Linux-WPAN Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] net: mac802154: Fix null pointer dereference
@ 2021-03-03 16:27 Pavel Skripkin
  2021-03-04  2:40 ` Alexander Aring
  0 siblings, 1 reply; 10+ messages in thread
From: Pavel Skripkin @ 2021-03-03 16:27 UTC (permalink / raw)
  To: alex.aring, stefan, davem
  Cc: linux-wpan, netdev, linux-kernel, Pavel Skripkin,
	syzbot+12cf5fbfdeba210a89dd

syzbot found general protection fault in crypto_destroy_tfm()[1].
It was caused by wrong clean up loop in llsec_key_alloc().
If one of the tfm array members won't be initialized it will cause
NULL dereference in crypto_destroy_tfm().

Call Trace:
 crypto_free_aead include/crypto/aead.h:191 [inline] [1]
 llsec_key_alloc net/mac802154/llsec.c:156 [inline]
 mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
 ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
 rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
 nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
---
 net/mac802154/llsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
index 585d33144c33..6709f186f777 100644
--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -151,7 +151,7 @@ llsec_key_alloc(const struct ieee802154_llsec_key *template)
 err_tfm0:
 	crypto_free_sync_skcipher(key->tfm0);
 err_tfm:
-	for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
+	for (; i >= 0; i--)
 		if (key->tfm[i])
 			crypto_free_aead(key->tfm[i]);
 
-- 
2.25.1


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] net: mac802154: Fix null pointer dereference
  2021-03-03 16:27 [PATCH] net: mac802154: Fix null pointer dereference Pavel Skripkin
@ 2021-03-04  2:40 ` Alexander Aring
  2021-03-04  9:23   ` Pavel Skripkin
  0 siblings, 1 reply; 10+ messages in thread
From: Alexander Aring @ 2021-03-04  2:40 UTC (permalink / raw)
  To: Pavel Skripkin
  Cc: Stefan Schmidt, David S. Miller, linux-wpan - ML,
	open list:NETWORKING [GENERAL],
	kernel list, syzbot+12cf5fbfdeba210a89dd

Hi,

On Wed, 3 Mar 2021 at 11:28, Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> syzbot found general protection fault in crypto_destroy_tfm()[1].
> It was caused by wrong clean up loop in llsec_key_alloc().
> If one of the tfm array members won't be initialized it will cause
> NULL dereference in crypto_destroy_tfm().
>
> Call Trace:
>  crypto_free_aead include/crypto/aead.h:191 [inline] [1]
>  llsec_key_alloc net/mac802154/llsec.c:156 [inline]
>  mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
>  ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
>  rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
>  nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
>  genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
>  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
>  genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
>  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
>  genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
>  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
>  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
>  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
>  sock_sendmsg_nosec net/socket.c:654 [inline]
>  sock_sendmsg+0xcf/0x120 net/socket.c:674
>  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
>  ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
>  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
>  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
> ---
>  net/mac802154/llsec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
> index 585d33144c33..6709f186f777 100644
> --- a/net/mac802154/llsec.c
> +++ b/net/mac802154/llsec.c
> @@ -151,7 +151,7 @@ llsec_key_alloc(const struct ieee802154_llsec_key *template)
>  err_tfm0:
>         crypto_free_sync_skcipher(key->tfm0);
>  err_tfm:
> -       for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
> +       for (; i >= 0; i--)
>                 if (key->tfm[i])

I think this need to be:

if (!IS_ERR_OR_NULL(key->tfm[i]))

otherwise we still run into issues for the current iterator when
key->tfm[i] is in range of IS_ERR().

- Alex

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] net: mac802154: Fix null pointer dereference
  2021-03-04  2:40 ` Alexander Aring
@ 2021-03-04  9:23   ` Pavel Skripkin
  2021-03-04 14:22     ` Alexander Aring
  0 siblings, 1 reply; 10+ messages in thread
From: Pavel Skripkin @ 2021-03-04  9:23 UTC (permalink / raw)
  To: Alexander Aring
  Cc: Stefan Schmidt, David S. Miller, linux-wpan - ML,
	open list:NETWORKING [GENERAL],
	kernel list, syzbot+12cf5fbfdeba210a89dd

Hi, thanks for your reply!

On Wed, 2021-03-03 at 21:40 -0500, Alexander Aring wrote:
> Hi,
> 
> On Wed, 3 Mar 2021 at 11:28, Pavel Skripkin <paskripkin@gmail.com>
> wrote:
> > syzbot found general protection fault in crypto_destroy_tfm()[1].
> > It was caused by wrong clean up loop in llsec_key_alloc().
> > If one of the tfm array members won't be initialized it will cause
> > NULL dereference in crypto_destroy_tfm().
> > 
> > Call Trace:
> >  crypto_free_aead include/crypto/aead.h:191 [inline] [1]
> >  llsec_key_alloc net/mac802154/llsec.c:156 [inline]
> >  mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
> >  ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
> >  rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
> >  nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
> >  genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
> >  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
> >  genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
> >  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
> >  genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
> >  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
> >  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
> >  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
> >  sock_sendmsg_nosec net/socket.c:654 [inline]
> >  sock_sendmsg+0xcf/0x120 net/socket.c:674
> >  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
> >  ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
> >  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
> >  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > 
> > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> > Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
> > ---
> >  net/mac802154/llsec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
> > index 585d33144c33..6709f186f777 100644
> > --- a/net/mac802154/llsec.c
> > +++ b/net/mac802154/llsec.c
> > @@ -151,7 +151,7 @@ llsec_key_alloc(const struct
> > ieee802154_llsec_key *template)
> >  err_tfm0:
> >         crypto_free_sync_skcipher(key->tfm0);
> >  err_tfm:
> > -       for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
> > +       for (; i >= 0; i--)
> >                 if (key->tfm[i])
> 
> I think this need to be:
> 
> if (!IS_ERR_OR_NULL(key->tfm[i]))
> 
> otherwise we still run into issues for the current iterator when
> key->tfm[i] is in range of IS_ERR().

Oh... I got it completly wrong, I'm sorry. If it's still not fixed,
I'll send rigth patch for that.

> 
> - Alex
-- 
With regards,
Pavel Skripkin


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] net: mac802154: Fix null pointer dereference
  2021-03-04  9:23   ` Pavel Skripkin
@ 2021-03-04 14:22     ` Alexander Aring
  2021-03-04 15:21       ` [PATCH v2] net: mac802154: Fix general protection fault Pavel Skripkin
  0 siblings, 1 reply; 10+ messages in thread
From: Alexander Aring @ 2021-03-04 14:22 UTC (permalink / raw)
  To: Pavel Skripkin
  Cc: Stefan Schmidt, David S. Miller, linux-wpan - ML,
	open list:NETWORKING [GENERAL],
	kernel list, syzbot+12cf5fbfdeba210a89dd

Hi,

On Thu, 4 Mar 2021 at 04:23, Pavel Skripkin <paskripkin@gmail.com> wrote:
...
> >
> > I think this need to be:
> >
> > if (!IS_ERR_OR_NULL(key->tfm[i]))
> >
> > otherwise we still run into issues for the current iterator when
> > key->tfm[i] is in range of IS_ERR().
>
> Oh... I got it completly wrong, I'm sorry. If it's still not fixed,
> I'll send rigth patch for that.
>

please resend your patch. We will review again.

- Alex

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH v2] net: mac802154: Fix general protection fault
  2021-03-04 14:22     ` Alexander Aring
@ 2021-03-04 15:21       ` Pavel Skripkin
  2021-03-08  8:27         ` Stefan Schmidt
  2021-04-05  0:43         ` Alexander Aring
  0 siblings, 2 replies; 10+ messages in thread
From: Pavel Skripkin @ 2021-03-04 15:21 UTC (permalink / raw)
  To: alex.aring, stefan, davem
  Cc: linux-wpan, netdev, linux-kernel, Pavel Skripkin,
	syzbot+9ec037722d2603a9f52e

syzbot found general protection fault in crypto_destroy_tfm()[1].
It was caused by wrong clean up loop in llsec_key_alloc().
If one of the tfm array members is in IS_ERR() range it will
cause general protection fault in clean up function [1].

Call Trace:
 crypto_free_aead include/crypto/aead.h:191 [inline] [1]
 llsec_key_alloc net/mac802154/llsec.c:156 [inline]
 mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
 ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
 rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
 nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
Change-Id: I29f7ac641a039096d63d1e6070bb32cb5a3beb07
---
 net/mac802154/llsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
index 585d33144c33..55550ead2ced 100644
--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -152,7 +152,7 @@ llsec_key_alloc(const struct ieee802154_llsec_key *template)
 	crypto_free_sync_skcipher(key->tfm0);
 err_tfm:
 	for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
-		if (key->tfm[i])
+		if (!IS_ERR_OR_NULL(key->tfm[i]))
 			crypto_free_aead(key->tfm[i]);
 
 	kfree_sensitive(key);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2] net: mac802154: Fix general protection fault
  2021-03-04 15:21       ` [PATCH v2] net: mac802154: Fix general protection fault Pavel Skripkin
@ 2021-03-08  8:27         ` Stefan Schmidt
  2021-04-05  0:43         ` Alexander Aring
  1 sibling, 0 replies; 10+ messages in thread
From: Stefan Schmidt @ 2021-03-08  8:27 UTC (permalink / raw)
  To: Pavel Skripkin, alex.aring, davem
  Cc: linux-wpan, netdev, linux-kernel, syzbot+9ec037722d2603a9f52e

Hello.

On 04.03.21 16:21, Pavel Skripkin wrote:
> syzbot found general protection fault in crypto_destroy_tfm()[1].
> It was caused by wrong clean up loop in llsec_key_alloc().
> If one of the tfm array members is in IS_ERR() range it will
> cause general protection fault in clean up function [1].
> 
> Call Trace:
>   crypto_free_aead include/crypto/aead.h:191 [inline] [1]
>   llsec_key_alloc net/mac802154/llsec.c:156 [inline]
>   mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
>   ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
>   rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
>   nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
>   genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
>   genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
>   genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
>   netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
>   genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
>   netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
>   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
>   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
>   sock_sendmsg_nosec net/socket.c:654 [inline]
>   sock_sendmsg+0xcf/0x120 net/socket.c:674
>   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
>   ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
>   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
>   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>   entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
> Change-Id: I29f7ac641a039096d63d1e6070bb32cb5a3beb07
> ---
>   net/mac802154/llsec.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
> index 585d33144c33..55550ead2ced 100644
> --- a/net/mac802154/llsec.c
> +++ b/net/mac802154/llsec.c
> @@ -152,7 +152,7 @@ llsec_key_alloc(const struct ieee802154_llsec_key *template)
>   	crypto_free_sync_skcipher(key->tfm0);
>   err_tfm:
>   	for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
> -		if (key->tfm[i])
> +		if (!IS_ERR_OR_NULL(key->tfm[i]))
>   			crypto_free_aead(key->tfm[i]);
>   
>   	kfree_sensitive(key);
> 

Alex, are you happy with this patch now? I would like to get it applied. 
Waiting for your review or ack given you had comments on the first version.

regards
Stefan Schmidt

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2] net: mac802154: Fix general protection fault
  2021-03-04 15:21       ` [PATCH v2] net: mac802154: Fix general protection fault Pavel Skripkin
  2021-03-08  8:27         ` Stefan Schmidt
@ 2021-04-05  0:43         ` Alexander Aring
  2021-04-05  5:45           ` Pavel Skripkin
  1 sibling, 1 reply; 10+ messages in thread
From: Alexander Aring @ 2021-04-05  0:43 UTC (permalink / raw)
  To: Pavel Skripkin
  Cc: Stefan Schmidt, David S. Miller, linux-wpan - ML,
	open list:NETWORKING [GENERAL],
	kernel list, syzbot+9ec037722d2603a9f52e

Hi,

On Thu, 4 Mar 2021 at 10:25, Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> syzbot found general protection fault in crypto_destroy_tfm()[1].
> It was caused by wrong clean up loop in llsec_key_alloc().
> If one of the tfm array members is in IS_ERR() range it will
> cause general protection fault in clean up function [1].
>
> Call Trace:
>  crypto_free_aead include/crypto/aead.h:191 [inline] [1]
>  llsec_key_alloc net/mac802154/llsec.c:156 [inline]
>  mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
>  ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
>  rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
>  nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
>  genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
>  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
>  genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
>  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
>  genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
>  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
>  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
>  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
>  sock_sendmsg_nosec net/socket.c:654 [inline]
>  sock_sendmsg+0xcf/0x120 net/socket.c:674
>  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
>  ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
>  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
>  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
> Change-Id: I29f7ac641a039096d63d1e6070bb32cb5a3beb07

I am sorry, I don't know the tag "Change-Id", I was doing a whole grep
on Documentation/ without any luck.

Dumb question: What is the meaning of it?

- Alex

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2] net: mac802154: Fix general protection fault
  2021-04-05  0:43         ` Alexander Aring
@ 2021-04-05  5:45           ` Pavel Skripkin
  2021-04-05 11:50             ` Alexander Aring
  0 siblings, 1 reply; 10+ messages in thread
From: Pavel Skripkin @ 2021-04-05  5:45 UTC (permalink / raw)
  To: Alexander Aring
  Cc: Stefan Schmidt, David S. Miller, linux-wpan - ML,
	open list:NETWORKING [GENERAL],
	kernel list, syzbot+9ec037722d2603a9f52e

Hi!

On Sun, 2021-04-04 at 20:43 -0400, Alexander Aring wrote:
> Hi,
> 
> On Thu, 4 Mar 2021 at 10:25, Pavel Skripkin <paskripkin@gmail.com>
> wrote:
> > 
> > syzbot found general protection fault in crypto_destroy_tfm()[1].
> > It was caused by wrong clean up loop in llsec_key_alloc().
> > If one of the tfm array members is in IS_ERR() range it will
> > cause general protection fault in clean up function [1].
> > 
> > Call Trace:
> >  crypto_free_aead include/crypto/aead.h:191 [inline] [1]
> >  llsec_key_alloc net/mac802154/llsec.c:156 [inline]
> >  mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
> >  ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
> >  rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
> >  nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
> >  genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
> >  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
> >  genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
> >  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
> >  genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
> >  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
> >  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
> >  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
> >  sock_sendmsg_nosec net/socket.c:654 [inline]
> >  sock_sendmsg+0xcf/0x120 net/socket.c:674
> >  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
> >  ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
> >  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
> >  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > 
> > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> > Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
> > Change-Id: I29f7ac641a039096d63d1e6070bb32cb5a3beb07
> 
> I am sorry, I don't know the tag "Change-Id", I was doing a whole
> grep
> on Documentation/ without any luck.
> 

I forgot to check the patch with ./scripts/checkpatch.pl :(

> Dumb question: What is the meaning of it?

This is for gerrit code review. This is required to push changes to
gerrit public mirror. I'm using it to check patches with syzbot. Change
ids are useless outside gerrit, so it shouldn't be here.

Btw, should I sent v2 or this is already fixed? 

> 
> - Alex

With regards,
Pavel Skripkin



^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2] net: mac802154: Fix general protection fault
  2021-04-05  5:45           ` Pavel Skripkin
@ 2021-04-05 11:50             ` Alexander Aring
  2021-04-06 20:43               ` Stefan Schmidt
  0 siblings, 1 reply; 10+ messages in thread
From: Alexander Aring @ 2021-04-05 11:50 UTC (permalink / raw)
  To: Pavel Skripkin
  Cc: Stefan Schmidt, David S. Miller, linux-wpan - ML,
	open list:NETWORKING [GENERAL],
	kernel list, syzbot+9ec037722d2603a9f52e

Hi,

On Mon, 5 Apr 2021 at 01:45, Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> Hi!
>
...
> >
>
> I forgot to check the patch with ./scripts/checkpatch.pl :(
>
> > Dumb question: What is the meaning of it?
>
> This is for gerrit code review. This is required to push changes to
> gerrit public mirror. I'm using it to check patches with syzbot. Change
> ids are useless outside gerrit, so it shouldn't be here.
>
> Btw, should I sent v2 or this is already fixed?

Otherwise the patch looks good. May Stefan can fix this.

Acked-by: Alexander Aring <aahringo@redhat.com>

- Alex

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2] net: mac802154: Fix general protection fault
  2021-04-05 11:50             ` Alexander Aring
@ 2021-04-06 20:43               ` Stefan Schmidt
  0 siblings, 0 replies; 10+ messages in thread
From: Stefan Schmidt @ 2021-04-06 20:43 UTC (permalink / raw)
  To: Alexander Aring, Pavel Skripkin
  Cc: David S. Miller, linux-wpan - ML, open list:NETWORKING [GENERAL],
	kernel list, syzbot+9ec037722d2603a9f52e

Hello.

On 05.04.21 13:50, Alexander Aring wrote:
> Hi,
> 
> On Mon, 5 Apr 2021 at 01:45, Pavel Skripkin <paskripkin@gmail.com> wrote:
>>
>> Hi!
>>
> ...
>>>
>>
>> I forgot to check the patch with ./scripts/checkpatch.pl :(
>>
>>> Dumb question: What is the meaning of it?
>>
>> This is for gerrit code review. This is required to push changes to
>> gerrit public mirror. I'm using it to check patches with syzbot. Change
>> ids are useless outside gerrit, so it shouldn't be here.
>>
>> Btw, should I sent v2 or this is already fixed?
> 
> Otherwise the patch looks good. May Stefan can fix this.
> 
> Acked-by: Alexander Aring <aahringo@redhat.com>

I removed the Change-ID locally here.

This patch has been applied to the wpan tree and will be
part of the next pull request to net. Thanks!

regards
Stefan Schmidt

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, back to index

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-03 16:27 [PATCH] net: mac802154: Fix null pointer dereference Pavel Skripkin
2021-03-04  2:40 ` Alexander Aring
2021-03-04  9:23   ` Pavel Skripkin
2021-03-04 14:22     ` Alexander Aring
2021-03-04 15:21       ` [PATCH v2] net: mac802154: Fix general protection fault Pavel Skripkin
2021-03-08  8:27         ` Stefan Schmidt
2021-04-05  0:43         ` Alexander Aring
2021-04-05  5:45           ` Pavel Skripkin
2021-04-05 11:50             ` Alexander Aring
2021-04-06 20:43               ` Stefan Schmidt

Linux-WPAN Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-wpan/0 linux-wpan/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-wpan linux-wpan/ https://lore.kernel.org/linux-wpan \
		linux-wpan@vger.kernel.org
	public-inbox-index linux-wpan

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-wpan


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git