Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3753295pxb;
        Mon, 30 Aug 2021 09:51:38 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwUP+26eWJYlJzDcFv8u4ItW4155iMJWPlefDoT3ewvF8aXVlQLrzsCqZA4yWZTHYS/re+T
X-Received: by 2002:a92:d582:: with SMTP id a2mr18069348iln.261.1630342298099;
        Mon, 30 Aug 2021 09:51:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1630342298; cv=none;
        d=google.com; s=arc-20160816;
        b=nIXO87qKWRpPL3BNV6Q4bVLtCUFAaEqAMLjp7ZkQThm/xJ2WGsPmwZQTTKPY+M1n0E
         sVyvvXImTURgIotUYknHfTY+mEHdxOa3BQFK/P9uPnS4ZSto0h7iGu8Om8FIj0JNePbS
         /djZlHkGWPph+ip81p8CNkPK5UEd5PILq5JIxqCshZgbpbXOYzMRGdrsV7HVZx9hUYaz
         TxcG3zlwBMJHaKlQXG/DZb0cBYn1c2S2nONTfzeXpHU/CprMhHu6fA8IsOYSG5ReT2p5
         imepDi0ojusnoM+Iji0cZdk9SwepHJhn4sTAzMJBkD7AdrM1MwHwP/jkjjoVuswh6TIw
         bOFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=bQVMvYcjCnMFgvYOVDQREa1BXf8UCBlf+lOOy+41N5U=;
        b=kvJrptVDZyV4RlheYaUzA1yv3Dj/bkb/kqKaIkT3U/W9hFARpsU0m0maBFmWDANm1k
         k8qmeaeIYOmNoY/tPkSDpASZxyYOyvIwBHWdLI+0n7wWrLHsNbFJiEzxMcb0olmD6Hi7
         haj9h91Q1e2APcYS0aq9u1p5O1Imo4fJnIMvLusFRtiqIIDLQrMlkIXMB/mmf7iPW6Hp
         xf3XkErM8VKQ4W0++lO3qSY5VwP+Rdj3SV0JiMQrkEM6fGS0HUNPOitsgbRzX2B+slgz
         KGleEW6/pn8BxiE8ynrN1705sGPSEjWikgbKLYFat1uKG3X6M6TLAe4Q/vFCoJHJxM9a
         zcBA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=obzbb1pz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e11si11484497ili.46.2021.08.30.09.51.26;
        Mon, 30 Aug 2021 09:51:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=obzbb1pz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231234AbhH3Qvi (ORCPT <rfc822;liunan257@gmail.com> + 99 others);
        Mon, 30 Aug 2021 12:51:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54102 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237808AbhH3Qvh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Aug 2021 12:51:37 -0400
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8886AC061760
        for <linux-kernel@vger.kernel.org>; Mon, 30 Aug 2021 09:50:43 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id u3so32433750ejz.1
        for <linux-kernel@vger.kernel.org>; Mon, 30 Aug 2021 09:50:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=bQVMvYcjCnMFgvYOVDQREa1BXf8UCBlf+lOOy+41N5U=;
        b=obzbb1pzaE1LR8FOGj+GTvRiG8gJkpP+lR1f98oUFk0zlgW9DVHYeNoJPhjBDHIW98
         47IEBb+gsKPIwsCtga4z5CpSMw1iboO+i7+MDAU1P7/JWMEe8kvW6FrNxT8NCgFlCGSD
         ePfyC2Npipk2h3J/gWBvCDfA7vUpiwI54PTOm+w26AFvwnpmeamGky/4GnYqw7r8vedF
         F2d3w3EA9YMq2G9pTFz+NTUjARmEt0VQVCdEy0ub7t6eNo+giW4piBQgkFReTSdxUecm
         Jj64UtjFvvfxkJc3lv28hZqhJe1PF7GpNxLYtJeGk2UXlBUt1aZJXa/4LeFOuWmcFX3x
         v80A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=bQVMvYcjCnMFgvYOVDQREa1BXf8UCBlf+lOOy+41N5U=;
        b=qBmCAjD/lk3aPOj/H4tbMAyUq23Ao8JhZ5sE1UEZPj86/wkxvSYtJ0IRd+XPuQkvkI
         lZo1okFnVrc1aQt7sN4zVojvrDc3XesQ/QtTxRipghYNI3yz9P0cUh8JlM6eGW+9pD5I
         4gz5bvg6iwnyT1T68s3k5c3Bpxn7xrtsukklnOgq0QwzwRTouz6Rc6ukSCWWYSiMyDrh
         yZNGTjpx9oVgV4n4mr8DIuyxJb/1VBJ6FbVFgvfd4+LKsp2ywHj8E87Jbs2RU3kvJyi8
         ygu6jKOTJvDlMztnSbaQ7aGRimzxI2IXWM42Xhc7izZ6F8ST9/Mnzda+SV3qQGmFfO0x
         2uRA==
X-Gm-Message-State: AOAM5323BdsogOATJL++LcI+ux4Jpy3teCi1HGHD/PyDT9+1VGOFq+Rn
        WG43B48kTmHWPEfEkGkHzjtoIUJ0SS10BKgr2Nok
X-Received: by 2002:a17:906:b845:: with SMTP id ga5mr26745803ejb.106.1630342242114;
 Mon, 30 Aug 2021 09:50:42 -0700 (PDT)
MIME-Version: 1.0
References: <c6864908-d093-1705-76ce-94d6af85e092@linux.alibaba.com>
 <18f0171e-0cc8-6ae6-d04a-a69a2a3c1a39@linux.alibaba.com> <CAHC9VhTEs9E+ZeGGp96NnOhmr-6MZLXf6ckHeG8w5jh3AfgKiQ@mail.gmail.com>
 <20210830094525.3c97e460@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
In-Reply-To: <20210830094525.3c97e460@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 30 Aug 2021 12:50:31 -0400
Message-ID: <CAHC9VhRHx=+Fek7W4oyZWVBUENQ8VnD+mWXUytKPKg+9p-J4LQ@mail.gmail.com>
Subject: Re: [PATCH v2] net: fix NULL pointer reference in cipso_v4_doi_free
To:     Jakub Kicinski <kuba@kernel.org>,
        =?UTF-8?B?546L6LSH?= <yun.wang@linux.alibaba.com>
Cc:     "David S. Miller" <davem@davemloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        David Ahern <dsahern@kernel.org>, netdev@vger.kernel.org,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 30, 2021 at 12:45 PM Jakub Kicinski <kuba@kernel.org> wrote:
> On Mon, 30 Aug 2021 10:17:05 -0400 Paul Moore wrote:
> > On Mon, Aug 30, 2021 at 6:28 AM =E7=8E=8B=E8=B4=87 <yun.wang@linux.alib=
aba.com> wrote:
> > >
> > > In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc
> > > failed, we sometime observe panic:
> > >
> > >   BUG: kernel NULL pointer dereference, address:
> > >   ...
> > >   RIP: 0010:cipso_v4_doi_free+0x3a/0x80
> > >   ...
> > >   Call Trace:
> > >    netlbl_cipsov4_add_std+0xf4/0x8c0
> > >    netlbl_cipsov4_add+0x13f/0x1b0
> > >    genl_family_rcv_msg_doit.isra.15+0x132/0x170
> > >    genl_rcv_msg+0x125/0x240
> > >
> > > This is because in cipso_v4_doi_free() there is no check
> > > on 'doi_def->map.std' when doi_def->type got value 1, which
> > > is possibe, since netlbl_cipsov4_add_std() haven't initialize
> > > it before alloc 'doi_def->map.std'.
> > >
> > > This patch just add the check to prevent panic happen in similar
> > > cases.
> > >
> > > Reported-by: Abaci <abaci@linux.alibaba.com>
> > > Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
> > > ---
> > >  net/netlabel/netlabel_cipso_v4.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > I see this was already merged, but it looks good to me, thanks for
> > making those changes.
>
> FWIW it looks like v1 was also merged:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=
=3D733c99ee8b

Yeah, that is unfortunate, there was a brief discussion about that
over on one of the -stable patches for the v1 patch (odd that I never
saw a patchbot post for the v1 patch?).  Having both merged should be
harmless, but we want to revert the v1 patch as soon as we can.
Michael, can you take care of this?

--=20
paul moore
www.paul-moore.com