Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp1875454ybi; Mon, 1 Jul 2019 01:58:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqzH6MWcQIef2beqRou6vOrImx7vhYKE5AqGHxbpAg/auxt+njNjRC9WvXN6c6a9Vzgl2jny X-Received: by 2002:a17:902:d20a:: with SMTP id t10mr27113055ply.52.1561971490889; Mon, 01 Jul 2019 01:58:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561971490; cv=none; d=google.com; s=arc-20160816; b=xu1csmQTPlYu6Swy3VtQw7vnzwZkS1FLFj1gcX/XmxFQTFLYsxr1qvl79t6OL2VBhm wfIlsHRhU7XX9GzbY65nJk7keYr+IhaDS5dV+nLdQ9XJbeDjiKXCPiJWbI9Fatf2TSyd y+dDeN3UwiJIazKGpvzn7bEicAHHXy9vED58aU6o4ixFwQ3O33TSh7qhLFm1C/OJdV9F 2FSIfujXmU9ns7YoCdDnuYEE8OUbhRfEOO2dAarAZ8KARW+7lIx1F+jod/P+hKmNJYE9 tyCzTC8CvSPe8reyIP0BJYMTDVPpSwNTBWTiSOC12CLRdbsLUXm2YNstR+LXbrBfTDVN 080g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:openpgp:from:references:cc:to:subject; bh=09spr0ZmtbhAtAbGTHnLA1YvhBQiMyELYNMxkams4ns=; b=TtNyn6mfq2bFVK0iInMiQ9xb7BOqjCYbFJbDtARmYkDo9YFC3NfRnxMRfK7COQWsqB G64Lv/ItmZDI/Ug+Y/vNinh9KfLTOBOmEIRoPpzDYXjPPzxpIIdLyKMoytRQRUqMDMgo ifiBcpwvGwG08MGdg36aVJPhfkfzvy4UwYkfwyEP0EUD0XJcqtPj4vZjfxb1mp4jFgyz Mpxcl/PBiq0akhhXp0US9w+jLYrAuMRdYpvllJrPfJeFvV6XYgOUELUKYGL/BMngS4MA 6wVniSNsXPcxK6jNbds9CYCicL1Kled/NpI62ig3CYIactUtrBV/Idzvvtc2L/HPR5Qx CG7A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y193si411345pgd.108.2019.07.01.01.57.55; Mon, 01 Jul 2019 01:58:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728202AbfGAI5n (ORCPT + 99 others); Mon, 1 Jul 2019 04:57:43 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:37607 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726442AbfGAI5m (ORCPT ); Mon, 1 Jul 2019 04:57:42 -0400 Received: by mail-wr1-f67.google.com with SMTP id v14so12850120wrr.4; Mon, 01 Jul 2019 01:57:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=09spr0ZmtbhAtAbGTHnLA1YvhBQiMyELYNMxkams4ns=; b=qMEbd6oNJKhl32M55VZOrp8onAZ0C1xnxEsoX/yVBHUyDOpZfJY56bM9RZlqAMuQmb MN/veqIajiK2UdFhouIZVM/nDW4fI9dWzOiyFkSnTrRuaHkcnw8kPAPg76N/AMVyhXzP guLfJHkWJ9zbkoRv6DQR+xHluW++35MM2jQDFZ3zmuwcy5Lim/zQVBMtBRAlewrUpppa 0kRKT/bHkmUA/6EEDhwruJgArBx8vZj2lvqt5/S/eDzE+GDXrqn/PmahhRGas9VbZJux 6ttfinDeqU2rBVClk/ocayhan7ajKstVYYGj/R+BNIf+ymIE22/fi6o1ywWc75W3P16e xSiw== X-Gm-Message-State: APjAAAUkbYTtVYnd8w+rBCuNePQQzLsrUy+I+HNpRO9H5dWkBinFmIec 2M8ur9uTUpwVsMm/pN6eXYhaW9zt X-Received: by 2002:a5d:6b90:: with SMTP id n16mr7324350wrx.206.1561971459414; Mon, 01 Jul 2019 01:57:39 -0700 (PDT) Received: from ?IPv6:2a0b:e7c0:0:107::70f? ([2a0b:e7c0:0:107::70f]) by smtp.gmail.com with ESMTPSA id o24sm12138063wmh.2.2019.07.01.01.57.37 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Mon, 01 Jul 2019 01:57:38 -0700 (PDT) Subject: Re: [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control() To: Gen Zhang , davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20190524031946.GA6463@zhanggen-UX430UQ> From: Jiri Slaby Openpgp: preference=signencrypt Autocrypt: addr=jslaby@suse.cz; prefer-encrypt=mutual; keydata= mQINBE6S54YBEACzzjLwDUbU5elY4GTg/NdotjA0jyyJtYI86wdKraekbNE0bC4zV+ryvH4j rrcDwGs6tFVrAHvdHeIdI07s1iIx5R/ndcHwt4fvI8CL5PzPmn5J+h0WERR5rFprRh6axhOk rSD5CwQl19fm4AJCS6A9GJtOoiLpWn2/IbogPc71jQVrupZYYx51rAaHZ0D2KYK/uhfc6neJ i0WqPlbtIlIrpvWxckucNu6ZwXjFY0f3qIRg3Vqh5QxPkojGsq9tXVFVLEkSVz6FoqCHrUTx wr+aw6qqQVgvT/McQtsI0S66uIkQjzPUrgAEtWUv76rM4ekqL9stHyvTGw0Fjsualwb0Gwdx ReTZzMgheAyoy/umIOKrSEpWouVoBt5FFSZUyjuDdlPPYyPav+hpI6ggmCTld3u2hyiHji2H cDpcLM2LMhlHBipu80s9anNeZhCANDhbC5E+NZmuwgzHBcan8WC7xsPXPaiZSIm7TKaVoOcL 9tE5aN3jQmIlrT7ZUX52Ff/hSdx/JKDP3YMNtt4B0cH6ejIjtqTd+Ge8sSttsnNM0CQUkXps w98jwz+Lxw/bKMr3NSnnFpUZaxwji3BC9vYyxKMAwNelBCHEgS/OAa3EJoTfuYOK6wT6nadm YqYjwYbZE5V/SwzMbpWu7Jwlvuwyfo5mh7w5iMfnZE+vHFwp/wARAQABtBtKaXJpIFNsYWJ5 IDxqc2xhYnlAc3VzZS5jej6JAjgEEwECACIFAk6S6NgCGwMGCwkIBwMCBhUIAgkKCwQWAgMB Ah4BAheAAAoJEL0lsQQGtHBJgDsP/j9wh0vzWXsOPO3rDpHjeC3BT5DKwjVN/KtP7uZttlkB duReCYMTZGzSrmK27QhCflZ7Tw0Naq4FtmQSH8dkqVFugirhlCOGSnDYiZAAubjTrNLTqf7e 5poQxE8mmniH/Asg4KufD9bpxSIi7gYIzaY3hqvYbVF1vYwaMTujojlixvesf0AFlE4x8WKs wpk43fmo0ZLcwObTnC3Hl1JBsPujCVY8t4E7zmLm7kOB+8EHaHiRZ4fFDWweuTzRDIJtVmrH LWvRDAYg+IH3SoxtdJe28xD9KoJw4jOX1URuzIU6dklQAnsKVqxz/rpp1+UVV6Ky6OBEFuoR 613qxHCFuPbkRdpKmHyE0UzmniJgMif3v0zm/+1A/VIxpyN74cgwxjhxhj/XZWN/LnFuER1W zTHcwaQNjq/I62AiPec5KgxtDeV+VllpKmFOtJ194nm9QM9oDSRBMzrG/2AY/6GgOdZ0+qe+ 4BpXyt8TmqkWHIsVpE7I5zVDgKE/YTyhDuqYUaWMoI19bUlBBUQfdgdgSKRMJX4vE72dl8BZ +/ONKWECTQ0hYntShkmdczcUEsWjtIwZvFOqgGDbev46skyakWyod6vSbOJtEHmEq04NegUD al3W7Y/FKSO8NqcfrsRNFWHZ3bZ2Q5X0tR6fc6gnZkNEtOm5fcWLY+NVz4HLaKrJuQINBE6S 54YBEADPnA1iy/lr3PXC4QNjl2f4DJruzW2Co37YdVMjrgXeXpiDvneEXxTNNlxUyLeDMcIQ K8obCkEHAOIkDZXZG8nr4mKzyloy040V0+XA9paVs6/ice5l+yJ1eSTs9UKvj/pyVmCAY1Co SNN7sfPaefAmIpduGacp9heXF+1Pop2PJSSAcCzwZ3PWdAJ/w1Z1Dg/tMCHGFZ2QCg4iFzg5 Bqk4N34WcG24vigIbRzxTNnxsNlU1H+tiB81fngUp2pszzgXNV7CWCkaNxRzXi7kvH+MFHu2 1m/TuujzxSv0ZHqjV+mpJBQX/VX62da0xCgMidrqn9RCNaJWJxDZOPtNCAWvgWrxkPFFvXRl t52z637jleVFL257EkMI+u6UnawUKopa+Tf+R/c+1Qg0NHYbiTbbw0pU39olBQaoJN7JpZ99 T1GIlT6zD9FeI2tIvarTv0wdNa0308l00bas+d6juXRrGIpYiTuWlJofLMFaaLYCuP+e4d8x rGlzvTxoJ5wHanilSE2hUy2NSEoPj7W+CqJYojo6wTJkFEiVbZFFzKwjAnrjwxh6O9/V3O+Z XB5RrjN8hAf/4bSo8qa2y3i39cuMT8k3nhec4P9M7UWTSmYnIBJsclDQRx5wSh0Mc9Y/psx9 B42WbV4xrtiiydfBtO6tH6c9mT5Ng+d1sN/VTSPyfQARAQABiQIfBBgBAgAJBQJOkueGAhsM AAoJEL0lsQQGtHBJN7UQAIDvgxaW8iGuEZZ36XFtewH56WYvVUefs6+Pep9ox/9ZXcETv0vk DUgPKnQAajG/ViOATWqADYHINAEuNvTKtLWmlipAI5JBgE+5g9UOT4i69OmP/is3a/dHlFZ3 qjNk1EEGyvioeycJhla0RjakKw5PoETbypxsBTXk5EyrSdD/I2Hez9YGW/RcI/WC8Y4Z/7FS ITZhASwaCOzy/vX2yC6iTx4AMFt+a6Z6uH/xGE8pG5NbGtd02r+m7SfuEDoG3Hs1iMGecPyV XxCVvSV6dwRQFc0UOZ1a6ywwCWfGOYqFnJvfSbUiCMV8bfRSWhnNQYLIuSv/nckyi8CzCYIg c21cfBvnwiSfWLZTTj1oWyj5a0PPgGOdgGoIvVjYXul3yXYeYOqbYjiC5t99JpEeIFupxIGV ciMk6t3pDrq7n7Vi/faqT+c4vnjazJi0UMfYnnAzYBa9+NkfW0w5W9Uy7kW/v7SffH/2yFiK 9HKkJqkN9xYEYaxtfl5pelF8idoxMZpTvCZY7jhnl2IemZCBMs6s338wS12Qro5WEAxV6cjD VSdmcD5l9plhKGLmgVNCTe8DPv81oDn9s0cIRLg9wNnDtj8aIiH8lBHwfUkpn32iv0uMV6Ae sLxhDWfOR4N+wu1gzXWgLel4drkCJcuYK5IL1qaZDcuGR8RPo3jbFO7Y Message-ID: <1b5f82ae-31a7-db36-dc9d-efc46cda2af3@suse.cz> Date: Mon, 1 Jul 2019 10:57:36 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 MIME-Version: 1.0 In-Reply-To: <20190524031946.GA6463@zhanggen-UX430UQ> Content-Type: text/plain; charset=iso-8859-2 Content-Language: en-GB Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 24. 05. 19, 5:19, Gen Zhang wrote: > In function ip6_ra_control(), the pointer new_ra is allocated a memory > space via kmalloc(). And it is used in the following codes. However, > when there is a memory allocation error, kmalloc() fails. Thus null > pointer dereference may happen. And it will cause the kernel to crash. > Therefore, we should check the return value and handle the error. > > Signed-off-by: Gen Zhang > > --- > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c > index 40f21fe..0a3d035 100644 > --- a/net/ipv6/ipv6_sockglue.c > +++ b/net/ipv6/ipv6_sockglue.c > @@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel) > return -ENOPROTOOPT; > > new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL; > + if (sel >= 0 && !new_ra) > + return -ENOMEM; > > write_lock_bh(&ip6_ra_lock); > for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) { > Was this really an omission? There is (!new_ra) handling below the for loop: if (!new_ra) { write_unlock_bh(&ip6_ra_lock); return -ENOBUFS; } It used to handle both (sel >= 0) and (sel == 0) cases and it used to return ENOBUFS in case of failure. For (sel >= 0) it also could at least return EADDRINUSE when a collision was found -- even if memory was exhausted. In anyway, how could this lead to a pointer dereference? And why/how did this get a CVE number? thanks, -- js suse labs