From: zhudi <zhudi21@huawei.com>
To: <jhs@mojatatu.com>, <xiyou.wangcong@gmail.com>
Cc: <davem@davemloft.net>, <kuba@kernel.org>,
<netdev@vger.kernel.org>, <zhudi21@huawei.com>,
<rose.chen@huawei.com>
Subject: [PATCH] net/sched: act_pedit: fix a NULL pointer deref in tcf_pedit_init
Date: Tue, 9 Mar 2021 11:47:36 +0800 [thread overview]
Message-ID: <20210309034736.8656-1-zhudi21@huawei.com> (raw)
From: Di Zhu <zhudi21@huawei.com>
when we use syzkaller to fuzz-test our kernel, one NULL pointer dereference
BUG happened:
Write of size 96 at addr 0000000000000010 by task syz-executor.0/22376
==================================================================
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 80000001dc1a9067 P4D 80000001dc1a9067 PUD 1a32b5067 PMD 0
[...]
Call Trace
memcpy include/linux/string.h:345 [inline]
tcf_pedit_init+0x7b4/0xa10 net/sched/act_pedit.c:232
tcf_action_init_1+0x59b/0x730 net/sched/act_api.c:920
tcf_action_init+0x1ef/0x320 net/sched/act_api.c:975
tcf_action_add+0xd2/0x270 net/sched/act_api.c:1360
tc_ctl_action+0x267/0x290 net/sched/act_api.c:1412
[...]
The root cause is that we use kmalloc() to allocate mem space for
keys without checking if the ksize is 0. if ksize == 0 then kmalloc()
will return ZERO_SIZE_PTR currently defined as 16, not the NULL pointer.
eventually ZERO_SIZE_PTR is assigned to p->tcfp_keys. The next time you
update the action with ksize not equal to 0, the bug will appear. This is
because p->tcfp_nkeys == 0, so it will not call kmalloc() to realloc mem
using new ksize and eventually, memcpy() use ZERO_SIZE_PTR as destination
address.
So we can allow memory reallocation even if current p->tcfp_nkeys == 0 and
kfree() supports ZERO_SIZE_PTR as input parameter
Signed-off-by: Di Zhu <zhudi21@huawei.com>
---
net/sched/act_pedit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index b45304446e13..86514bd49ab6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -216,7 +216,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
spin_lock_bh(&p->tcf_lock);
if (ret == ACT_P_CREATED ||
- (p->tcfp_nkeys && p->tcfp_nkeys != parm->nkeys)) {
+ (p->tcfp_nkeys != parm->nkeys)) {
keys = kmalloc(ksize, GFP_ATOMIC);
if (!keys) {
spin_unlock_bh(&p->tcf_lock);
--
2.23.0
next reply other threads:[~2021-03-09 3:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-09 3:47 zhudi [this message]
2021-03-09 8:53 ` [PATCH] net/sched: act_pedit: fix a NULL pointer deref in tcf_pedit_init Davide Caratti
2021-03-09 11:24 ` 答复: " zhudi (J)
2021-03-09 15:47 ` Davide Caratti
2021-03-09 18:00 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210309034736.8656-1-zhudi21@huawei.com \
--to=zhudi21@huawei.com \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rose.chen@huawei.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).