Subject: Re: [BUG] net: xfrm: possible null-pointer dereferences in xfrm_policy()
To: Steffen Klassert
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
References: <464bb93d-75b2-c21b-ee32-25a10ff61622@gmail.com> <20190729080341.GJ2879@gauss3.secunet.de>
From: Jia-Ju Bai
Date: Mon, 29 Jul 2019 16:06:40 +0800
In-Reply-To: <20190729080341.GJ2879@gauss3.secunet.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019/7/29 16:03, Steffen Klassert wrote:
> On Mon, Jul 29, 2019 at 11:43:49AM +0800, Jia-Ju Bai wrote:
>> In xfrm_policy(), the while loop on lines 3802-3830 ends when dst->xfrm is
>> NULL.
> We don't have an xfrm_policy() function, and as said already the
> line numbers do not help much as long as you don't say which
> tree/branch this is and which commit is the head commit.
>
>> Then, dst->xfrm is used on line 3840:
>>     xfrm_state_mtu(dst->xfrm, mtu);
>>         if (x->km.state != XFRM_STATE_VALID...)
>>         aead = x->data;
>>
>> Thus, possible null-pointer dereferences may occur.
> I guess you refer to xfrm_bundle_ok(). The dst pointer
> is reloaded after the loop, so the dereferenced pointer
> is not the one that had NULL at dst->xfrm.
>
>> These bugs are found by a static analysis tool STCheck written by us.
>>
>> I do not know how to correctly fix these bugs, so I only report them.
> I'd suggest you manually review the reports of your
> tool and fix the tool accordingly.

Oh, sorry for my mistakes.
I have found that dst is updated:
    dst = &xdst->u.dst;
I will fix my tool, thanks.

Best wishes,
Jia-Ju Bai
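A constructed C model of the pointer reload Steffen describes, added here as an illustration and not code from the thread or from the kernel: the struct layouts, the helper names and the mtu value are assumptions, chosen so the walk that exits on dst->xfrm == NULL and the later "dst = &xdst->u.dst;" reload can be run side by side with the version the report implicitly assumed.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed, simplified stand-ins for the kernel's dst/xfrm types; the
 * field names follow the thread, the layout is assumed and not the kernel's. */
struct xfrm_state_model { unsigned int mtu; };
struct dst_model {
    struct xfrm_state_model *xfrm;   /* NULL on the plain route at the bottom */
    struct dst_model *child;
};
struct xfrm_dst_model { struct dst_model dst; };  /* plays xdst->u.dst */

/* The flagged loop: it exits exactly when dst->xfrm is NULL, so the dst it
 * returns can never be dereferenced through ->xfrm. Assumes a well-formed
 * bundle that ends in a dst whose xfrm is NULL. */
static struct dst_model *walk_to_bottom(struct dst_model *dst)
{
    while (dst->xfrm)
        dst = dst->child;
    return dst;
}

/* What the code actually does: after the walk, dst is reloaded to the head of
 * the bundle before dst->xfrm is used. Returns that state's mtu, or 0 if the
 * dereference really would hit NULL. */
static unsigned int mtu_after_reload(struct xfrm_dst_model *xdst)
{
    struct dst_model *dst = &xdst->dst;
    dst = walk_to_bottom(dst);       /* here dst->xfrm == NULL */
    dst = &xdst->dst;                /* the "dst = &xdst->u.dst;" reload */
    return dst->xfrm ? dst->xfrm->mtu : 0;
}

/* What the report assumed: the post-loop dst is used directly. The guard
 * turns the would-be NULL dereference into a 0 return so the contrast is visible. */
static unsigned int mtu_without_reload(struct xfrm_dst_model *xdst)
{
    struct dst_model *dst = walk_to_bottom(&xdst->dst);
    return dst->xfrm ? dst->xfrm->mtu : 0;
}

/* Constructed two-level bundle: one xfrm dst stacked on a plain route. */
static unsigned int demo(bool reload)
{
    static struct xfrm_state_model state = { .mtu = 1400 };
    static struct dst_model bottom = { .xfrm = NULL, .child = NULL };
    static struct xfrm_dst_model head = { { &state, &bottom } };
    return reload ? mtu_after_reload(&head) : mtu_without_reload(&head);
}
```

A flow-sensitive checker has to track the reassignment of dst after the loop; a report that carries the loop-exit fact (dst->xfrm == NULL) forward past that reload is the false positive discussed above.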