From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 24 Mar 2025 17:27:11 +0000
From: Simon Horman
To: pwn9uin@gmail.com
Cc: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org
Subject: Re: [PATCH net v2] atm: Fix NULL pointer dereference
Message-ID: <20250324172711.GI892515@horms.kernel.org>
References: <20250322105200.14981-1-pwn9uin@gmail.com>
In-Reply-To: <20250322105200.14981-1-pwn9uin@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

On Sat, Mar 22, 2025 at 10:52:00AM +0000, pwn9uin@gmail.com wrote:
> From: Minjoong Kim
>
> When MPOA_cache_impos_rcvd() receives the msg, it can trigger a
> NULL pointer dereference vulnerability if both entry and
> holding_time are NULL. Because there is only a check for the situation
> where entry is NULL and holding_time exists, it can be passed
> when both entry and holding_time are NULL. If these are NULL,
> the entry will be passed to eg_cache_put() as a parameter and
> it is referenced by the entry->use code in it.
>
> kasan log:
>
> [    3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
> [    3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
> [    3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
> [    3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [    3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
> [    3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
> [    3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
> [    3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
> [    3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
> [    3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
> [    3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
> [    3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
> [    3.324185] FS:  000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
> [    3.325042] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
> [    3.326430] Call Trace:
> [    3.326725]
> [    3.326927]  ? die_addr+0x3c/0xa0
> [    3.327330]  ? exc_general_protection+0x161/0x2a0
> [    3.327662]  ? asm_exc_general_protection+0x26/0x30
> [    3.328214]  ? vprintk_emit+0x15e/0x420
> [    3.328543]  ? eg_cache_remove_entry+0xa5/0x470
> [    3.328910]  ? eg_cache_remove_entry+0x9a/0x470
> [    3.329294]  ? __pfx_eg_cache_remove_entry+0x10/0x10
> [    3.329664]  ? console_unlock+0x107/0x1d0
> [    3.329946]  ? __pfx_console_unlock+0x10/0x10
> [    3.330283]  ? do_syscall_64+0xa6/0x1a0
> [    3.330584]  ? entry_SYSCALL_64_after_hwframe+0x47/0x7f
> [    3.331090]  ? __pfx_prb_read_valid+0x10/0x10
> [    3.331395]  ? down_trylock+0x52/0x80
> [    3.331703]  ? vprintk_emit+0x15e/0x420
> [    3.331986]  ? __pfx_vprintk_emit+0x10/0x10
> [    3.332279]  ? down_trylock+0x52/0x80
> [    3.332527]  ? _printk+0xbf/0x100
> [    3.332762]  ? __pfx__printk+0x10/0x10
> [    3.333007]  ? _raw_write_lock_irq+0x81/0xe0
> [    3.333284]  ? __pfx__raw_write_lock_irq+0x10/0x10
> [    3.333614]  msg_from_mpoad+0x1185/0x2750
> [    3.333893]  ? __build_skb_around+0x27b/0x3a0
> [    3.334183]  ? __pfx_msg_from_mpoad+0x10/0x10
> [    3.334501]  ? __alloc_skb+0x1c0/0x310
> [    3.334809]  ? __pfx___alloc_skb+0x10/0x10
> [    3.335283]  ? _raw_spin_lock+0xe0/0xe0
> [    3.335632]  ? finish_wait+0x8d/0x1e0
> [    3.335975]  vcc_sendmsg+0x684/0xba0
> [    3.336250]  ? __pfx_vcc_sendmsg+0x10/0x10
> [    3.336587]  ? __pfx_autoremove_wake_function+0x10/0x10
> [    3.337056]  ? fdget+0x176/0x3e0
> [    3.337348]  __sys_sendto+0x4a2/0x510
> [    3.337663]  ? __pfx___sys_sendto+0x10/0x10
> [    3.337969]  ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400
> [    3.338364]  ? sock_ioctl+0x1bb/0x5a0
> [    3.338653]  ? __rseq_handle_notify_resume+0x825/0xd20
> [    3.339017]  ? __pfx_sock_ioctl+0x10/0x10
> [    3.339316]  ? __pfx___rseq_handle_notify_resume+0x10/0x10
> [    3.339727]  ? selinux_file_ioctl+0xa4/0x260
> [    3.340166]  __x64_sys_sendto+0xe0/0x1c0
> [    3.340526]  ? syscall_exit_to_user_mode+0x123/0x140
> [    3.340898]  do_syscall_64+0xa6/0x1a0
> [    3.341170]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> [    3.341533] RIP: 0033:0x44a380
> [    3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00
> [    3.343078] RSP: 002b:00007ffc1d404098 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> [    3.343631] RAX: ffffffffffffffda RBX: 00007ffc1d404458 RCX: 000000000044a380
> [    3.344306] RDX: 000000000000019c RSI: 00007ffc1d4040b0 RDI: 0000000000000003
> [    3.344833] RBP: 00007ffc1d404260 R08: 0000000000000000 R09: 0000000000000000
> [    3.345381] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> [    3.346015] R13: 00007ffc1d404448 R14: 00000000004c17d0 R15: 0000000000000001
> [    3.346503]
> [    3.346679] Modules linked in:
> [    3.346956] ---[ end trace 0000000000000000 ]---
> [    3.347315] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
> [    3.347737] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
> [    3.349157] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
> [    3.349517] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
> [    3.350103] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
> [    3.350610] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
> [    3.351246] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
> [    3.351785] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
> [    3.352404] FS:  000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
> [    3.353099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    3.353544] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
> [    3.354072] note: ex[79] exited with irqs disabled
> [    3.354458] note: ex[79] exited with preempt_count 1
>
> Signed-off-by: Minjoong Kim
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> ---
> Changes in v2:
> * Add KASAN report and Link to patch description
> * Link to v1 https://lore.kernel.org/netdev/20250314003404.16408-1-pwn9uin@gmail.com/

Thanks for the update.

Reviewed-by: Simon Horman
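The commit message above describes the shape of the bug without showing the code: a lookup that may return NULL, a single NULL check that is coupled to holding_time being non-zero, and a fall-through into remove/put that dereferences entry->use. The block below is an added userspace model of that control flow, written for this page; it is not code from net/atm/mpc.c and not the posted patch (whose hunks are not on this page). Every identifier in it (model_cache, impos_msg, cache_get/cache_add/cache_put/cache_remove, impos_rcvd_vulnerable, impos_rcvd_fixed, the cache id 0x1234 and holding time 60) is a hypothetical stand-in, the message fields are constructed, and the refcount discipline (lookup takes a reference, a new entry starts with two) is an assumption of the model rather than a statement about the kernel's eg_cache. Instead of crashing, the model records when a NULL entry reaches put/remove, so the vulnerable and the fixed flow can be run side by side on the triggering input: a removal (holding_time == 0) for a cache id that was never added. The "fixed" variant closes the gap by returning before entry is touched; it is one way to do that, not necessarily the diff the patch applies.

```c
#include <stddef.h>
#include <stdint.h>

#define SLOTS 4
/* Hypothetical egress-cache entry; 'use' is the refcount the oops is taken on. */
struct eg_entry { uint32_t cache_id; uint16_t holding_time; int use; int in_cache; };
/* null_deref is set, instead of crashing, when a NULL entry reaches put/remove. */
struct model_cache { struct eg_entry entries[SLOTS]; size_t n; int null_deref; };
struct impos_msg { uint32_t cache_id; uint16_t holding_time; };  /* constructed stand-in */
enum impos_result { IMPOS_ADDED, IMPOS_UPDATED, IMPOS_REMOVED, IMPOS_IGNORED };
typedef enum impos_result (*impos_handler)(struct model_cache *, const struct impos_msg *);

/* Lookup takes a reference, as a get_by_cache_id() would (model assumption). */
static struct eg_entry *cache_get(struct model_cache *c, uint32_t id)
{
    for (size_t i = 0; i < c->n; i++)
        if (c->entries[i].in_cache && c->entries[i].cache_id == id)
            return c->entries[i].use++, &c->entries[i];  /* take a reference */
    return NULL;
}

/* New entry: one reference for the cache, one handed back to the caller. */
static struct eg_entry *cache_add(struct model_cache *c, const struct impos_msg *m)
{
    if (c->n == SLOTS)
        return NULL;
    c->entries[c->n] = (struct eg_entry){ m->cache_id, m->holding_time, 2, 1 };
    return &c->entries[c->n++];
}

/* The real put()/remove() touch entry->use unconditionally; the model records the NULL. */
static void cache_put(struct model_cache *c, struct eg_entry *e)
{
    if (e == NULL) { c->null_deref = 1; return; }
    e->use--;
}
static void cache_remove(struct model_cache *c, struct eg_entry *e)
{
    if (e == NULL) { c->null_deref = 1; return; }
    e->in_cache = 0;
    e->use--;  /* drop the cache's own reference */
}

/* Shared tail for a looked-up entry: refresh while holding_time != 0, otherwise remove. */
static enum impos_result refresh_or_remove(struct model_cache *c, struct eg_entry *entry, const struct impos_msg *m)
{
    if (m->holding_time) {
        entry->holding_time = m->holding_time;
        cache_put(c, entry);
        return IMPOS_UPDATED;
    }
    cache_remove(c, entry);
    cache_put(c, entry);
    return IMPOS_REMOVED;
}

/* As the report describes: the only NULL check is tied to holding_time != 0. */
static enum impos_result impos_rcvd_vulnerable(struct model_cache *c, const struct impos_msg *m)
{
    struct eg_entry *entry = cache_get(c, m->cache_id);
    if (entry == NULL && m->holding_time) {
        cache_put(c, cache_add(c, m));
        return IMPOS_ADDED;
    }
    return refresh_or_remove(c, entry, m);  /* entry may still be NULL here */
}

/* Gap closed: an unknown id with holding_time == 0 has nothing to remove, so return early. */
static enum impos_result impos_rcvd_fixed(struct model_cache *c, const struct impos_msg *m)
{
    struct eg_entry *entry = cache_get(c, m->cache_id);
    if (entry == NULL) {
        if (m->holding_time == 0)
            return IMPOS_IGNORED;
        cache_put(c, cache_add(c, m));
        return IMPOS_ADDED;
    }
    return refresh_or_remove(c, entry, m);  /* entry is known non-NULL here */
}

/* Replays a removal of an id the cache has never seen through one handler;
 * returns -1 if a NULL entry reached put/remove, otherwise the handler's result. */
static int unknown_removal(impos_handler h)
{
    struct model_cache c = { 0 };
    const struct impos_msg remove_unknown = { .cache_id = 0x1234, .holding_time = 0 };
    int r = (int)h(&c, &remove_unknown);
    return c.null_deref ? -1 : r;
}

/* Add, refresh, remove via the fixed handler; 1 if refcounts balance and no NULL was used. */
static int fixed_lifecycle_balanced(void)
{
    struct model_cache c = { 0 };
    const struct impos_msg add = { .cache_id = 0x1234, .holding_time = 60 };
    const struct impos_msg del = { .cache_id = 0x1234, .holding_time = 0 };
    if (impos_rcvd_fixed(&c, &add) != IMPOS_ADDED || c.entries[0].use != 1) return 0;
    if (impos_rcvd_fixed(&c, &add) != IMPOS_UPDATED || c.entries[0].use != 1) return 0;
    if (impos_rcvd_fixed(&c, &del) != IMPOS_REMOVED || c.entries[0].use != 0) return 0;
    return c.entries[0].in_cache == 0 && c.null_deref == 0;
}
```

Running unknown_removal() with impos_rcvd_vulnerable reports -1 (the NULL entry reaches remove/put, the path the KASAN report attributes to eg_cache_remove_entry), while impos_rcvd_fixed returns IMPOS_IGNORED and fixed_lifecycle_balanced() confirms the ordinary add/refresh/remove sequence still works with every reference released. The general lesson is the one the report makes: when a NULL check is conjoined with a second condition, the NULL-and-not-that-condition case needs its own handling before the pointer flows into code that dereferences it.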