* [PATCH net] tipc: increment the tmp aead refcnt before attaching it
@ 2021-04-06 2:45 Xin Long
2021-04-06 23:30 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Xin Long @ 2021-04-06 2:45 UTC (permalink / raw)
To: network dev, tipc-discussion; +Cc: davem, kuba, Jon Maloy, Ying Xue, Tuong Lien
Li Shuang found a NULL pointer dereference crash in her testing:
[] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[] RIP: 0010:tipc_crypto_rcv_complete+0xc8/0x7e0 [tipc]
[] Call Trace:
[] <IRQ>
[] tipc_crypto_rcv+0x2d9/0x8f0 [tipc]
[] tipc_rcv+0x2fc/0x1120 [tipc]
[] tipc_udp_recv+0xc6/0x1e0 [tipc]
[] udpv6_queue_rcv_one_skb+0x16a/0x460
[] udp6_unicast_rcv_skb.isra.35+0x41/0xa0
[] ip6_protocol_deliver_rcu+0x23b/0x4c0
[] ip6_input+0x3d/0xb0
[] ipv6_rcv+0x395/0x510
[] __netif_receive_skb_core+0x5fc/0xc40
This is caused by NULL returned by tipc_aead_get(), and then crashed when
dereferencing it later in tipc_crypto_rcv_complete(). This might happen
when tipc_crypto_rcv_complete() is called by two threads at the same time:
the tmp attached by tipc_crypto_key_attach() in one thread may be released
by the one attached by that in the other thread.
This patch is to fix it by incrementing the tmp's refcnt before attaching
it instead of calling tipc_aead_get() after attaching it.
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/tipc/crypto.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index f4fca8f..97710ce 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -1941,12 +1941,13 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
goto rcv;
if (tipc_aead_clone(&tmp, aead) < 0)
goto rcv;
+ WARN_ON(!refcount_inc_not_zero(&tmp->refcnt));
if (tipc_crypto_key_attach(rx, tmp, ehdr->tx_key, false) < 0) {
tipc_aead_free(&tmp->rcu);
goto rcv;
}
tipc_aead_put(aead);
- aead = tipc_aead_get(tmp);
+ aead = tmp;
}
if (unlikely(err)) {
--
2.1.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] tipc: increment the tmp aead refcnt before attaching it
2021-04-06 2:45 [PATCH net] tipc: increment the tmp aead refcnt before attaching it Xin Long
@ 2021-04-06 23:30 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-04-06 23:30 UTC (permalink / raw)
To: Xin Long
Cc: netdev, tipc-discussion, davem, kuba, jmaloy, ying.xue, tuong.t.lien
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Tue, 6 Apr 2021 10:45:23 +0800 you wrote:
> Li Shuang found a NULL pointer dereference crash in her testing:
>
> [] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
> [] RIP: 0010:tipc_crypto_rcv_complete+0xc8/0x7e0 [tipc]
> [] Call Trace:
> [] <IRQ>
> [] tipc_crypto_rcv+0x2d9/0x8f0 [tipc]
> [] tipc_rcv+0x2fc/0x1120 [tipc]
> [] tipc_udp_recv+0xc6/0x1e0 [tipc]
> [] udpv6_queue_rcv_one_skb+0x16a/0x460
> [] udp6_unicast_rcv_skb.isra.35+0x41/0xa0
> [] ip6_protocol_deliver_rcu+0x23b/0x4c0
> [] ip6_input+0x3d/0xb0
> [] ipv6_rcv+0x395/0x510
> [] __netif_receive_skb_core+0x5fc/0xc40
>
> [...]
Here is the summary with links:
- [net] tipc: increment the tmp aead refcnt before attaching it
https://git.kernel.org/netdev/net/c/2a2403ca3add
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-06 23:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-06 2:45 [PATCH net] tipc: increment the tmp aead refcnt before attaching it Xin Long
2021-04-06 23:30 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.