Message-ID: <4de651adc35341c5fa99db54b9295d4845648563.camel@redhat.com>
Subject: Re: [PATCH net] rxrpc: fix some null-ptr-deref bugs in server_key.c
From: Paolo Abeni
To: David Howells, netdev@vger.kernel.org
Cc: Xiaolong Huang, Marc Dionne, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Date: Thu, 31 Mar 2022 12:43:56 +0200
In-Reply-To: <164865013439.2941502.8966285221215590921.stgit@warthog.procyon.org.uk>
References: <164865013439.2941502.8966285221215590921.stgit@warthog.procyon.org.uk>

On Wed, 2022-03-30 at 15:22 +0100, David Howells wrote:
> From: Xiaolong Huang
>
> Some function calls are not implemented in rxrpc_no_security, there are
> preparse_server_key, free_preparse_server_key and destroy_server_key.
> When rxrpc security type is rxrpc_no_security, user can easily trigger a
> null-ptr-deref bug via ioctl.
> So judgment should be added to prevent it.
>
> The crash log:
> user@syzkaller:~$ ./rxrpc_preparse_s
> [ 37.956878][T15626] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [ 37.957645][T15626] #PF: supervisor instruction fetch in kernel mode
> [ 37.958229][T15626] #PF: error_code(0x0010) - not-present page
> [ 37.958762][T15626] PGD 4aadf067 P4D 4aadf067 PUD 4aade067 PMD 0
> [ 37.959321][T15626] Oops: 0010 [#1] PREEMPT SMP
> [ 37.959739][T15626] CPU: 0 PID: 15626 Comm: rxrpc_preparse_ Not tainted 5.17.0-01442-gb47d5a4f6b8d #43
> [ 37.960588][T15626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
> [ 37.961474][T15626] RIP: 0010:0x0
> [ 37.961787][T15626] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
> [ 37.962480][T15626] RSP: 0018:ffffc9000d9abdc0 EFLAGS: 00010286
> [ 37.963018][T15626] RAX: ffffffff84335200 RBX: ffff888012a1ce80 RCX: 0000000000000000
> [ 37.963727][T15626] RDX: 0000000000000000 RSI: ffffffff84a736dc RDI: ffffc9000d9abe48
> [ 37.964425][T15626] RBP: ffffc9000d9abe48 R08: 0000000000000000 R09: 0000000000000002
> [ 37.965118][T15626] R10: 000000000000000a R11: f000000000000000 R12: ffff888013145680
> [ 37.965836][T15626] R13: 0000000000000000 R14: ffffffffffffffec R15: ffff8880432aba80
> [ 37.966441][T15626] FS: 00007f2177907700(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
> [ 37.966979][T15626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 37.967384][T15626] CR2: ffffffffffffffd6 CR3: 000000004aaf1000 CR4: 00000000000006f0
> [ 37.967864][T15626] Call Trace:
> [ 37.968062][T15626]
> [ 37.968240][T15626] rxrpc_preparse_s+0x59/0x90
> [ 37.968541][T15626] key_create_or_update+0x174/0x510
> [ 37.968863][T15626] __x64_sys_add_key+0x139/0x1d0
> [ 37.969165][T15626] do_syscall_64+0x35/0xb0
> [ 37.969451][T15626] entry_SYSCALL_64_after_hwframe+0x44/0xae
> [ 37.969824][T15626] RIP: 0033:0x43a1f9
>
> Signed-off-by: Xiaolong Huang
> Tested-by: Xiaolong Huang
> Signed-off-by: David Howells
> Acked-by: Marc Dionne
> cc: linux-afs@lists.infradead.org
> Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005069.html

It looks like we can add a couple of Fixes tags to help the stable teams:

Fixes: d5953f6543b5 ("rxrpc: Allow security classes to give more info on server keys")
Fixes: 12da59fcab5a ("rxrpc: Hand server key parsing off to the security class")

Does the above look good to you?

Thanks!

Paolo
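The bug class in the patch above, as an added example that is not part of this thread and is not the kernel's rxrpc code: a user-space C model of a security-class ops table whose hooks are optional, with the unpatched dispatch shape (call the hook unconditionally) next to the guarded one. Only the three hook names come from the commit message; every other name, the "service:class" key description format, the 8-byte key rule and the errno choices are assumptions made for this model.

```c
/*
 * Added example, not kernel code: a user-space model of the bug class in
 * the patch above. A security class exposes optional hooks, and a class
 * that implements none of them must not be called through. All names,
 * the "service:class" description format and the error codes are
 * assumptions of this model; only the hook names follow the commit message.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef ENOPKG
#define ENOPKG 65               /* assumed value for non-Linux libcs */
#endif

struct security_class;

struct key_prep {
    const char *description;          /* user-controlled, e.g. "1:2" */
    const void *data;                 /* user-controlled key blob */
    size_t datalen;
    void *payload;                    /* owned by the security class */
    const struct security_class *sec; /* resolved class; hooks may be NULL */
};

/* The three hooks the commit message says rxrpc_no_security leaves unset. */
struct security_class {
    unsigned int index;
    const char *name;
    int  (*preparse_server_key)(struct key_prep *prep);
    void (*free_preparse_server_key)(struct key_prep *prep);
    void (*destroy_server_key)(struct key_prep *prep);
};

/* Stand-in for a class that does implement the hooks. */
static int demo_preparse(struct key_prep *prep)
{
    if (prep->datalen != 8)           /* constructed rule: 8-byte key blob */
        return -EINVAL;
    prep->payload = malloc(prep->datalen);
    if (!prep->payload)
        return -ENOMEM;
    memcpy(prep->payload, prep->data, prep->datalen);
    return 0;
}

static void demo_free(struct key_prep *prep)
{
    free(prep->payload);
    prep->payload = NULL;
}

static const struct security_class classes[] = {
    { 0, "no_security", NULL, NULL, NULL },       /* implements nothing */
    { 2, "demo_class", demo_preparse, demo_free, demo_free },
};

static const struct security_class *security_lookup(unsigned int index)
{
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        if (classes[i].index == index)
            return &classes[i];
    return NULL;
}

/* Parse "service:class" and reject trailing bytes. */
static int parse_description(const char *desc, unsigned int *service,
                             unsigned int *sec_class)
{
    int n = 0;
    if (!desc || sscanf(desc, "%u:%u%n", service, sec_class, &n) != 2 ||
        desc[n] != '\0')
        return -EINVAL;
    return 0;
}

/* Unpatched shape: assumes every class implements the hook. With the
 * description "1:0" this jumps through a NULL pointer (RIP: 0x0). */
static int preparse_s_unchecked(struct key_prep *prep)
{
    unsigned int service, sec_class;
    int ret = parse_description(prep->description, &service, &sec_class);
    if (ret)
        return ret;
    prep->sec = security_lookup(sec_class);
    if (!prep->sec)
        return -ENOPKG;
    return prep->sec->preparse_server_key(prep);
}

/* Guarded shape: the hook is optional, so its absence is a clean error. */
static int preparse_s_checked(struct key_prep *prep)
{
    unsigned int service, sec_class;
    int ret = parse_description(prep->description, &service, &sec_class);
    if (ret)
        return ret;
    prep->sec = security_lookup(sec_class);
    if (!prep->sec)
        return -ENOPKG;
    if (!prep->sec->preparse_server_key)
        return -EINVAL;
    return prep->sec->preparse_server_key(prep);
}

/* The same guard on the teardown hooks, which the commit message lists
 * as equally unimplemented for the no-security class. */
static void free_preparse_s_checked(struct key_prep *prep)
{
    if (prep->sec && prep->sec->free_preparse_server_key)
        prep->sec->free_preparse_server_key(prep);
}

static void destroy_s_checked(struct key_prep *prep)
{
    if (prep->sec && prep->sec->destroy_server_key)
        prep->sec->destroy_server_key(prep);
}

int main(void)
{
    static const unsigned char blob[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct key_prep prep = { "1:0", blob, sizeof(blob), NULL, NULL };

    printf("class 0: preparse -> %d\n", preparse_s_checked(&prep));
    free_preparse_s_checked(&prep);   /* safe: hook is NULL, not called */

    prep.description = "1:2";
    printf("class 2: preparse -> %d\n", preparse_s_checked(&prep));
    destroy_s_checked(&prep);
    return 0;
}
```

The point of keeping preparse_s_unchecked next to the guarded version is the lookup: it succeeds for class 0, so a NULL-check on the class pointer alone is not enough; each hook has to be checked at its own call site, on the teardown paths as well as on preparse, since add_key reaches the free hook after a failed preparse.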