All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pavel Skripkin <paskripkin@gmail.com>
To: Alexander Aring <alex.aring@gmail.com>
Cc: Stefan Schmidt <stefan@datenfreihafen.org>,
	"David S. Miller" <davem@davemloft.net>,
	linux-wpan - ML <linux-wpan@vger.kernel.org>,
	"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: mac802154: Fix null pointer dereference
Date: Thu, 04 Mar 2021 12:23:22 +0300	[thread overview]
Message-ID: <e70d7b45638db427be978c620475a330cb9db57c.camel@gmail.com> (raw)
In-Reply-To: <CAB_54W6-ONBmLhaQqrDD=efiinRosxe06VEGDqmMM-1-XjYcPw@mail.gmail.com>

Hi, thanks for your reply!

On Wed, 2021-03-03 at 21:40 -0500, Alexander Aring wrote:
> Hi,
> 
> On Wed, 3 Mar 2021 at 11:28, Pavel Skripkin <paskripkin@gmail.com>
> wrote:
> > syzbot found general protection fault in crypto_destroy_tfm()[1].
> > It was caused by wrong clean up loop in llsec_key_alloc().
> > If one of the tfm array members won't be initialized it will cause
> > NULL dereference in crypto_destroy_tfm().
> > 
> > Call Trace:
> >  crypto_free_aead include/crypto/aead.h:191 [inline] [1]
> >  llsec_key_alloc net/mac802154/llsec.c:156 [inline]
> >  mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
> >  ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
> >  rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
> >  nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
> >  genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
> >  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
> >  genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
> >  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
> >  genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
> >  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
> >  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
> >  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
> >  sock_sendmsg_nosec net/socket.c:654 [inline]
> >  sock_sendmsg+0xcf/0x120 net/socket.c:674
> >  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
> >  ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
> >  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
> >  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > 
> > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> > Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
> > ---
> >  net/mac802154/llsec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
> > index 585d33144c33..6709f186f777 100644
> > --- a/net/mac802154/llsec.c
> > +++ b/net/mac802154/llsec.c
> > @@ -151,7 +151,7 @@ llsec_key_alloc(const struct
> > ieee802154_llsec_key *template)
> >  err_tfm0:
> >         crypto_free_sync_skcipher(key->tfm0);
> >  err_tfm:
> > -       for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
> > +       for (; i >= 0; i--)
> >                 if (key->tfm[i])
> 
> I think this need to be:
> 
> if (!IS_ERR_OR_NULL(key->tfm[i]))
> 
> otherwise we still run into issues for the current iterator when
> key->tfm[i] is in range of IS_ERR().

Oh... I got it completly wrong, I'm sorry. If it's still not fixed,
I'll send rigth patch for that.

> 
> - Alex
-- 
With regards,
Pavel Skripkin


  reply	other threads:[~2021-03-04  9:25 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-03 16:27 [PATCH] net: mac802154: Fix null pointer dereference Pavel Skripkin
2021-03-04  2:40 ` Alexander Aring
2021-03-04  9:23   ` Pavel Skripkin [this message]
2021-03-04 14:22     ` Alexander Aring
2021-03-04 15:21       ` [PATCH v2] net: mac802154: Fix general protection fault Pavel Skripkin
2021-03-08  8:27         ` Stefan Schmidt
2021-04-05  0:43         ` Alexander Aring
2021-04-05  5:45           ` Pavel Skripkin
2021-04-05 11:50             ` Alexander Aring
2021-04-06 20:43               ` Stefan Schmidt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e70d7b45638db427be978c620475a330cb9db57c.camel@gmail.com \
    --to=paskripkin@gmail.com \
    --cc=alex.aring@gmail.com \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wpan@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stefan@datenfreihafen.org \
    --cc=syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.