Received: by 2002:a05:7412:2a91:b0:fc:a2b0:25d7 with SMTP id u17csp729427rdh;
        Wed, 14 Feb 2024 09:33:44 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCUaJMsUzF3YmA5zZuvcElElvT2RacrmyNbnHpM904oqpR/bpxYIlaJTJAKsevtVyXFakpN8jFvFv+nyGgDX6UP3xgZV6rNThT+zNUGydg==
X-Google-Smtp-Source: AGHT+IEuvRb95qwMvvvKsUWEkX3g3hb9o3EsJIvIh5OMzFyDYOIz8mkUV4JVA+yY3TgoQu1D0X8i
X-Received: by 2002:a17:90b:297:b0:298:b9fc:323a with SMTP id az23-20020a17090b029700b00298b9fc323amr3397050pjb.23.1707932023777;
        Wed, 14 Feb 2024 09:33:43 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707932023; cv=pass;
        d=google.com; s=arc-20160816;
        b=pkDVlxJAcTwAwYJvKaYNQz6TQ+dop98WKUa1HK57j+XoUY40/De4kGxn09sO4Vihr4
         00cIRw4LojQBH5d3a9RDWjz1ae4EKBJcXc1vqzi3rUgR1dBt+NoJyOe03uPkj5fxaLEU
         aYIdj2j8zZ4/M/KNvt3DjgL0q4iDywx1EcO3oC3nI1x3PY3MKBGHe5dFQWSPHvF8+S9u
         E47mqTxQENWy0MA1Q3uDBF/3BivaqMUSiojIwLRCpUvUYpKpb5k2TMQTG8VRG33XxasY
         h2kt2I4TjFg8XNT8dMblrHaS/r1zntASV5y6lWN0cCOziFpApW/coA7rMmddCN7w1BS4
         YFog==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id;
        bh=40ffEjjE7ntfjHf6yL9N0T5SyNSDoXq83Mbo8HcobMk=;
        fh=uGlJvPqudnJTNMj57QbvuEBOckHYvEw6gIhYkxPiigw=;
        b=pTvgE+mnF1/ViSnwjLG8n4vPJCzPNmDbDLpQjJ6Dw4BrSOZVEXNf0oidkSw/oY/KLb
         1J5z10KDBxfk+QH5D2EbSsrqXy14oIP793OdILRN65ofJEBTbRIqrFW76Ne5XWFgCX+x
         VFRG3a2bdnHv2epo6U2jWky1rjWP2TmPlhdvfGaOIxzoZR4rOPAjlqwjUcrTmxSzn7Zt
         ZqcnoDNy4HMD6+L3T+rB0nM5tWVLdfQIqfD65k+mJ7TK996ijrpMPoifMMataXVplmFd
         kCvnnJdUDfrv5oNlPCfkUsCbwxvSl3BJkvx2H/Xna9Eafhn8/h37UYPl8vYz14IM+9rM
         lHVw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=altlinux.org);
       spf=pass (google.com: domain of linux-kernel+bounces-65615-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65615-linux.lists.archive=gmail.com@vger.kernel.org"
X-Forwarded-Encrypted: i=2; AJvYcCVUWbqt9Vmi5Z97kTG3R70qrgwgTN7l4yJMqCRVTmw4i6J0CNZqRONghgISB1fLb4TVJxARj2W9WDHyKNlKLL8p8CY3Pt9MPY/iPbBMbA==
Return-Path: <linux-kernel+bounces-65615-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id mf5-20020a17090b184500b002972e2132eesi1522528pjb.64.2024.02.14.09.33.43
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 14 Feb 2024 09:33:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-65615-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=altlinux.org);
       spf=pass (google.com: domain of linux-kernel+bounces-65615-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65615-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id B08A6B2B485
	for <linux.lists.archive@gmail.com>; Wed, 14 Feb 2024 17:06:33 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1CFEB60BB7;
	Wed, 14 Feb 2024 17:06:21 +0000 (UTC)
Received: from air.basealt.ru (air.basealt.ru [194.107.17.39])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F78E6024D;
	Wed, 14 Feb 2024 17:06:17 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=194.107.17.39
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1707930380; cv=none; b=aF6JHpTNo7j8Km6AjQHtAYGZ7SK9nxeQO+zZsomDDfBsX4N/xho2MuwZ/g+H2dLrx4j6F6clHOUaOzxsnlWcdXAYqaaoDk5i3ycmiKockQCJoC/d8o917uGj5QD3QRcwU20oSMEKo2DqlkTcedfuCFQqd6jZDWxFQvSGs2I8LTs=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1707930380; c=relaxed/simple;
	bh=crPfgZH3l8kcl+ACAoGhNiyQVwUurz54bo32xrk+ATU=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=WZQoaTWaqjsToHbRT4G1c3eM0IddBpJh/AFGW2KZ+2MtGw7JASz8uhQiVUa9caGa1NhVBcja1MqO6kdVa0MIZabD+cKtBRqBnIXbvqvwiqQ7f3Rp/EqNdesqI4ncMIfw6GfUEQGmdxK4tDxtPzFfjmbP5vi2+ejC+qiAqDjrb94=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=altlinux.org; spf=pass smtp.mailfrom=altlinux.org; arc=none smtp.client-ip=194.107.17.39
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=altlinux.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=altlinux.org
Received: by air.basealt.ru (Postfix, from userid 490)
	id B0E0D2F20258; Wed, 14 Feb 2024 17:06:15 +0000 (UTC)
X-Spam-Level: 
Received: from [192.168.0.103] (unknown [178.76.204.78])
	by air.basealt.ru (Postfix) with ESMTPSA id D805B2F20241;
	Wed, 14 Feb 2024 17:06:12 +0000 (UTC)
Message-ID: <a4463193-fd73-eca3-616b-d75176d947c6@basealt.ru>
Date: Wed, 14 Feb 2024 20:06:12 +0300
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.11.0
Subject: Re: [PATCH ver.2] gtp: fix use-after-free and null-ptr-deref in
 gtp_genl_dump_pdp()
Content-Language: en-US
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
 edumazet@google.com, laforge@gnumonks.org, davem@davemloft.net,
 kuba@kernel.org, pabeni@redhat.com, nickel@altlinux.org,
 oficerovas@altlinux.org, dutyrok@altlinux.org, stable@vger.kernel.org
References: <20240214162733.34214-1-kovalev@altlinux.org>
 <ZczvJKETNyFE5Glm@calendula>
From: kovalev@altlinux.org
In-Reply-To: <ZczvJKETNyFE5Glm@calendula>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

14.02.2024 19:49, Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2024 at 07:27:33PM +0300, kovalev@altlinux.org wrote:
>> From: Vasiliy Kovalev <kovalev@altlinux.org>
>>
>> The gtp_net_ops pernet operations structure for the subsystem must be
>> registered before registering the generic netlink family.
> Thanks for finding a remedy for this.
>
> If your fix is correct, (I didn't test your patch yet) then maybe this
> needs to be fixed in a few more spots in the tree?
>
> net/devlink/core.c-static int __init devlink_init(void)
> net/devlink/core.c-{
> net/devlink/core.c-     int err;
> net/devlink/core.c-
> net/devlink/core.c-     err = genl_register_family(&devlink_nl_family);
> net/devlink/core.c-     if (err)
> net/devlink/core.c-             goto out;
> net/devlink/core.c:     err = register_pernet_subsys(&devlink_pernet_ops);
> net/devlink/core.c-     if (err)
>
> net/handshake/netlink.c-        ret = genl_register_family(&handshake_nl_family);
> net/handshake/netlink.c-        if (ret) {
> net/handshake/netlink.c-                pr_warn("handshake: netlink registration failed (%d)\n", ret);
> net/handshake/netlink.c-                handshake_req_hash_destroy();
> net/handshake/netlink.c-                return ret;
> net/handshake/netlink.c-        }
> net/handshake/netlink.c-
> net/handshake/netlink.c-        /*
> net/handshake/netlink.c-         * ORDER: register_pernet_subsys must be done last.
> net/handshake/netlink.c-         *
> net/handshake/netlink.c-         *      If initialization does not make it past pernet_subsys
> net/handshake/netlink.c-         *      registration, then handshake_net_id will remain 0. That
> net/handshake/netlink.c-         *      shunts the handshake consumer API to return ENOTSUPP
> net/handshake/netlink.c-         *      to prevent it from dereferencing something that hasn't
> net/handshake/netlink.c-         *      been allocated.
> net/handshake/netlink.c-         */
> net/handshake/netlink.c:        ret = register_pernet_subsys(&handshake_genl_net_ops);
>
> net/ipv4/tcp_metrics.c: ret = register_pernet_subsys(&tcp_net_metrics_ops);
> net/ipv4/tcp_metrics.c- if (ret < 0)
> net/ipv4/tcp_metrics.c-         panic("Could not register tcp_net_metrics_ops\n");
> net/ipv4/tcp_metrics.c-
> net/ipv4/tcp_metrics.c- ret = genl_register_family(&tcp_metrics_nl_family);
> net/ipv4/tcp_metrics.c- if (ret < 0)
> net/ipv4/tcp_metrics.c-         panic("Could not register tcp_metrics generic netlink\n");
> net/ipv4/tcp_metrics.c-}
>
> net/ipv6/ioam6.c-int __init ioam6_init(void)
> net/ipv6/ioam6.c-{
> net/ipv6/ioam6.c:       int err = register_pernet_subsys(&ioam6_net_ops);
> net/ipv6/ioam6.c-       if (err)
> net/ipv6/ioam6.c-               goto out;
> net/ipv6/ioam6.c-
> net/ipv6/ioam6.c-       err = genl_register_family(&ioam6_genl_family);
> net/ipv6/ioam6.c-       if (err)
> net/ipv6/ioam6.c-               goto out_unregister_pernet_subsys;
>
> net/ipv6/seg6.c-        err = genl_register_family(&seg6_genl_family);
> net/ipv6/seg6.c-        if (err)
> net/ipv6/seg6.c-                goto out;
> net/ipv6/seg6.c-
> net/ipv6/seg6.c:        err = register_pernet_subsys(&ip6_segments_ops);
> net/ipv6/seg6.c-        if (err)
> net/ipv6/seg6.c-                goto out_unregister_genl;
>
> net/netlink/genetlink.c-        err = genl_register_family(&genl_ctrl);
> net/netlink/genetlink.c-        if (err < 0)
> net/netlink/genetlink.c-                goto problem;
> net/netlink/genetlink.c-
> net/netlink/genetlink.c:        err = register_pernet_subsys(&genl_pernet_ops);
> net/netlink/genetlink.c-        if (err)
> net/netlink/genetlink.c-                goto problem;

Most likely, judging by the backtrace, the bug is the same [1]:

Call Trace:
  <TASK>
  genl_dumpit+0x119/0x220 net/netlink/genetlink.c:1025
  netlink_dump+0x588/0xca0 net/netlink/af_netlink.c:2264
  __netlink_dump_start+0x6d0/0x9c0 net/netlink/af_netlink.c:2370
  genl_family_rcv_msg_dumpit+0x1e1/0x2d0 net/netlink/genetlink.c:1074
  genl_family_rcv_msg net/netlink/genetlink.c:1190 [inline]
  genl_rcv_msg+0x470/0x800 net/netlink/genetlink.c:1208
  netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2543
  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1217
  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
  netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
  netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1908
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0xd5/0x180 net/socket.c:745
  ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
  ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
  __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f35d567cda9

[1] https://lore.kernel.org/all/0000000000007549a6060f99544d@google.com/T/


-- 
Regards,
Vasiliy Kovalev