linux-kernel.vger.kernel.org archive mirror
* [PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()
@ 2014-03-24  7:34 Wei Zhang
  2014-03-24  7:49 ` wei zhang
  2014-03-24 19:14 ` [PATCH] " David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Wei Zhang @ 2014-03-24  7:34 UTC
  To: xeb, davem, kuznet, jmorris, yoshfuji, kaber
  Cc: netdev, linux-kernel, Wei Zhang

When using the gre vport, openvswitch registers a gre_cisco_protocol but
does not supply an err_handler with it. gre_cisco_err() calls the
err_handler without an existence check, causing the kernel to crash.

This patch is based on v3.14-rc7, but the bug affects all kernels newer than
3.11!

Signed-off-by: Wei Zhang <asuka.com@163.com>
---
 net/ipv4/gre_demux.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
index 1863422..56b0d67 100644
--- a/net/ipv4/gre_demux.c
+++ b/net/ipv4/gre_demux.c
@@ -250,7 +250,7 @@ static void gre_cisco_err(struct sk_buff *skb, u32 info)
 		struct gre_cisco_protocol *proto;
 
 		proto = rcu_dereference(gre_cisco_proto_list[i]);
-		if (!proto)
+		if (!proto || !proto->err_handler)
 			continue;
 
 		if (proto->err_handler(skb, info, &tpi) == PACKET_RCVD)
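Review bot: the added !proto->err_handler test on the continue path turns a protocol registered without an error callback into a silent skip on every call of gre_cisco_err(), so the registrant's omission is never surfaced. Consider rejecting or warning about a NULL err_handler at the point where the protocol is registered, or having the registrant supply a handler; if the guard stays, load the pointer into a local once and use that local for both the test and the call that compares against PACKET_RCVD, and include the crashing call path in the commit message.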
-- 
1.7.1




* Re:[PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()
  2014-03-24  7:34 [PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err() Wei Zhang
@ 2014-03-24  7:49 ` wei zhang
  2014-03-24 19:14 ` [PATCH] " David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: wei zhang @ 2014-03-24  7:49 UTC
  To: Wei Zhang
  Cc: xeb, davem, kuznet, jmorris, yoshfuji, kaber, netdev, linux-kernel


The crash occurs on CentOS 6.4 when we use the gre vport of openvswitch!

<1>BUG: unable to handle kernel NULL pointer dereference at (null)
<1>IP: [<(null)>] (null)
<4>PGD c2910b067 PUD c2927d067 PMD 0 
<4>Oops: 0010 [#1] SMP 
<4>last sysfs file: /sys/devices/virtual/net/gretap0/flags
<4>CPU 20 
<4>Modules linked in: ip_gre ip_tunnel xt_conntrack act_police cls_basic sch_ingress veth ipt_REDIRECT ipmi_devintf ipv6 openvswitch vxlan iptable_filter iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security ip_tables power_meter sg dcdbas microcode sb_edac edac_core iTCO_wdt iTCO_vendor_support shpchp tg3 ext4 jbd2 mbcache sd_mod crc_t10dif ahci wmi megaraid_sas dm_mirror dm_region_hash dm_log dm_mod [last unloaded: speedstep_lib]
<4>
<4>Pid: 2358, comm: ovs-vswitchd Not tainted 2.6.32-358.123.2.openstack.el6.x86_64 #1 Dell Inc. PowerEdge R620/0D2D5F
<4>RIP: 0010:[<0000000000000000>]  [<(null)>] (null)
<4>RSP: 0018:ffff880053743c70  EFLAGS: 00010282
<4>RAX: ffffffffa01cbe20 RBX: ffff880bda46ecc0 RCX: 0000000000000000
<4>RDX: ffff880053743c78 RSI: 0000000000000000 RDI: ffff880bda46ecc0
<4>RBP: ffff880053743ca8 R08: 000000005617f772 R09: 0000000000000000
<4>R10: 0000000000000000 R11: 0000000000000000 R12: ffff880053743c78
<4>R13: 0000000000000000 R14: ffff880be5a5b244 R15: 0000000000000000
<4>FS:  00007fe5d5f837c0(0000) GS:ffff880053740000(0000) knlGS:0000000000000000
<4>CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>CR2: 0000000000000000 CR3: 0000000c2a804000 CR4: 00000000000407e0
<4>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
<4>DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
<4>Process ovs-vswitchd (pid: 2358, threadinfo ffff880c284e0000, task ffff880c28d1f500)
<4>Stack:
<4> ffffffff814c6e61 00000000aba73000 0000000000000000 ffff880053743cc8
<4><d> 000000000000002f ffff880bda46ecc0 ffff881800deb200 ffff880053743cb8
<4><d> ffffffff814c676b ffff880053743cf8 ffffffff814afa91 ffff880053743ce8
<4>Call Trace:
<4> <IRQ> 
<4> [<ffffffff814c6e61>] ? gre_cisco_err+0x71/0x80
<4> [<ffffffff814c676b>] gre_err+0x4b/0x50
<4> [<ffffffff814afa91>] icmp_unreach+0x141/0x2e0
<4> [<ffffffff814b02e0>] icmp_rcv+0x290/0x330
<4> [<ffffffff814a8c71>] ? raw_local_deliver+0x221/0x250
<4> [<ffffffff8148222d>] ip_local_deliver_finish+0xdd/0x2d0
<4> [<ffffffff814824b8>] ip_local_deliver+0x98/0xa0
<4> [<ffffffff8148197d>] ip_rcv_finish+0x12d/0x440
<4> [<ffffffff81481f05>] ip_rcv+0x275/0x350
<4> [<ffffffffa01ca503>] ? ovs_netdev_frame_hook+0xb3/0x110 [openvswitch]
<4> [<ffffffff81449e6b>] __netif_receive_skb+0x4ab/0x750
<4> [<ffffffff8144a1aa>] process_backlog+0x9a/0x100
<4> [<ffffffff8144f483>] net_rx_action+0x103/0x2f0
<4> [<ffffffff810770b1>] __do_softirq+0xc1/0x1e0
<4> [<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
<4> [<ffffffff8100c1cc>] call_softirq+0x1c/0x30
<4> <EOI> 
<4> [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
<4> [<ffffffff81076f3a>] local_bh_enable+0x9a/0xb0
<4> [<ffffffffa01c3b9c>] ovs_packet_cmd_execute+0x20c/0x240 [openvswitch]
<4> [<ffffffff81476013>] genl_rcv_msg+0x203/0x250
<4> [<ffffffff81475e10>] ? genl_rcv_msg+0x0/0x250
<4> [<ffffffff81474ca9>] netlink_rcv_skb+0xa9/0xd0
<4> [<ffffffff81475df5>] genl_rcv+0x25/0x40
<4> [<ffffffff814748db>] netlink_unicast+0x2db/0x320
<4> [<ffffffff81475350>] netlink_sendmsg+0x2c0/0x3d0
<4> [<ffffffff81436b33>] sock_sendmsg+0x123/0x150
<4> [<ffffffff814387e3>] ? sock_recvmsg+0x133/0x160
<4> [<ffffffff81096da0>] ? autoremove_wake_function+0x0/0x40
<4> [<ffffffff81197af0>] ? pollwake+0x0/0x60
<4> [<ffffffff81197af0>] ? pollwake+0x0/0x60
<4> [<ffffffff8118c687>] ? pipe_read+0x2a7/0x4e0
<4> [<ffffffff81197af0>] ? pollwake+0x0/0x60
<4> [<ffffffff81438326>] __sys_sendmsg+0x406/0x420
<4> [<ffffffff811c7c54>] ? ep_scan_ready_list+0x194/0x1a0
<4> [<ffffffff811c7dae>] ? ep_poll+0x12e/0x330
<4> [<ffffffff8121cb26>] ? security_file_permission+0x16/0x20
<4> [<ffffffff81438549>] sys_sendmsg+0x49/0x90
<4> [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
<4>Code:  Bad RIP value.
<1>RIP  [<(null)>] (null)
<4> RSP <ffff880053743c70>
<4>CR2: 0000000000000000


* Re: [PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()
  2014-03-24  7:34 [PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err() Wei Zhang
  2014-03-24  7:49 ` wei zhang
@ 2014-03-24 19:14 ` David Miller
  2014-03-25  8:56   ` wei zhang
  1 sibling, 1 reply; 4+ messages in thread
From: David Miller @ 2014-03-24 19:14 UTC
  To: asuka.com; +Cc: xeb, kuznet, jmorris, yoshfuji, kaber, netdev, linux-kernel

From: Wei Zhang <asuka.com@163.com>
Date: Mon, 24 Mar 2014 15:34:31 +0800

> When using the gre vport, openvswitch registers a gre_cisco_protocol but
> does not supply an err_handler with it. gre_cisco_err() calls the
> err_handler without an existence check, causing the kernel to crash.
> 
> This patch is based on v3.14-rc7, but the bug affects all kernels newer than
> 3.11!
> 
> Signed-off-by: Wei Zhang <asuka.com@163.com>

Rather, openvswitch should provide an appropriate ->err_handler() that
returns PACKET_RCVD or PACKET_REJECT.

I'm not applying this patch.
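
A user-space model of the two positions in this thread, added here as an example and not code from the kernel or from any participant: dispatch_err() carries the patch's guard, vport_err_reject() is the kind of handler the reply asks for, and proto_register() is a hypothetical registration-time check. The simplified types, PROTO_SLOTS and the numeric values given to PACKET_RCVD and PACKET_REJECT are assumptions.

```c
/* User-space model of the dispatch in the thread; types are simplified. */
#include <stddef.h>
#include <stdio.h>
enum { PACKET_RCVD = 0, PACKET_REJECT = 1 };
#define PROTO_SLOTS 2 /* hypothetical table size */

struct gre_cisco_protocol {
    int (*err_handler)(const void *pkt, unsigned int info);
};

static struct gre_cisco_protocol *gre_cisco_proto_list[PROTO_SLOTS];

/* Dispatch with the guard from the patch: a missing callback is skipped. */
static int dispatch_err(const void *pkt, unsigned int info)
{
    for (int i = 0; i < PROTO_SLOTS; i++) {
        struct gre_cisco_protocol *proto = gre_cisco_proto_list[i];
        if (!proto || !proto->err_handler)
            continue;
        if (proto->err_handler(pkt, info) == PACKET_RCVD)
            return PACKET_RCVD;
    }
    return PACKET_REJECT;
}

/* Hypothetical registration check: refuse an entry with no err_handler. */
static int proto_register(struct gre_cisco_protocol *p, int slot)
{
    if (slot < 0 || slot >= PROTO_SLOTS || !p || !p->err_handler)
        return -1;
    gre_cisco_proto_list[slot] = p;
    return 0;
}

/* What the reply asks the registrant for: a handler that declines. */
static int vport_err_reject(const void *pkt, unsigned int info)
{
    (void)pkt; (void)info;
    return PACKET_REJECT;
}

int main(void)
{
    struct gre_cisco_protocol bad = { NULL }, good = { vport_err_reject };
    int r_bad = proto_register(&bad, 0), r_good = proto_register(&good, 0);
    printf("no handler: %d, with handler: %d, dispatch: %d\n",
           r_bad, r_good, dispatch_err(NULL, 0));
    return 0;
}
```

With the registration check in place the guard in the dispatcher becomes a second line of defence rather than the only one.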


* Re: [PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()
  2014-03-24 19:14 ` [PATCH] " David Miller
@ 2014-03-25  8:56   ` wei zhang
  0 siblings, 0 replies; 4+ messages in thread
From: wei zhang @ 2014-03-25  8:56 UTC
  To: David Miller; +Cc: xeb, kuznet, jmorris, yoshfuji, kaber, netdev, linux-kernel


At 2014-03-25 03:14:17,"David Miller" <davem@davemloft.net> wrote:
>From: Wei Zhang <asuka.com@163.com>
>Date: Mon, 24 Mar 2014 15:34:31 +0800
>
>> When using the gre vport, openvswitch registers a gre_cisco_protocol but
>> does not supply an err_handler with it. gre_cisco_err() calls the
>> err_handler without an existence check, causing the kernel to crash.
>> 
>> This patch is based on v3.14-rc7, but the bug affects all kernels newer than
>> 3.11!
>> 
>> Signed-off-by: Wei Zhang <asuka.com@163.com>
>
>Rather, openvswitch should provide an appropriate ->err_handler() that
>returns PACKET_RCVD or PACKET_REJECT.

Thank you for your explanation, I misunderstood it.
I'm very sorry for the bother!

>
>I'm not applying this patch.

