2: 0000000000000000
> ---[ end trace b5ec698ae4926a97 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> Kernel Offset: disabled
> ---[ end Kernel panic - not syncing: Fatal exception in interrupt
>
> On commit 0c183d92b20b5c84ca655b45ef57b3318b83eb9e (Oct 31).
>
> I'm able to reproduce it with the attached program by running it as:
> $ gcc -lpthread inet6-bind-poc.c
> $ while true; do ./a.out; done
>
> Thanks!
Looks like this patch should fix it ?
Thanks !
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 3828f94b234c..95353bdbfa7b 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -956,6 +956,7 @@ static const struct inet_connection_sock_af_ops
dccp_ipv6_mapped = {
.getsockopt = ipv6_getsockopt,
.addr2sockaddr = inet6_csk_addr2sockaddr,
.sockaddr_len = sizeof(struct sockaddr_in6),
+ .bind_conflict = inet6_csk_bind_conflict,
#ifdef CONFIG_COMPAT
.compat_setsockopt = compat_ipv6_setsockopt,
.compat_getsockopt = compat_ipv6_getsockopt,
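Review bot: The added `.bind_conflict = inet6_csk_bind_conflict,` fills the NULL slot that the report's trace shows inet6_bind() jumping into, but nothing in the table records that the member is mandatory, so the same omission can recur in any other `inet_connection_sock_af_ops` instance (the `dccp_ipv6_mapped` initializer starts and ends outside the hunk, so its remaining members are not visible here). I would annotate the new line, e.g. `.bind_conflict = inet6_csk_bind_conflict, /* mandatory: apparently called from inet6_bind() without a NULL check */`, and as a follow-up outside this file consider a registration-time check that rejects an af_ops table whose bind_conflict is NULL rather than relying on each protocol to remember it. Since the reproducer appears to connect the DCCP socket to an IPv4-mapped address while another thread binds it, it is also worth confirming that the non-mapped `dccp_ipv6_af_ops` table in the same file already carries the member, as the commit message says DCCP as a whole lacked it. The identical hunk is re-sent as the [PATCH net] submission below and quoted in the replies; this note applies to those copies too.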
* Re: net/ipv6: null-ptr-deref in inet6_bind
2016-11-03 15:39 ` Eric Dumazet
@ 2016-11-03 15:49 ` Andrey Konovalov
2016-11-03 15:59 ` [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped Eric Dumazet
From: Andrey Konovalov @ 2016-11-03 15:49 UTC (permalink / raw)
To: Eric Dumazet
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Dmitry Vyukov,
Alexander Potapenko, Kostya Serebryany, syzkaller
Hi Eric,
It seems that your patch fixes the issue; I'm not seeing the report any more.
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Thanks!
On Thu, Nov 3, 2016 at 4:39 PM, Eric Dumazet <edumazet@google.com> wrote:
> On Wed, Nov 2, 2016 at 2:14 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> BUG: unable to handle kernel NULL pointer dereference at (null)
>> IP: [< (null)>] (null)
>> PGD 66b6f067 [ 102.549865] PUD 66c6e067
>> PMD 0 [ 102.549865]
>> Oops: 0010 [#1] SMP KASAN
>> Modules linked in:
>> CPU: 0 PID: 4143 Comm: a.out Not tainted 4.9.0-rc3+ #336
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff880066b1c200 task.stack: ffff880065b58000
>> RIP: 0010:[<0000000000000000>] [< (null)>] (null)
>> RSP: 0018:ffff880065b5fbc0 EFLAGS: 00010246
>> RAX: ffff880066b1c200 RBX: ffff88006873864a RCX: 0000000000000000
>> RDX: 0000000000000001 RSI: ffff880068738640 RDI: ffff880063bd3200
>> RBP: ffff880065b5fd20 R08: 1ffff1000c77a713 R09: dffffc0000000000
>> R10: ffffffff844fc800 R11: 1ffff1000d0e70c9 R12: ffffffff84e7e040
>> R13: ffff880068738640 R14: ffff880063bd3200 R15: ffffffff86836380
>> FS: 00007f40b7acf700(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000000000000000 CR3: 000000006bb28000 CR4: 00000000000006f0
>> Stack:
>> ffffffff83099988 ffffffff8479f7e8 ffffffff81208580 1ffff1000000000c
>> 0000000041b58ab3 ffffffff8479f7e8 ffffffff81208580 ffffffff812506ed
>> 0000000000000007 ffff880065b5fc18 ffffffff812506ed ffff880065b5fcd0
>> Call Trace:
>> [<ffffffff832cf4fc>] inet6_bind+0x8ec/0x1020 net/ipv6/af_inet6.c:384
>> [<ffffffff82b7033c>] SYSC_bind+0x1ec/0x250 net/socket.c:1367
>> [<ffffffff82b72ae4>] SyS_bind+0x24/0x30 net/socket.c:1353
>> [<ffffffff83fc0401>] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>> Code: Bad RIP value.
>> RIP [< (null)>] (null)
>> RSP <ffff880065b5fbc0>
>> CR2: 0000000000000000
>> ---[ end trace b5ec698ae4926a97 ]---
>> Kernel panic - not syncing: Fatal exception in interrupt
>> Kernel Offset: disabled
>> ---[ end Kernel panic - not syncing: Fatal exception in interrupt
>>
>> On commit 0c183d92b20b5c84ca655b45ef57b3318b83eb9e (Oct 31).
>>
>> I'm able to reproduce it with the attached program by running it as:
>> $ gcc -lpthread inet6-bind-poc.c
>> $ while true; do ./a.out; done
>>
>> Thanks!
>
> Looks like this patch should fix it ?
>
> Thanks !
>
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index 3828f94b234c..95353bdbfa7b 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -956,6 +956,7 @@ static const struct inet_connection_sock_af_ops
> dccp_ipv6_mapped = {
> .getsockopt = ipv6_getsockopt,
> .addr2sockaddr = inet6_csk_addr2sockaddr,
> .sockaddr_len = sizeof(struct sockaddr_in6),
> + .bind_conflict = inet6_csk_bind_conflict,
> #ifdef CONFIG_COMPAT
> .compat_setsockopt = compat_ipv6_setsockopt,
> .compat_getsockopt = compat_ipv6_getsockopt,
* [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
2016-11-03 15:39 ` Eric Dumazet
2016-11-03 15:49 ` Andrey Konovalov
@ 2016-11-03 15:59 ` Eric Dumazet
2016-11-03 16:22 ` Arnaldo Carvalho de Melo
2016-11-03 20:51 ` David Miller
From: Eric Dumazet @ 2016-11-03 15:59 UTC (permalink / raw)
To: David Miller
Cc: Andrey Konovalov, netdev, syzkaller, Gerrit Renker, dccp,
Arnaldo Carvalho de Melo
From: Eric Dumazet <edumazet@google.com>
While fuzzing the kernel with syzkaller, Andrey reported a nasty crash
in inet6_bind() caused by DCCP lacking a required method.
Fixes: ab1e0a13d7029 ("[SOCK] proto: Add hashinfo member to struct proto")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
---
net/dccp/ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 3828f94b234c..95353bdbfa7b 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -956,6 +956,7 @@ static const struct inet_connection_sock_af_ops
dccp_ipv6_mapped = {
.getsockopt = ipv6_getsockopt,
.addr2sockaddr = inet6_csk_addr2sockaddr,
.sockaddr_len = sizeof(struct sockaddr_in6),
+ .bind_conflict = inet6_csk_bind_conflict,
#ifdef CONFIG_COMPAT
.compat_setsockopt = compat_ipv6_setsockopt,
.compat_getsockopt = compat_ipv6_getsockopt,
* Re: [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
2016-11-03 15:59 ` [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped Eric Dumazet
@ 2016-11-03 16:22 ` Arnaldo Carvalho de Melo
2016-11-03 20:51 ` David Miller
From: Arnaldo Carvalho de Melo @ 2016-11-03 16:22 UTC (permalink / raw)
To: Eric Dumazet
Cc: David Miller, Andrey Konovalov, netdev, syzkaller, Gerrit Renker,
dccp, Arnaldo Carvalho de Melo
Em Thu, Nov 03, 2016 at 08:59:46AM -0700, Eric Dumazet escreveu:
> From: Eric Dumazet <edumazet@google.com>
>
> While fuzzing kernel with syzkaller, Andrey reported a nasty crash
> in inet6_bind() caused by DCCP lacking a required method.
Ouch, thanks, forgot the mapped case :-)
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
- Arnaldo
> Fixes: ab1e0a13d7029 ("[SOCK] proto: Add hashinfo member to struct proto")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Tested-by: Andrey Konovalov <andreyknvl@google.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> ---
> net/dccp/ipv6.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index 3828f94b234c..95353bdbfa7b 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -956,6 +956,7 @@ static const struct inet_connection_sock_af_ops
> dccp_ipv6_mapped = {
> .getsockopt = ipv6_getsockopt,
> .addr2sockaddr = inet6_csk_addr2sockaddr,
> .sockaddr_len = sizeof(struct sockaddr_in6),
> + .bind_conflict = inet6_csk_bind_conflict,
> #ifdef CONFIG_COMPAT
> .compat_setsockopt = compat_ipv6_setsockopt,
> .compat_getsockopt = compat_ipv6_getsockopt,
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe dccp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
2016-11-03 15:59 ` [PATCH net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped Eric Dumazet
2016-11-03 16:22 ` Arnaldo Carvalho de Melo
@ 2016-11-03 20:51 ` David Miller
From: David Miller @ 2016-11-03 20:51 UTC (permalink / raw)
To: eric.dumazet; +Cc: andreyknvl, netdev, syzkaller, gerrit, dccp, acme
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 03 Nov 2016 08:59:46 -0700
> From: Eric Dumazet <edumazet@google.com>
>
> While fuzzing kernel with syzkaller, Andrey reported a nasty crash
> in inet6_bind() caused by DCCP lacking a required method.
>
> Fixes: ab1e0a13d7029 ("[SOCK] proto: Add hashinfo member to struct proto")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Tested-by: Andrey Konovalov <andreyknvl@google.com>
Applied and queued up for -stable, thanks Eric.