* [PATCH] net/neighbour: fix potential null pointer deference
From: Young Xiao @ 2019-05-31  8:29 UTC
  To: davem, dsahern, roopa, christian, khlebnikov, netdev; +Cc: Young Xiao

There is a possible null pointer dereference bug in neigh_fill_info(),
which is similar to the bug which was fixed in commit 6adc5fd6a142
("net/neighbour: fix crash at dumping device-agnostic proxy entries").

Signed-off-by: Young Xiao <92siuyang@gmail.com>
---
 net/core/neighbour.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index dfa8710..33c3ff1 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2440,7 +2440,7 @@ static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
 	ndm->ndm_pad2    = 0;
 	ndm->ndm_flags	 = neigh->flags;
 	ndm->ndm_type	 = neigh->type;
-	ndm->ndm_ifindex = neigh->dev->ifindex;
+	ndm->ndm_ifindex = neigh->dev ? neigh->dev->ifindex : 0;
 
 	if (nla_put(skb, NDA_DST, neigh->tbl->key_len, neigh->primary_key))
 		goto nla_put_failure;
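
Review bot: The NULL check added to the `ndm->ndm_ifindex` assignment has no stated trigger: the commit message names no caller or state in which `neigh->dev` is NULL for a `struct neighbour`. The cited commit 6adc5fd6a142 is, by its subject line, about device-agnostic proxy entries, while this hunk sits in neigh_fill_info(), which takes a `struct neighbour *`, so the message should explain why the same condition applies here and carry a Fixes: tag for the commit that introduced it. If no such path exists, the ternary is dead code and the line should stay as it was.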
-- 
2.7.4



* Re: [PATCH] net/neighbour: fix potential null pointer deference
From: Konstantin Khlebnikov @ 2019-05-31  8:41 UTC
  To: Young Xiao, davem, dsahern, roopa, christian, netdev

On 31.05.2019 11:29, Young Xiao wrote:
> There is a possible null pointer dereference bug in neigh_fill_info(),
> which is similar to the bug which was fixed in commit 6adc5fd6a142
> ("net/neighbour: fix crash at dumping device-agnostic proxy entries").

Have you seen this in real life?
I see nobody who could produce a neighbour with a null device pointer.

> 
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
>   net/core/neighbour.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index dfa8710..33c3ff1 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -2440,7 +2440,7 @@ static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
>   	ndm->ndm_pad2    = 0;
>   	ndm->ndm_flags	 = neigh->flags;
>   	ndm->ndm_type	 = neigh->type;
> -	ndm->ndm_ifindex = neigh->dev->ifindex;
> +	ndm->ndm_ifindex = neigh->dev ? neigh->dev->ifindex : 0;
>   
>   	if (nla_put(skb, NDA_DST, neigh->tbl->key_len, neigh->primary_key))
>   		goto nla_put_failure;
> 
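
Review bot: The fallback value 0 in the `ndm->ndm_ifindex` ternary is written into the message as if it were a normal answer, so a broken `neigh->dev` invariant would pass silently instead of being noticed. If a neighbour without a device is a legitimate state, the commit message should say what ifindex 0 means to readers of this message; if it is not, a quiet ternary is the wrong shape and the check should either be dropped or made loud (for example a one-time warning) so the real bug gets found.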


* Re: [PATCH] net/neighbour: fix potential null pointer deference
From: Paolo Abeni @ 2019-05-31  8:42 UTC
  To: Young Xiao, davem, dsahern, roopa, christian, khlebnikov, netdev

On Fri, 2019-05-31 at 16:29 +0800, Young Xiao wrote:
> There is a possible null pointer dereference bug in neigh_fill_info(),
> which is similar to the bug which was fixed in commit 6adc5fd6a142
> ("net/neighbour: fix crash at dumping device-agnostic proxy entries").
> 
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
>  net/core/neighbour.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index dfa8710..33c3ff1 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -2440,7 +2440,7 @@ static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
>  	ndm->ndm_pad2    = 0;
>  	ndm->ndm_flags	 = neigh->flags;
>  	ndm->ndm_type	 = neigh->type;
> -	ndm->ndm_ifindex = neigh->dev->ifindex;
> +	ndm->ndm_ifindex = neigh->dev ? neigh->dev->ifindex : 0;
>  
>  	if (nla_put(skb, NDA_DST, neigh->tbl->key_len, neigh->primary_key))
>  		goto nla_put_failure;

AFAICS, neigh->dev is requested to be != NULL at neighbour creation
time (see ___neigh_create()), so the above NULL ptr dereference looks
impossible. Am I missing something?

Thanks,

Paolo





* Re: [PATCH] net/neighbour: fix potential null pointer deference
From: Eric Dumazet @ 2019-05-31 14:56 UTC
  To: Young Xiao, davem, dsahern, roopa, christian, khlebnikov, netdev



On 5/31/19 1:29 AM, Young Xiao wrote:
> There is a possible null pointer dereference bug in neigh_fill_info(),
> which is similar to the bug which was fixed in commit 6adc5fd6a142
> ("net/neighbour: fix crash at dumping device-agnostic proxy entries").
> 
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
>  net/core/neighbour.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index dfa8710..33c3ff1 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -2440,7 +2440,7 @@ static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
>  	ndm->ndm_pad2    = 0;
>  	ndm->ndm_flags	 = neigh->flags;
>  	ndm->ndm_type	 = neigh->type;
> -	ndm->ndm_ifindex = neigh->dev->ifindex;
> +	ndm->ndm_ifindex = neigh->dev ? neigh->dev->ifindex : 0;
>  
>  	if (nla_put(skb, NDA_DST, neigh->tbl->key_len, neigh->primary_key))
>  		goto nla_put_failure;
> 

When was the bug added exactly?

Hint: We want a Fixes: tag, so that we can fully understand the issue and make sure the
fix is complete.

Otherwise, your patch might very well have been randomly generated by a bot.

Thank you.
