Date: Mon, 29 Jan 2024 13:02:39 +0100
From: Pablo Neira Ayuso
To: kovalev@altlinux.org
Cc: Eric Dumazet, laforge@gnumonks.org, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, nickel@altlinux.org, oficerovas@altlinux.org, dutyrok@altlinux.org
Subject: Re: [PATCH 1/1] gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
Message-ID:
References: <20240124101404.161655-1-kovalev@altlinux.org> <20240124101404.161655-2-kovalev@altlinux.org> <1144600e-52f1-4c1a-4854-c53e05af5b45@basealt.ru>
In-Reply-To: <1144600e-52f1-4c1a-4854-c53e05af5b45@basealt.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Wed, Jan 24, 2024 at 02:20:04PM +0300, kovalev@altlinux.org wrote:
> 24.01.2024 13:57, Eric Dumazet wrote:
> > Oh wait, this is a 5.10 kernel ?
>
> Yes, but the bug is reproduced on the latest stable kernels.
>
> > Please generate a stack trace using a recent tree, it is possible the
> > bug has been fixed already.

__netlink_dump_start() is called at the beginning of the dump, which is
grabbing a reference on this module.

Do you have a reproducer?

> See [PATCH 0/1] above, there's a stack for the 6.6.13 kernel at the bottom
> of the message.
>
> [ 523.915255] Call Trace:
> [ 523.915255]  <TASK>
> [ 523.915255]  ? __die+0x1f/0x70
> [ 523.915255]  ? page_fault_oops+0x14d/0x4a0
> [ 523.915255]  ? exc_page_fault+0x7b/0x180
> [ 523.915255]  ? asm_exc_page_fault+0x22/0x30
> [ 523.915255]  ? gtp_genl_dump_pdp+0x82/0x190 [gtp]
> [ 523.915255]  ? gtp_genl_dump_pdp+0x82/0x190 [gtp]
> [ 523.915255]  genl_dumpit+0x2f/0x90
> [ 523.915255]  netlink_dump+0x126/0x320
> [ 523.915255]  __netlink_dump_start+0x1da/0x2a0
> [ 523.915255]  genl_family_rcv_msg_dumpit+0x93/0x100
> [ 523.915255]  ? __pfx_genl_start+0x10/0x10
> [ 523.915255]  ? __pfx_genl_dumpit+0x10/0x10
> [ 523.915255]  ? __pfx_genl_done+0x10/0x10
> [ 523.915255]  genl_rcv_msg+0x112/0x2a0
> [ 523.915255]  ? __pfx_gtp_genl_dump_pdp+0x10/0x10 [gtp]
> [ 523.915255]  ? __pfx_genl_rcv_msg+0x10/0x10
> [ 523.915255]  netlink_rcv_skb+0x54/0x110
> [ 523.915255]  genl_rcv+0x24/0x40
> [ 523.915255]  netlink_unicast+0x19f/0x290
> [ 523.915255]  netlink_sendmsg+0x250/0x4e0
> [ 523.915255]  ____sys_sendmsg+0x376/0x3b0
> [ 523.915255]  ? copy_msghdr_from_user+0x6d/0xb0
> [ 523.915255]  ___sys_sendmsg+0x86/0xe0
> [ 523.915255]  ? do_fault+0x296/0x470
> [ 523.915255]  ? __handle_mm_fault+0x771/0xda0
> [ 523.915255]  __sys_sendmsg+0x57/0xb0
> [ 523.915255]  do_syscall_64+0x59/0x90
> [ 523.915255]  ? ct_kernel_exit.isra.0+0x71/0x90
> [ 523.915255]  ? __ct_user_enter+0x5a/0xd0
> [ 523.915255]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> [ 523.915255] RIP: 0033:0x7f2bcb93cd49
>
> --
> Regards,
> Vasiliy Kovalev
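The call trace quoted above is the kind of evidence the thread is arguing over: which frame was actually executing when the page fault hit, which frames are unwinder guesses (the ones printed with a leading `?`), and which module they belong to. The following parser is an added triage example, not code from the gtp driver, the netlink core or anyone in this thread. It splits an x86 "Call Trace:" block into frames, treats the frame directly below the `asm_exc_*` entry stub as the faulting one, and lists the modules involved; the sample trace is abridged from the one quoted in the message and is embedded here as constructed input.

```python
"""Parse a Linux x86 oops "Call Trace:" block and pick out the faulting frame.

Added triage example; not code from the gtp driver or the thread above.
The sample trace is abridged from the 6.6.13 trace quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abridged from the trace quoted in the thread.
SAMPLE_TRACE = """\
[ 523.915255] Call Trace:
[ 523.915255]  <TASK>
[ 523.915255]  ? __die+0x1f/0x70
[ 523.915255]  ? page_fault_oops+0x14d/0x4a0
[ 523.915255]  ? exc_page_fault+0x7b/0x180
[ 523.915255]  ? asm_exc_page_fault+0x22/0x30
[ 523.915255]  ? gtp_genl_dump_pdp+0x82/0x190 [gtp]
[ 523.915255]  ? gtp_genl_dump_pdp+0x82/0x190 [gtp]
[ 523.915255]  genl_dumpit+0x2f/0x90
[ 523.915255]  netlink_dump+0x126/0x320
[ 523.915255]  __netlink_dump_start+0x1da/0x2a0
[ 523.915255]  genl_family_rcv_msg_dumpit+0x93/0x100
[ 523.915255]  ? __pfx_genl_start+0x10/0x10
[ 523.915255]  genl_rcv_msg+0x112/0x2a0
[ 523.915255]  netlink_rcv_skb+0x54/0x110
[ 523.915255]  genl_rcv+0x24/0x40
[ 523.915255]  netlink_unicast+0x19f/0x290
[ 523.915255]  netlink_sendmsg+0x250/0x4e0
[ 523.915255]  ____sys_sendmsg+0x376/0x3b0
[ 523.915255]  __sys_sendmsg+0x57/0xb0
[ 523.915255]  do_syscall_64+0x59/0x90
[ 523.915255]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 523.915255] RIP: 0033:0x7f2bcb93cd49
"""

# One frame line: "[ts]  [? ]symbol+0xoff/0xsize [module]"
FRAME_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+"      # dmesg timestamp
    r"(?P<unreliable>\?\s+)?"           # '?' = found on the stack, may be stale
    r"(?P<sym>[A-Za-z_.$][\w.$]*)"      # symbol name
    r"\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>[^\]]+)\])?\s*$"  # optional [module] tag
)
# Stack-section markers such as <TASK> / </TASK> / <IRQ> are not frames.
MARKER_RE = re.compile(r"^\[\s*\d+\.\d+\]\s+</?(TASK|IRQ|NMI)>\s*$")


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    module: Optional[str]   # None for built-in (vmlinux) symbols
    reliable: bool          # False when printed with a leading '?'


def parse_call_trace(text: str) -> List[Frame]:
    """Return the frames listed after 'Call Trace:', innermost first."""
    frames: List[Frame] = []
    in_trace = False
    for line in text.splitlines():
        if not in_trace:
            in_trace = line.rstrip().endswith("Call Trace:")
            continue
        if MARKER_RE.match(line):
            continue
        m = FRAME_RE.match(line)
        if m is None:
            break  # "RIP:", a register dump or other text ends the trace
        frames.append(Frame(
            symbol=m["sym"],
            offset=int(m["off"], 16),
            size=int(m["size"], 16),
            module=m["mod"],
            reliable=m["unreliable"] is None,
        ))
    return frames


def faulting_frame(frames: List[Frame]) -> Optional[Frame]:
    """The frame that was executing when the exception fired: the one
    directly below the asm_exc_* entry stub. Falls back to the first
    module-tagged frame when no entry stub is present."""
    for i, f in enumerate(frames):
        if f.symbol.startswith("asm_exc_") and i + 1 < len(frames):
            return frames[i + 1]
    return next((f for f in frames if f.module), None)


def modules_in_trace(frames: List[Frame]) -> List[str]:
    """Modules named in the trace, in first-seen order."""
    seen: List[str] = []
    for f in frames:
        if f.module and f.module not in seen:
            seen.append(f.module)
    return seen


def reliable_path(frames: List[Frame]) -> List[str]:
    """Symbols the unwinder is confident about, innermost first."""
    return [f.symbol for f in frames if f.reliable]


if __name__ == "__main__":
    fr = parse_call_trace(SAMPLE_TRACE)
    hit = faulting_frame(fr)
    print("frames:", len(fr), "modules:", modules_in_trace(fr))
    if hit:
        print(f"faulted in {hit.symbol}+{hit.offset:#x}/{hit.size:#x} [{hit.module}]")
    print("reliable call path:", " <- ".join(reliable_path(fr)))
```

On the sample this reports the fault inside `gtp_genl_dump_pdp` in module `gtp`, reached through the reliable path `genl_dumpit <- netlink_dump <- __netlink_dump_start <- ...`, which is the chain the reply above points at when it notes that `__netlink_dump_start()` takes the module reference before the dump callback runs.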