From: Stephen Hemminger <stephen@networkplumber.org>
To: netdev@vger.kernel.org
Subject: Fw: [Bug 202561] BUG: Null pointer dereference in __skb_unlink()
Date: Tue, 12 Feb 2019 14:45:47 -0800 [thread overview]
Message-ID: <20190212144547.27dca239@shemminger-XPS-13-9360> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=202561
Backtrace:
[ 3.589241] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 3.598006] IP: __skb_try_recv_from_queue+0x4e/0x1b0
[ 3.606376] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 3.720520] RIP: 0010:__skb_try_recv_from_queue+0x4e/0x1b0
[ 3.726645] RSP: 0018:ffffb03400e53ac8 EFLAGS: 00010046
[ 3.732470] RAX: ffff9040a78988c8 RBX: ffff904096bbef00 RCX: 000000000000000
[ 3.740441] RDX: 0000000000000000 RSI: ffff9040a78988c8 RDI: fff9040a7898800
[ 3.748411] RBP: ffffb03400e53ae8 R08: ffffb03400e53bf8 R09: fffb03400e53bfc
[ 3.756382] R10: ffff904096989d00 R11: 0000000000000000 R12: fff9040a78988dc
[ 3.764345] R13: ffff9040a78988c8 R14: 0000000000000202 R15: fffb03400e53ba8
[ 3.772305] FS: 00007feb1ef2f740(0000) GS:ffff9040bfd00000(0000) knlGS:0000000000000000
[ 3.781342] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.787757] CR2: 0000000000000008 CR3: 00000001e87fa000 CR4: 00000000003406a0
[ 3.795725] Call Trace:
[ 3.798456] ? preempt_count_add+0x22/0x30
[ 3.803027] __skb_try_recv_datagram+0xe2/0x160
[ 3.808086] __skb_recv_datagram+0x8a/0xc0
[ 3.812657] skb_recv_datagram+0x3a/0x50
[ 3.817035] netlink_recvmsg+0x4e/0x3c0
[ 3.821315] ? copy_msghdr_from_user+0xcf/0x150
[ 3.826372] sock_recvmsg+0x3b/0x50
[ 3.830264] ___sys_recvmsg+0xd4/0x180
[ 3.834441] ? poll_select_copy_remaining+0x140/0x140
[ 3.840080] ? poll_select_copy_remaining+0x140/0x140
[ 3.845721] ? __switch_to_asm+0x34/0x70
[ 3.850098] ? __switch_to_asm+0x40/0x70
[ 3.854473] ? __switch_to_asm+0x34/0x70
[ 3.858849] ? __switch_to_asm+0x40/0x70
[ 3.863228] ? __switch_to_asm+0x34/0x70
[ 3.867604] ? __fget+0x71/0xa0
[ 3.871108] __sys_recvmsg+0x4c/0x90
[ 3.875097] ? __sys_recvmsg+0x4c/0x90
[ 3.879280] SyS_recvmsg+0x9/0x10
[ 3.882979] do_syscall_64+0x7e/0x350
[ 3.887064] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 3.892315] entry_SYSCALL_64_after_hwframe+0x42/0xb7
Original report from sharathkernel@gmail.com:
NULL POINTER DEREFERENCE DURING __skb_unlink()
In the function __skb_try_recv_from_queue() (net/core/datagram.c),
skb_queue_walk() walks through the queue without checking whether the next member in the queue has a valid next pointer/address. When a socket buffer has to be unlinked, __skb_unlink() is called.
Inside the __skb_unlink() function, it doesn't verify that skb->next has a valid address. skb->next is assigned and used without verifying the value inside it.
What could be a probable solution in this scenario? Should we check that skb->next is not NULL before calling __skb_unlink()?
--------------------------------------------------------------------------
--------------------------------------------------------------------------
net/core/datagram.c
struct sk_buff *__skb_try_recv_from_queue(struct sock *sk, struct sk_buff_head *queue,
					  unsigned int flags,
					  void (*destructor)(struct sock *sk, struct sk_buff *skb),
					  int *peeked, int *off, int *err,
					  struct sk_buff **last)
{
	...
	...
	...
	skb_queue_walk(queue, skb) {
		...
		...
		...
		} else {
==>			__skb_unlink(skb, queue);
			if (destructor) {
				....
			...
	...
}
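Added example (not from the bug report, from the thread, or from the kernel tree): a user-space C model of the sk_buff list primitives named in the report, written to show what the proposed NULL check would and would not buy. The link layout and the body of __skb_unlink() follow the kernel's definitions; skb_unlink_sane(), dequeue_checked(), the demo_* functions and the sk_buff_head model with an embedded sentinel are assumptions made for this model only. It shows two things: with next at offset 0 and prev at offset 8, an skb whose next pointer is NULL makes __skb_unlink() store through next->prev, i.e. a write to address 8, which matches the CR2 value and the write-type Oops code 0002 in the trace above; and an skb in that state is by construction not linked into any queue, so a bare NULL test before __skb_unlink() would skip the unlink silently and leave the real defect (an earlier double unlink, or a stale pointer to a freed skb) undiagnosed. The check below refuses the operation and reports it instead, which is the behaviour a defender wants from such a check.

```c
/* Added example: user-space model of the sk_buff queue primitives involved in
 * bug 202561. Not kernel code; structs are reduced to the link fields.
 * Build: gcc -std=c11 -Wall -o skbmodel skbmodel.c && ./skbmodel */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* struct sk_buff begins with its list links: next at offset 0, prev at
 * offset sizeof(void *) (8 on x86-64), the faulting address in the oops when
 * 'next' is NULL and __skb_unlink() stores through next->prev. */
struct sk_buff {
	struct sk_buff *next;
	struct sk_buff *prev;
	int id;			/* constructed stand-in for the real payload */
};

/* Model of struct sk_buff_head. The kernel declares next/prev directly as the
 * first two members and casts the head to struct sk_buff *; this model embeds
 * a sentinel sk_buff (same layout) so that cast is well defined in plain C. */
struct sk_buff_head {
	struct sk_buff sentinel;
	unsigned int qlen;
};
#define SKB_HEAD(list) (&(list)->sentinel)

static void skb_queue_head_init(struct sk_buff_head *list)
{
	list->sentinel.next = list->sentinel.prev = SKB_HEAD(list);
	list->qlen = 0;
}

static void __skb_queue_tail(struct sk_buff_head *list, struct sk_buff *newsk)
{
	struct sk_buff *prev = list->sentinel.prev;

	newsk->next = SKB_HEAD(list);
	newsk->prev = prev;
	prev->next = newsk;
	list->sentinel.prev = newsk;
	list->qlen++;
}

/* Same link manipulation as the kernel's __skb_unlink(): it trusts skb->next
 * and skb->prev, clears them, and its first store goes through next. */
static void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
{
	struct sk_buff *next = skb->next, *prev = skb->prev;

	list->qlen--;
	skb->next = skb->prev = NULL;
	next->prev = prev;		/* NULL next => write fault at offset 8 */
	prev->next = next;
}

/* Assumed helper, not in the kernel: NULL links mean the skb is on no queue
 * (already unlinked, or freed and reused); neighbours that do not point back
 * mean the queue itself is corrupted. Either way unlinking is unsafe. */
static bool skb_unlink_sane(const struct sk_buff *skb)
{
	if (!skb->next || !skb->prev)
		return false;
	if (skb->next->prev != skb || skb->prev->next != skb)
		return false;
	return true;
}

/* Assumed helper: the walk-and-unlink core of __skb_try_recv_from_queue(),
 * refusing with -1 (and reporting) instead of faulting on a bad skb. */
static int dequeue_checked(struct sk_buff_head *queue, struct sk_buff **out)
{
	struct sk_buff *skb;

	*out = NULL;
	for (skb = queue->sentinel.next; skb != SKB_HEAD(queue); skb = skb->next) {
		if (!skb_unlink_sane(skb)) {
			fprintf(stderr, "skb %d: links unsafe, refusing unlink\n", skb->id);
			return -1;
		}
		__skb_unlink(skb, queue);
		*out = skb;
		return 0;
	}
	return 0;		/* empty queue */
}

size_t prev_offset(void)
{
	return offsetof(struct sk_buff, prev);
}

/* Normal case: two queued skbs; the first is dequeued and links stay consistent. */
int demo_normal(void)
{
	struct sk_buff_head q;
	struct sk_buff a = { .id = 1 }, b = { .id = 2 }, *got;

	skb_queue_head_init(&q);
	__skb_queue_tail(&q, &a);
	__skb_queue_tail(&q, &b);
	if (dequeue_checked(&q, &got) != 0 || got != &a)
		return -1;
	if (q.qlen != 1 || q.sentinel.next != &b || b.prev != SKB_HEAD(&q))
		return -2;
	return 0;
}

/* Reported condition, constructed: an skb that was already unlinked (next is
 * NULL) is still referenced from the queue head. Unchecked, the walk would
 * reach __skb_unlink() and store through NULL->prev. */
int demo_stale_reference(void)
{
	struct sk_buff_head q;
	struct sk_buff a = { .id = 1 }, *got;

	skb_queue_head_init(&q);
	__skb_queue_tail(&q, &a);
	__skb_unlink(&a, &q);		/* legitimate unlink: a.next == a.prev == NULL */
	q.sentinel.next = &a;		/* constructed corruption: stale pointer left behind */
	q.qlen = 1;
	return dequeue_checked(&q, &got);	/* -1: refused, got == NULL */
}

int main(void)
{
	printf("prev offset: %zu\n", prev_offset());
	printf("normal dequeue: %d\n", demo_normal());
	printf("stale reference: %d (refused)\n", demo_stale_reference());
	return 0;
}
```

The sanity check costs two extra loads per dequeue and is the same shape as the kernel's own list-debugging checks; the point of modelling it is that the refusal path carries diagnostics (which skb, which link) that a silent NULL test before __skb_unlink() would throw away.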
Thread overview: 2+ messages
2019-02-12 22:45 Stephen Hemminger [this message]
2019-02-13 19:30 ` Fw: [Bug 202561] BUG: Null pointer dereference in __skb_unlink() Cong Wang