[PATCH net] dccp: check for ccid in ccid_hc_tx_send

Netdev List
 help / color / mirror / Atom feed

* [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
@ 2023-10-28 14:41 Bragatheswaran Manickavel
  2023-10-30  8:59 ` Eric Dumazet
  2023-11-02 11:14 ` Paolo Abeni
  0 siblings, 2 replies; 6+ messages in thread
From: Bragatheswaran Manickavel @ 2023-10-28 14:41 UTC (permalink / raw)
  To: davem, edumazet, kuba, pabeni
  Cc: Bragatheswaran Manickavel, dccp, netdev, linux-kernel,
	syzbot+c71bc336c5061153b502

ccid_hc_tx_send_packet might be called with a NULL ccid pointer
leading to a NULL pointer dereference

Below mentioned commit has similarly changes
commit 276bdb82dedb ("dccp: check ccid before dereferencing")

Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
---
 net/dccp/ccid.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 105f3734dadb..1015dc2b9392 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const int return_code)
 static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct sock *sk,
 					 struct sk_buff *skb)
 {
-	if (ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
+	if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
 		return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb);
 	return CCID_PACKET_SEND_AT_ONCE;
 }
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
  2023-10-28 14:41 [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet Bragatheswaran Manickavel
@ 2023-10-30  8:59 ` Eric Dumazet
  2023-10-30 15:40   ` Bragatheswaran Manickavel
  2023-11-02 11:14 ` Paolo Abeni
  1 sibling, 1 reply; 6+ messages in thread
From: Eric Dumazet @ 2023-10-30  8:59 UTC (permalink / raw)
  To: Bragatheswaran Manickavel
  Cc: davem, kuba, pabeni, dccp, netdev, linux-kernel,
	syzbot+c71bc336c5061153b502

On Sat, Oct 28, 2023 at 4:41 PM Bragatheswaran Manickavel
<bragathemanick0908@gmail.com> wrote:
>
> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
> leading to a NULL pointer dereference
>
> Below mentioned commit has similarly changes
> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
>
> Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
> Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
> ---
>  net/dccp/ccid.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
> index 105f3734dadb..1015dc2b9392 100644
> --- a/net/dccp/ccid.h
> +++ b/net/dccp/ccid.h
> @@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const int return_code)
>  static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct sock *sk,
>                                          struct sk_buff *skb)
>  {
> -       if (ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
> +       if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
>                 return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb);
>         return CCID_PACKET_SEND_AT_ONCE;
>  }
> --
> 2.34.1
>

If you are willing to fix dccp, I would make sure that some of
lockless accesses to dccps_hc_tx_ccid
are also double checked and fixed.

do_dccp_getsockopt() and dccp_get_info()

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
  2023-10-30  8:59 ` Eric Dumazet
@ 2023-10-30 15:40   ` Bragatheswaran Manickavel
  2023-10-30 15:49     ` Eric Dumazet
  0 siblings, 1 reply; 6+ messages in thread
From: Bragatheswaran Manickavel @ 2023-10-30 15:40 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: davem, kuba, pabeni, dccp, netdev, linux-kernel,
	syzbot+c71bc336c5061153b502


On 30/10/23 14:29, Eric Dumazet wrote:
> On Sat, Oct 28, 2023 at 4:41 PM Bragatheswaran Manickavel
> <bragathemanick0908@gmail.com> wrote:
>> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
>> leading to a NULL pointer dereference
>>
>> Below mentioned commit has similarly changes
>> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
>>
>> Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
>> Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
>> ---
>>   net/dccp/ccid.h | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
>> index 105f3734dadb..1015dc2b9392 100644
>> --- a/net/dccp/ccid.h
>> +++ b/net/dccp/ccid.h
>> @@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const int return_code)
>>   static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct sock *sk,
>>                                           struct sk_buff *skb)
>>   {
>> -       if (ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
>> +       if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
>>                  return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb);
>>          return CCID_PACKET_SEND_AT_ONCE;
>>   }
>> --
>> 2.34.1
>>
> If you are willing to fix dccp, I would make sure that some of
> lockless accesses to dccps_hc_tx_ccid
> are also double checked and fixed.
>
> do_dccp_getsockopt() and dccp_get_info()


Hi Eric,

In both do_dccp_getsockopt() and dccp_get_info(), dccps_hc_rx_ccid are 
checked properly before access.

Thanks,
Bragathe


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
  2023-10-30 15:40   ` Bragatheswaran Manickavel
@ 2023-10-30 15:49     ` Eric Dumazet
       [not found]       ` <4fffeb15-52b1-4f2c-93bb-c3988ddfbf43@gmail.com>
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Dumazet @ 2023-10-30 15:49 UTC (permalink / raw)
  To: Bragatheswaran Manickavel
  Cc: davem, kuba, pabeni, dccp, netdev, linux-kernel,
	syzbot+c71bc336c5061153b502

On Mon, Oct 30, 2023 at 4:40 PM Bragatheswaran Manickavel
<bragathemanick0908@gmail.com> wrote:
>
>
> On 30/10/23 14:29, Eric Dumazet wrote:
> > On Sat, Oct 28, 2023 at 4:41 PM Bragatheswaran Manickavel
> > <bragathemanick0908@gmail.com> wrote:
> >> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
> >> leading to a NULL pointer dereference
> >>
> >> Below mentioned commit has similarly changes
> >> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
> >>
> >> Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
> >> Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
> >> ---
> >>   net/dccp/ccid.h | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
> >> index 105f3734dadb..1015dc2b9392 100644
> >> --- a/net/dccp/ccid.h
> >> +++ b/net/dccp/ccid.h
> >> @@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const int return_code)
> >>   static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct sock *sk,
> >>                                           struct sk_buff *skb)
> >>   {
> >> -       if (ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
> >> +       if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
> >>                  return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb);
> >>          return CCID_PACKET_SEND_AT_ONCE;
> >>   }
> >> --
> >> 2.34.1
> >>
> > If you are willing to fix dccp, I would make sure that some of
> > lockless accesses to dccps_hc_tx_ccid
> > are also double checked and fixed.
> >
> > do_dccp_getsockopt() and dccp_get_info()
>
>
> Hi Eric,
>
> In both do_dccp_getsockopt() and dccp_get_info(), dccps_hc_rx_ccid are
> checked properly before access.
>

Not really, because another thread can change the value at the same time.

Adding checks is not solving races.

^ permalink raw reply	[flat|nested] 6+ messages in thread

[parent not found: <4fffeb15-52b1-4f2c-93bb-c3988ddfbf43@gmail.com>]

* Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
       [not found]       ` <4fffeb15-52b1-4f2c-93bb-c3988ddfbf43@gmail.com>
@ 2023-10-30 16:24         ` Eric Dumazet
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Dumazet @ 2023-10-30 16:24 UTC (permalink / raw)
  To: Bragatheswaran Manickavel
  Cc: davem, kuba, pabeni, dccp, netdev, linux-kernel,
	syzbot+c71bc336c5061153b502

On Mon, Oct 30, 2023 at 5:22 PM Bragatheswaran Manickavel
<bragathemanick0908@gmail.com> wrote:
>
>
> On 30/10/23 21:19, Eric Dumazet wrote:
>
> On Mon, Oct 30, 2023 at 4:40 PM Bragatheswaran Manickavel
> <bragathemanick0908@gmail.com> wrote:
>
> On 30/10/23 14:29, Eric Dumazet wrote:
>
> On Sat, Oct 28, 2023 at 4:41 PM Bragatheswaran Manickavel
> <bragathemanick0908@gmail.com> wrote:
>
> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
> leading to a NULL pointer dereference
>
> Below mentioned commit has similarly changes
> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
>
> Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
> Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
> ---
>   net/dccp/ccid.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
> index 105f3734dadb..1015dc2b9392 100644
> --- a/net/dccp/ccid.h
> +++ b/net/dccp/ccid.h
> @@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const int return_code)
>   static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct sock *sk,
>                                           struct sk_buff *skb)
>   {
> -       if (ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
> +       if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != NULL)
>                  return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb);
>          return CCID_PACKET_SEND_AT_ONCE;
>   }
> --
> 2.34.1
>
> If you are willing to fix dccp, I would make sure that some of
> lockless accesses to dccps_hc_tx_ccid
> are also double checked and fixed.
>
> do_dccp_getsockopt() and dccp_get_info()
>
> Hi Eric,
>
> In both do_dccp_getsockopt() and dccp_get_info(), dccps_hc_rx_ccid are
> checked properly before access.
>
> Not really, because another thread can change the value at the same time.
>
> Adding checks is not solving races.
>
> Understood. But when I see function similar to ccid_hc_tx_send_packet all of
> them has ccid check and few of them have addressed same issue.
>
> dccp_get_info()
>         if (dp->dccps_hc_rx_ccid != NULL)
>                 ccid_hc_rx_get_info(dp->dccps_hc_rx_ccid, sk, info);
>         if (dp->dccps_hc_tx_ccid != NULL)
>                 ccid_hc_tx_get_info(dp->dccps_hc_tx_ccid, sk, info);
>

All I am saying is that these changes are not correct.

They are simply adding some 'checks' that are unsafe.

Compiler can absolutely fetch dp->dccps_hc_tx_ccid a second time,
and a NULL could be read this second time.

> do_dccp_getsockopt()
>     ccid_hc_rx_getsockopt
>     ccid_hc_tx_getsockopt
>     ccid_get_current_rx_ccid
>     ccid_get_current_tx_ccid   ===> All of them have ccid check
>
> So, I went on with this changes.
> If you have another suggestion of fixing this issue please let me know. I will take a look.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
  2023-10-28 14:41 [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet Bragatheswaran Manickavel
  2023-10-30  8:59 ` Eric Dumazet
@ 2023-11-02 11:14 ` Paolo Abeni
  1 sibling, 0 replies; 6+ messages in thread
From: Paolo Abeni @ 2023-11-02 11:14 UTC (permalink / raw)
  To: Bragatheswaran Manickavel, davem, edumazet, kuba
  Cc: dccp, netdev, linux-kernel, syzbot+c71bc336c5061153b502

On Sat, 2023-10-28 at 20:11 +0530, Bragatheswaran Manickavel wrote:
> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
> leading to a NULL pointer dereference

You should describe how such event could happen.

> Below mentioned commit has similarly changes
> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
> 
> Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502

and add a suitable fixes here.

(beyond taking care of other critical code paths, as reported by Eric).

Thanks!

Paolo


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2023-11-02 11:15 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-28 14:41 [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet Bragatheswaran Manickavel
2023-10-30  8:59 ` Eric Dumazet
2023-10-30 15:40   ` Bragatheswaran Manickavel
2023-10-30 15:49     ` Eric Dumazet
     [not found]       ` <4fffeb15-52b1-4f2c-93bb-c3988ddfbf43@gmail.com>
2023-10-30 16:24         ` Eric Dumazet
2023-11-02 11:14 ` Paolo Abeni

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox