[PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
@ 2024-11-06  9:36 Hyunwoo Kim
  2024-11-06  9:41 ` Stefano Garzarella
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Hyunwoo Kim @ 2024-11-06  9:36 UTC (permalink / raw)
  To: K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui,
	Stefano Garzarella, mst, jasowang
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, linux-hyperv, virtualization, netdev, gregkh,
	imv4bel, v4bel

When hvs is released, there is a possibility that vsk->trans may not
be initialized to NULL, which could lead to a dangling pointer.
This issue is resolved by initializing vsk->trans to NULL.

Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
---
v1 -> v2: Add fixes and cc tags
---
 net/vmw_vsock/hyperv_transport.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index e2157e387217..56c232cf5b0f 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -549,6 +549,7 @@ static void hvs_destruct(struct vsock_sock *vsk)
 		vmbus_hvsock_device_unregister(chan);
 
 	kfree(hvs);
+	vsk->trans = NULL;
 }
 
 static int hvs_dgram_bind(struct vsock_sock *vsk, struct sockaddr_vm *addr)
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-06  9:36 [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Hyunwoo Kim
@ 2024-11-06  9:41 ` Stefano Garzarella
  2024-11-06  9:42 ` Michael S. Tsirkin
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: Stefano Garzarella @ 2024-11-06  9:41 UTC (permalink / raw)
  To: Hyunwoo Kim
  Cc: K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui, mst,
	jasowang, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, linux-hyperv, virtualization, netdev,
	gregkh, imv4bel

On Wed, Nov 06, 2024 at 04:36:04AM -0500, Hyunwoo Kim wrote:
>When hvs is released, there is a possibility that vsk->trans may not
>be initialized to NULL, which could lead to a dangling pointer.
>This issue is resolved by initializing vsk->trans to NULL.
>
>Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
>Cc: stable@vger.kernel.org
>Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
>---
>v1 -> v2: Add fixes and cc tags
>---
> net/vmw_vsock/hyperv_transport.c | 1 +
> 1 file changed, 1 insertion(+)

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

>
>diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
>index e2157e387217..56c232cf5b0f 100644
>--- a/net/vmw_vsock/hyperv_transport.c
>+++ b/net/vmw_vsock/hyperv_transport.c
>@@ -549,6 +549,7 @@ static void hvs_destruct(struct vsock_sock *vsk)
> 		vmbus_hvsock_device_unregister(chan);
>
> 	kfree(hvs);
>+	vsk->trans = NULL;
> }
>
> static int hvs_dgram_bind(struct vsock_sock *vsk, struct sockaddr_vm *addr)
>-- 
>2.34.1
>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-06  9:36 [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Hyunwoo Kim
  2024-11-06  9:41 ` Stefano Garzarella
@ 2024-11-06  9:42 ` Michael S. Tsirkin
  2024-11-07 19:29 ` Jakub Kicinski
  2024-11-09 17:50 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 8+ messages in thread
From: Michael S. Tsirkin @ 2024-11-06  9:42 UTC (permalink / raw)
  To: Hyunwoo Kim
  Cc: K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui,
	Stefano Garzarella, jasowang, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, linux-hyperv,
	virtualization, netdev, gregkh, imv4bel

On Wed, Nov 06, 2024 at 04:36:04AM -0500, Hyunwoo Kim wrote:
> When hvs is released, there is a possibility that vsk->trans may not
> be initialized to NULL, which could lead to a dangling pointer.
> This issue is resolved by initializing vsk->trans to NULL.
> 
> Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hyunwoo Kim <v4bel@theori.io>

Acked-by: Michael S. Tsirkin <mst@redhat.com>


> ---
> v1 -> v2: Add fixes and cc tags
> ---
>  net/vmw_vsock/hyperv_transport.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
> index e2157e387217..56c232cf5b0f 100644
> --- a/net/vmw_vsock/hyperv_transport.c
> +++ b/net/vmw_vsock/hyperv_transport.c
> @@ -549,6 +549,7 @@ static void hvs_destruct(struct vsock_sock *vsk)
>  		vmbus_hvsock_device_unregister(chan);
>  
>  	kfree(hvs);
> +	vsk->trans = NULL;
>  }
>  
>  static int hvs_dgram_bind(struct vsock_sock *vsk, struct sockaddr_vm *addr)
> -- 
> 2.34.1


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-06  9:36 [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Hyunwoo Kim
  2024-11-06  9:41 ` Stefano Garzarella
  2024-11-06  9:42 ` Michael S. Tsirkin
@ 2024-11-07 19:29 ` Jakub Kicinski
  2024-11-07 21:41   ` Michael S. Tsirkin
  2024-11-09 17:50 ` patchwork-bot+netdevbpf
  3 siblings, 1 reply; 8+ messages in thread
From: Jakub Kicinski @ 2024-11-07 19:29 UTC (permalink / raw)
  To: Hyunwoo Kim
  Cc: K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui,
	Stefano Garzarella, mst, jasowang, David S. Miller, Eric Dumazet,
	Paolo Abeni, Simon Horman, linux-hyperv, virtualization, netdev,
	gregkh, imv4bel

On Wed, 6 Nov 2024 04:36:04 -0500 Hyunwoo Kim wrote:
> When hvs is released, there is a possibility that vsk->trans may not
> be initialized to NULL, which could lead to a dangling pointer.
> This issue is resolved by initializing vsk->trans to NULL.
> 
> Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
> Cc: stable@vger.kernel.org

I don't see the v1 on netdev@, nor a link to it in the change log
so I may be missing the context, but the commit message is a bit
sparse.

The stable and Fixes tags indicate this is a fix. But the commit
message reads like currently no such crash is observed, quote:

                          which could lead to a dangling pointer.
                                ^^^^^
                                     ?

Could someone clarify?

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-07 19:29 ` Jakub Kicinski
@ 2024-11-07 21:41   ` Michael S. Tsirkin
  2024-11-07 21:52     ` Jakub Kicinski
  0 siblings, 1 reply; 8+ messages in thread
From: Michael S. Tsirkin @ 2024-11-07 21:41 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Hyunwoo Kim, K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui,
	Stefano Garzarella, jasowang, David S. Miller, Eric Dumazet,
	Paolo Abeni, Simon Horman, linux-hyperv, virtualization, netdev,
	gregkh, imv4bel

On Thu, Nov 07, 2024 at 11:29:42AM -0800, Jakub Kicinski wrote:
> On Wed, 6 Nov 2024 04:36:04 -0500 Hyunwoo Kim wrote:
> > When hvs is released, there is a possibility that vsk->trans may not
> > be initialized to NULL, which could lead to a dangling pointer.
> > This issue is resolved by initializing vsk->trans to NULL.
> > 
> > Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
> > Cc: stable@vger.kernel.org
> 
> I don't see the v1 on netdev@, nor a link to it in the change log
> so I may be missing the context, but the commit message is a bit
> sparse.
> 
> The stable and Fixes tags indicate this is a fix. But the commit
> message reads like currently no such crash is observed, quote:
> 
>                           which could lead to a dangling pointer.
>                                 ^^^^^
>                                      ?
> 
> Could someone clarify?

I think it's just an accent, in certain languages/cultures expressing
uncertainty is considered polite. Should be "can".

-- 
MST


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-07 21:41   ` Michael S. Tsirkin
@ 2024-11-07 21:52     ` Jakub Kicinski
  2024-11-08  9:06       ` Hyunwoo Kim
  0 siblings, 1 reply; 8+ messages in thread
From: Jakub Kicinski @ 2024-11-07 21:52 UTC (permalink / raw)
  To: Michael S. Tsirkin
  Cc: Hyunwoo Kim, K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui,
	Stefano Garzarella, jasowang, David S. Miller, Eric Dumazet,
	Paolo Abeni, Simon Horman, linux-hyperv, virtualization, netdev,
	gregkh, imv4bel

On Thu, 7 Nov 2024 16:41:02 -0500 Michael S. Tsirkin wrote:
> On Thu, Nov 07, 2024 at 11:29:42AM -0800, Jakub Kicinski wrote:
> > On Wed, 6 Nov 2024 04:36:04 -0500 Hyunwoo Kim wrote:  
> > > When hvs is released, there is a possibility that vsk->trans may not
> > > be initialized to NULL, which could lead to a dangling pointer.
> > > This issue is resolved by initializing vsk->trans to NULL.
> > > 
> > > Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
> > > Cc: stable@vger.kernel.org  
> > 
> > I don't see the v1 on netdev@, nor a link to it in the change log
> > so I may be missing the context, but the commit message is a bit
> > sparse.
> > 
> > The stable and Fixes tags indicate this is a fix. But the commit
> > message reads like currently no such crash is observed, quote:
> > 
> >                           which could lead to a dangling pointer.
> >                                 ^^^^^
> >                                      ?
> > 
> > Could someone clarify?  
> 
> I think it's just an accent, in certain languages/cultures expressing
> uncertainty is considered polite. Should be "can".

You're probably right, the issue perhaps isn't the phrasing as much 
as the lack of pointing out the code path in which the dangling pointer
would be deferenced.  Hyunwoo Kim, can you provide one?

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-07 21:52     ` Jakub Kicinski
@ 2024-11-08  9:06       ` Hyunwoo Kim
  0 siblings, 0 replies; 8+ messages in thread
From: Hyunwoo Kim @ 2024-11-08  9:06 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Michael S. Tsirkin, K. Y. Srinivasan, Haiyang Zhang, Wei Liu,
	Dexuan Cui, Stefano Garzarella, jasowang, David S. Miller,
	Eric Dumazet, Paolo Abeni, Simon Horman, linux-hyperv,
	virtualization, netdev, gregkh, imv4bel, v4bel

Dear,

On Thu, Nov 07, 2024 at 01:52:33PM -0800, Jakub Kicinski wrote:
> On Thu, 7 Nov 2024 16:41:02 -0500 Michael S. Tsirkin wrote:
> > On Thu, Nov 07, 2024 at 11:29:42AM -0800, Jakub Kicinski wrote:
> > > On Wed, 6 Nov 2024 04:36:04 -0500 Hyunwoo Kim wrote:  
> > > > When hvs is released, there is a possibility that vsk->trans may not
> > > > be initialized to NULL, which could lead to a dangling pointer.
> > > > This issue is resolved by initializing vsk->trans to NULL.
> > > > 
> > > > Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
> > > > Cc: stable@vger.kernel.org  
> > > 
> > > I don't see the v1 on netdev@, nor a link to it in the change log
> > > so I may be missing the context, but the commit message is a bit
> > > sparse.
> > > 
> > > The stable and Fixes tags indicate this is a fix. But the commit
> > > message reads like currently no such crash is observed, quote:
> > > 
> > >                           which could lead to a dangling pointer.
> > >                                 ^^^^^
> > >                                      ?
> > > 
> > > Could someone clarify?  
> > 
> > I think it's just an accent, in certain languages/cultures expressing
> > uncertainty is considered polite. Should be "can".
> 
> You're probably right, the issue perhaps isn't the phrasing as much 
> as the lack of pointing out the code path in which the dangling pointer
> would be deferenced.  Hyunwoo Kim, can you provide one?

This is a potential issue.

Initially, I reported a patch for a dangling pointer in 
virtio_transport_destruct() within virtio_transport_common.c to the security team.
The vulnerability in virtio_transport_destruct() was actually exploited for 
root privilege escalation, and its exploitability was confirmed (Google kernelCTF). 
Afterward, the maintainers recommended patching the hvs_destruct() function, which 
has a similar form to virtio_transport_destruct(), so I created and submitted this patch. 
Unlike virtio_transport_destruct(), this has not been actually triggered, so there 
is no call stack available.

However, I still believe it’s good to patch it since it is a potential issue.
Additionally, the v1 patch only exists in the security mailing list, which is why it might not be visible.

Best Regards,
Hyunwoo Kim

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
  2024-11-06  9:36 [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Hyunwoo Kim
                   ` (2 preceding siblings ...)
  2024-11-07 19:29 ` Jakub Kicinski
@ 2024-11-09 17:50 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-11-09 17:50 UTC (permalink / raw)
  To: Hyunwoo Kim
  Cc: kys, haiyangz, wei.liu, decui, sgarzare, mst, jasowang, davem,
	edumazet, kuba, pabeni, horms, linux-hyperv, virtualization,
	netdev, gregkh, imv4bel

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 6 Nov 2024 04:36:04 -0500 you wrote:
> When hvs is released, there is a possibility that vsk->trans may not
> be initialized to NULL, which could lead to a dangling pointer.
> This issue is resolved by initializing vsk->trans to NULL.
> 
> Fixes: ae0078fcf0a5 ("hv_sock: implements Hyper-V transport for Virtual Sockets (AF_VSOCK)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
> 
> [...]

Here is the summary with links:
  - [v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
    https://git.kernel.org/netdev/net-next/c/e629295bd60a

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-11-09 17:50 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-06  9:36 [PATCH v2] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Hyunwoo Kim
2024-11-06  9:41 ` Stefano Garzarella
2024-11-06  9:42 ` Michael S. Tsirkin
2024-11-07 19:29 ` Jakub Kicinski
2024-11-07 21:41   ` Michael S. Tsirkin
2024-11-07 21:52     ` Jakub Kicinski
2024-11-08  9:06       ` Hyunwoo Kim
2024-11-09 17:50 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).