* [PATCH] net: fix NULL pointer reference in cipso_v4_doi_free
@ 2021-08-26  3:42 王贇
  2021-08-27  0:09 ` Paul Moore
                   ` (3 more replies)
  0 siblings, 4 replies; 25+ messages in thread
From: 王贇 @ 2021-08-26  3:42 UTC (permalink / raw)
  To: Paul Moore, David S. Miller, Hideaki YOSHIFUJI, David Ahern,
	Jakub Kicinski, netdev, linux-security-module, linux-kernel

In netlbl_cipsov4_add_std(), when the 'doi_def->map.std' allocation
fails, we sometimes observe a panic:

  BUG: kernel NULL pointer dereference, address:
  ...
  RIP: 0010:cipso_v4_doi_free+0x3a/0x80
  ...
  Call Trace:
   netlbl_cipsov4_add_std+0xf4/0x8c0
   netlbl_cipsov4_add+0x13f/0x1b0
   genl_family_rcv_msg_doit.isra.15+0x132/0x170
   genl_rcv_msg+0x125/0x240

This is because in cipso_v4_doi_free() there is no check
on 'doi_def->map.std' when 'doi_def->type' equals 1, which
is possible, since netlbl_cipsov4_add_std() hasn't initialized
it before allocating 'doi_def->map.std'.

This patch just adds the check to prevent the panic from happening
for similar cases.

Reported-by: Abaci <abaci@linux.alibaba.com>
Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
---

 net/ipv4/cipso_ipv4.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 099259f..7fbd0b5 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -465,14 +465,16 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
 	if (!doi_def)
 		return;

-	switch (doi_def->type) {
-	case CIPSO_V4_MAP_TRANS:
-		kfree(doi_def->map.std->lvl.cipso);
-		kfree(doi_def->map.std->lvl.local);
-		kfree(doi_def->map.std->cat.cipso);
-		kfree(doi_def->map.std->cat.local);
-		kfree(doi_def->map.std);
-		break;
+	if (doi_def->map.std) {
+		switch (doi_def->type) {
+		case CIPSO_V4_MAP_TRANS:
+			kfree(doi_def->map.std->lvl.cipso);
+			kfree(doi_def->map.std->lvl.local);
+			kfree(doi_def->map.std->cat.cipso);
+			kfree(doi_def->map.std->cat.local);
+			kfree(doi_def->map.std);
+			break;
+		}
 	}
 	kfree(doi_def);
 }
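Review bot: the NULL check treats the symptom rather than the cause the commit message itself names, namely that netlbl_cipsov4_add_std() hands cipso_v4_doi_free() a doi_def whose 'type' was never initialised once the allocation of 'doi_def->map.std' has failed. The smaller change is in that caller: on the failed allocation, kfree(doi_def) and return -ENOMEM directly instead of routing a half-built object through the full destructor, which is the one place the stale 'type' gets read. If a check is kept here, it belongs inside the CIPSO_V4_MAP_TRANS case (`if (doi_def->map.std)` around the five kfree() calls) rather than around the whole switch, since only that case dereferences map.std and the outer guard also gates any case added to the switch later on a pointer that case may not use. Note that the four kfree() calls on the sub-tables are already NULL-safe, so map.std itself is the only pointer on this path that is not. The thread index below shows this check being reverted and then removed, which is consistent with fixing the caller.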
-- 
1.8.3.1
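Added example, not part of the original mail or of the kernel tree: a user-space C model of the error path the commit message describes. It goes one step beyond the patch by putting the alternative fix in the caller next to the NULL check in the destructor, so both can be exercised under fault injection. Everything prefixed "ex_" is a hypothetical stand-in for struct cipso_v4_doi, cipso_v4_doi_free() and netlbl_cipsov4_add_std(); malloc()/calloc() stand in for kmalloc()/kzalloc(); the switch is collapsed to an if because CIPSO_V4_MAP_TRANS is its only case; and a stale CIPSO_V4_MAP_TRANS tag is written into the freshly allocated object to make the undefined contents kmalloc() returns deterministic.

```c
/* Added example, not kernel code: a user-space model of the error path the
 * commit message describes.  Names prefixed "ex_" are hypothetical stand-ins
 * for struct cipso_v4_doi, cipso_v4_doi_free() and netlbl_cipsov4_add_std(). */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

enum { EX_MAP_TRANS = 1 };   /* the only map type the destructor dispatches on */

struct ex_std_map_tbl { void *lvl_cipso, *lvl_local, *cat_cipso, *cat_local; };
struct ex_doi { unsigned int type; struct ex_std_map_tbl *std; };

static int ex_fail_map_alloc;   /* one-shot fault injection for ex_kzalloc_tbl() */

/* kmalloc() stand-in: a stale EX_MAP_TRANS tag from a previous occupant of the slot. */
static struct ex_doi *ex_kmalloc_doi(void)
{
    struct ex_doi *d = malloc(sizeof(*d));
    if (d) d->type = EX_MAP_TRANS;   /* never overwritten on the failure path */
    return d;
}

static struct ex_std_map_tbl *ex_kzalloc_tbl(void)
{
    if (ex_fail_map_alloc) { ex_fail_map_alloc = 0; return NULL; }
    return calloc(1, sizeof(struct ex_std_map_tbl));
}

static void ex_tbl_free(struct ex_std_map_tbl *t)   /* free(NULL) is a no-op, like kfree(NULL) */
{
    free(t->lvl_cipso); free(t->lvl_local); free(t->cat_cipso); free(t->cat_local);
    free(t);
}

/* Pre-patch cipso_v4_doi_free(): 'type' alone decides whether 'std' is dereferenced. */
static void ex_doi_free_orig(struct ex_doi *d)
{
    if (!d) return;
    if (d->type == EX_MAP_TRANS) ex_tbl_free(d->std);   /* std == NULL here is the oops */
    free(d);
}

/* cipso_v4_doi_free() with the patch's NULL check on 'std' in front of the dispatch. */
static void ex_doi_free_patched(struct ex_doi *d)
{
    if (!d) return;
    if (d->std && d->type == EX_MAP_TRANS) ex_tbl_free(d->std);
    free(d);
}

/* Model of netlbl_cipsov4_add_std().  fixed == false reproduces the reported error
 * path; fixed == true frees the only thing allocated so far.  0 or -ENOMEM, no leak. */
static int ex_add_std(struct ex_doi **out, bool fixed, void (*doi_free)(struct ex_doi *))
{
    struct ex_doi *d = ex_kmalloc_doi();
    if (!d) return -ENOMEM;
    d->std = ex_kzalloc_tbl();
    if (!d->std) {
        if (fixed)
            free(d);          /* 'type' was never set, so do not dispatch on it */
        else
            doi_free(d);      /* survives only if doi_free tolerates std == NULL */
        return -ENOMEM;
    }
    d->type = EX_MAP_TRANS;   /* set the tag only once what it promises exists */
    *out = d;
    return 0;
}

/* Run one constructor/destructor pairing and report the constructor's return code. */
static int ex_run(bool fixed, void (*doi_free)(struct ex_doi *), bool inject_fault)
{
    struct ex_doi *d = NULL;
    ex_fail_map_alloc = inject_fault;
    int rc = ex_add_std(&d, fixed, doi_free);
    if (rc == 0) doi_free(d);
    return rc;
}

/* Rebuild the object the buggy path hands to the destructor; a TRANS doi must carry a table. */
static bool ex_partial_object_safe(void)
{
    struct ex_doi *d = ex_kmalloc_doi();
    if (!d) return true;      /* nothing to free: vacuously safe */
    d->std = NULL;            /* what the failed allocation leaves behind */
    bool safe = d->type != EX_MAP_TRANS || d->std != NULL;
    ex_doi_free_patched(d);
    return safe;
}

int main(void)
{
    /* ex_run(false, ex_doi_free_orig, true) is the pairing behind the oops above. */
    return (ex_run(false, ex_doi_free_patched, true) == -ENOMEM &&
            ex_run(true, ex_doi_free_orig, true) == -ENOMEM &&
            ex_run(true, ex_doi_free_orig, false) == 0 &&
            !ex_partial_object_safe()) ? 0 : 1;
}
```

Compile with cc -Wall and run; exit status 0 means the three safe pairings returned the expected codes and the half-built object was confirmed to violate the destructor's precondition. The one pairing left as a comment in main() is the buggy caller with the pre-patch destructor, which is the NULL dereference in the trace.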



Thread overview: 25+ messages
2021-08-26  3:42 [PATCH] net: fix NULL pointer reference in cipso_v4_doi_free 王贇
2021-08-27  0:09 ` Paul Moore
2021-08-30 10:20   ` 王贇
2021-08-30 10:14 ` 王贇
2021-08-30 10:28 ` [PATCH v2] " 王贇
2021-08-30 11:30   ` patchwork-bot+netdevbpf
2021-08-30 14:17   ` Paul Moore
2021-08-30 16:45     ` Jakub Kicinski
2021-08-30 16:50       ` Paul Moore
2021-08-31  2:41         ` 王贇
2021-08-31 13:48           ` Paul Moore
2021-09-01  1:51             ` 王贇
2021-09-01  9:30               ` David Miller
2021-09-01  9:41                 ` 王贇
2021-09-01 10:45                   ` David Miller
2021-09-02  3:04                     ` 王贇
2021-09-01  2:18   ` [PATCH] Revert "net: fix NULL pointer reference in cipso_v4_doi_free" 王贇
2021-09-01  2:21     ` 王贇
2021-09-01 21:05       ` Paul Moore
2021-09-02  2:37         ` 王贇
2021-09-03  2:15           ` Paul Moore
2021-09-03  2:31             ` 王贇
2021-09-03 14:08               ` Paul Moore
2021-09-03  2:27 ` [PATCH] net: remove the unnecessary check in cipso_v4_doi_free 王贇
2021-09-03 14:08   ` Paul Moore
