From: Eric Dumazet
Date: Mon, 30 Oct 2023 16:49:06 +0100
Subject: Re: [PATCH net] dccp: check for ccid in ccid_hc_tx_send_packet
To: Bragatheswaran Manickavel
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, dccp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com

On Mon, Oct 30, 2023 at 4:40 PM Bragatheswaran Manickavel wrote:
>
>
> On 30/10/23 14:29, Eric Dumazet wrote:
> > On Sat, Oct 28, 2023 at 4:41 PM Bragatheswaran Manickavel
> > wrote:
> >> ccid_hc_tx_send_packet might be called with a NULL ccid pointer
> >> leading to a NULL pointer dereference
> >>
> >> Below mentioned commit has similar changes
> >> commit 276bdb82dedb ("dccp: check ccid before dereferencing")
> >>
> >> Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=c71bc336c5061153b502
> >> Signed-off-by: Bragatheswaran Manickavel
> >> --- > >> net/dccp/ccid.h | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h > >> index 105f3734dadb..1015dc2b9392 100644 > >> --- a/net/dccp/ccid.h > >> +++ b/net/dccp/ccid.h
> >> @@ -163,7 +163,7 @@ static inline int ccid_packet_dequeue_eval(const i= nt return_code) > >> static inline int ccid_hc_tx_send_packet(struct ccid *ccid, struct s= ock *sk, > >> struct sk_buff *skb) > >> { > >> - if (ccid->ccid_ops->ccid_hc_tx_send_packet !=3D NULL) > >> + if (ccid !=3D NULL && ccid->ccid_ops->ccid_hc_tx_send_packet != =3D NULL) > >> return ccid->ccid_ops->ccid_hc_tx_send_packet(sk, skb= ); > >> return CCID_PACKET_SEND_AT_ONCE; > >> } > >> -- > >> 2.34.1 > >>
> > If you are willing to fix dccp, I would make sure that some of
> > lockless accesses to dccps_hc_tx_ccid
> > are also double checked and fixed.
> >
> > do_dccp_getsockopt() and dccp_get_info()
> >
> Hi Eric,
>
> In both do_dccp_getsockopt() and dccp_get_info(), dccps_hc_rx_ccid are
> checked properly before access.
>

Not really, because another thread can change the value at the same time.

Adding checks is not solving races.
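
Review bot: In ccid_hc_tx_send_packet(), the new ccid NULL test makes a NULL ccid fall through to "return CCID_PACKET_SEND_AT_ONCE;", the same result as a CCID that has no ccid_hc_tx_send_packet hook, and the commit message does not say why that is the right outcome for a socket with no TX CCID rather than an error return, nor how ccid comes to be NULL on this path. If the pointer can be changed by another thread while this function runs, as the reply above raises for the lockless readers, a NULL test on the argument does not close that window, so the message should state what locking the callers hold. The patch also carries no Fixes: tag identifying the commit that introduced the unchecked dereference.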