Date: Tue, 12 Feb 2019 14:45:47 -0800
From: Stephen Hemminger
To: netdev@vger.kernel.org
Subject: Fw: [Bug 202561] BUG: Null pointer dereference in __skb_unlink()
Message-ID: <20190212144547.27dca239@shemminger-XPS-13-9360>
X-Mailing-List: netdev@vger.kernel.org

https://bugzilla.kernel.org/show_bug.cgi?id=202561

Backtrace:

[ 3.589241] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 3.598006] IP: __skb_try_recv_from_queue+0x4e/0x1b0
[ 3.606376] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 3.720520] RIP: 0010:__skb_try_recv_from_queue+0x4e/0x1b0
[ 3.726645] RSP: 0018:ffffb03400e53ac8 EFLAGS: 00010046
[ 3.732470] RAX: ffff9040a78988c8 RBX: ffff904096bbef00 RCX: 000000000000000
[ 3.740441] RDX: 0000000000000000 RSI: ffff9040a78988c8 RDI: fff9040a7898800
[ 3.748411] RBP: ffffb03400e53ae8 R08: ffffb03400e53bf8 R09: fffb03400e53bfc
[ 3.756382] R10: ffff904096989d00 R11: 0000000000000000 R12: fff9040a78988dc
[ 3.764345] R13: ffff9040a78988c8 R14: 0000000000000202 R15: fffb03400e53ba8
[ 3.772305] FS: 00007feb1ef2f740(0000) GS:ffff9040bfd00000(0000) knlGS:0000000000000000
[ 3.781342] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.787757] CR2: 0000000000000008 CR3: 00000001e87fa000 CR4: 00000000003406a0
[ 3.795725] Call Trace:
[ 3.798456] ? preempt_count_add+0x22/0x30
[ 3.803027] __skb_try_recv_datagram+0xe2/0x160
[ 3.808086] __skb_recv_datagram+0x8a/0xc0
[ 3.812657] skb_recv_datagram+0x3a/0x50
[ 3.817035] netlink_recvmsg+0x4e/0x3c0
[ 3.821315] ? copy_msghdr_from_user+0xcf/0x150
[ 3.826372] sock_recvmsg+0x3b/0x50
[ 3.830264] ___sys_recvmsg+0xd4/0x180
[ 3.834441] ? poll_select_copy_remaining+0x140/0x140
[ 3.840080] ? poll_select_copy_remaining+0x140/0x140
[ 3.845721] ? __switch_to_asm+0x34/0x70
[ 3.850098] ? __switch_to_asm+0x40/0x70
[ 3.854473] ? __switch_to_asm+0x34/0x70
[ 3.858849] ? __switch_to_asm+0x40/0x70
[ 3.863228] ? __switch_to_asm+0x34/0x70
[ 3.867604] ? __fget+0x71/0xa0
[ 3.871108] __sys_recvmsg+0x4c/0x90
[ 3.875097] ? __sys_recvmsg+0x4c/0x90
[ 3.879280] SyS_recvmsg+0x9/0x10
[ 3.882979] do_syscall_64+0x7e/0x350
[ 3.887064] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 3.892315] entry_SYSCALL_64_after_hwframe+0x42/0xb7

Original report from sharathkernel@gmail.com:

NULL POINTER DEREFERENCE DURING __skb_unlink()

In the function call __skb_try_recv_from_queue() (net/core/datagram.c), skb_queue_walk() walks through the queue without checking if the next member in the queue has a valid next pointer/address. When a socket buffer has to be unlinked, __skb_unlink() is called. Inside the __skb_unlink() function, it doesn't verify if skb->next has a valid address. skb->next is assigned and used without verifying the value inside it.
What could be a probable solution in this scenario? Should we check that skb->next is not NULL before calling __skb_unlink()?

--------------------------------------------------------------------------
--------------------------------------------------------------------------

net/core/datagram.c

struct sk_buff *__skb_try_recv_from_queue(struct sock *sk,
					  struct sk_buff_head *queue,
					  unsigned int flags,
					  void (*destructor)(struct sock *sk,
							     struct sk_buff *skb),
					  int *peeked, int *off, int *err,
					  struct sk_buff **last)
{
	...
	skb_queue_walk(queue, skb) {
		...
		} else {
==>			__skb_unlink(skb, queue);
			if (destructor) {
				...
			}
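As an added example (not code from the bug report or the kernel tree), the following user-space model of the sk_buff_head list and of __skb_unlink() shows why a NULL skb->next faults at address 8 and why a back-link consistency check, rather than a bare NULL test before the call, is the defensive answer to the reporter's question. The struct layout and the __skb_unlink() body are assumptions modelled on the 4.x kernel headers.

```c
/* Added example, not from the report or the kernel tree: a user-space model of
 * the sk_buff_head circular list, __skb_unlink(), and a CONFIG_DEBUG_LIST-style
 * back-link check that reports corruption instead of dereferencing it. */
#include <stddef.h>
#include <stdbool.h>
struct skb {              /* stand-in for struct sk_buff */
    struct skb *next;     /* offset 0, as in the kernel */
    struct skb *prev;     /* offset 8 on x86-64 */
    int id;
};
struct skb_head {         /* stand-in for struct sk_buff_head (sentinel) */
    struct skb *next, *prev;
    unsigned int qlen;
};

static void head_init(struct skb_head *h)
{
    h->next = h->prev = (struct skb *)h;
    h->qlen = 0;
}

static void queue_tail(struct skb_head *h, struct skb *s)
{
    s->next = (struct skb *)h;
    s->prev = h->prev;
    h->prev->next = s;
    h->prev = s;
    h->qlen++;
}

/* Mirrors __skb_unlink(): it trusts skb->next/prev. With skb->next == NULL,
 * "next->prev = prev" writes to address 8, consistent with the report's
 * CR2 = 8 and Oops code 0002 (write to a not-present page). */
static void unlink_unchecked(struct skb *s, struct skb_head *h)
{
    struct skb *next = s->next, *prev = s->prev;
    h->qlen--;
    s->next = s->prev = NULL;
    next->prev = prev;
    prev->next = next;
}

/* Defensive variant: both neighbours must point back at s. A bare NULL test
 * on skb->next would dodge this oops yet leave the corrupted queue in use. */
static bool unlink_checked(struct skb *s, struct skb_head *h)
{
    struct skb *next = s->next, *prev = s->prev;
    if (!next || !prev || next->prev != s || prev->next != s)
        return false;
    unlink_unchecked(s, h);
    return true;
}
```

In the kernel the equivalent check is what CONFIG_DEBUG_LIST adds to list_del(); on a queue with a NULL link, the useful fix is finding who corrupted the link, not skipping the unlink.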