iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 9b1f19d810 dccp: fool proof ccid_hc_[rt]x_parse_options() 
Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing")
it is wise to test for a NULL ccid.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
 dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
 sk_backlog_rcv include/net/sock.h:936 [inline]
 __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
 dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
 ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x76d/0x1930 net/core/dev.c:6412
 __do_softirq+0x30b/0xb11 kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 58a0ba03bea2c376 ]---
RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-01 14:49:10 -08:00
..
6lowpan
6lowpan: convert to DEFINE_SHOW_ATTRIBUTE
2018-12-19 00:28:05 +01:00
9p
9p/net: put a lower bound on msize
2018-12-25 17:07:49 +09:00
802
8021q
net: core: dev: Add extack argument to dev_change_flags()
2018-12-06 13:26:07 -08:00
appletalk
atm
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
ax25
ax25: fix possible use-after-free
2019-01-23 11:18:00 -08:00
batman-adv
Here are some batman-adv bugfixes:
2019-02-01 10:19:26 -08:00
bluetooth
Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
2018-12-27 13:53:32 -08:00
bpf
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
2018-12-10 18:00:43 -08:00
bpfilter
net: bpfilter: change section name of bpfilter UMH blob.
2019-01-16 15:46:46 -08:00
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2019-01-28 10:51:51 -08:00
caif
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
can
can: bcm: check timer values before ktime conversion
2019-01-22 11:33:46 +01:00
ceph
libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
2019-01-21 14:53:12 +01:00
core
net: set default network namespace in init_dummy_netdev()
2019-01-29 11:29:55 -08:00
dcb
dccp
dccp: fool proof ccid_hc_[rt]x_parse_options()
2019-02-01 14:49:10 -08:00
decnet
decnet: fix DN_IFREQ_SIZE
2019-01-27 23:11:55 -08:00
dns_resolver
dns: Allow the dns resolver to retrieve a server set
2018-10-04 09:40:52 -07:00
dsa
net: dsa: ksz: Add STP multicast handling
2018-12-16 14:23:33 -08:00
ethernet
net: ethernet: provide nvmem_get_mac_address()
2018-12-03 15:40:30 -08:00
hsr
ieee802154
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-24 16:19:56 -08:00
ife
ipv4
net: ip_gre: always reports o_key to userspace
2019-01-30 14:00:02 -08:00
ipv6
ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation
2019-01-30 14:06:12 -08:00
iucv
iucv: Remove SKB list assumptions.
2018-11-10 16:55:11 -08:00
kcm
Revert "kcm: remove any offset before parsing messages"
2018-09-17 18:43:42 -07:00
key
af_key: fix indentation on declaration statement
2018-11-15 18:09:32 +01:00
l2tp
l2tp: copy 4 more bytes to linear part if necessary
2019-01-31 08:58:46 -08:00
l3mdev
l3mdev: add function to retreive upper master
2018-12-03 14:15:26 -08:00
lapb
llc
llc: do not use sk_eat_skb()
2018-10-22 19:59:20 -07:00
mac80211
mac80211: ensure that mgmt tx skbs have tailroom for encryption
2019-02-01 11:08:02 +01:00
mac802154
mac802154: Remove VLA usage of skcipher
2018-09-28 12:46:07 +08:00
mpls
net/mpls: Handle kernel side filtering of route dumps
2018-10-16 00:14:07 -07:00
ncsi
net/ncsi: Add NCSI Mellanox OEM command
2018-11-27 16:37:20 -08:00
netfilter
netfilter: nfnetlink_osf: add missing fmatch check
2019-01-28 11:09:11 +01:00
netlabel
netlabel: check for IPV4MASK in addrinfo_get
2018-09-21 18:58:34 -07:00
netlink
net: netlink: rename NETLINK_DUMP_STRICT_CHK -> NETLINK_GET_STRICT_CHK
2018-12-14 11:44:31 -08:00
netrom
netrom: switch to sock timer API
2019-01-27 10:38:04 -08:00
nfc
net: Revert recent Spectre-v1 patches.
2018-12-23 16:01:35 -08:00
nsh
openvswitch
openvswitch: Avoid OOB read when parsing flow nlattrs
2019-01-16 13:35:21 -08:00
packet
af_packet: fix raw sockets over 6in4 tunnel
2019-01-17 15:54:45 -08:00
phonet
net: Revert recent Spectre-v1 patches.
2018-12-23 16:01:35 -08:00
psample
qrtr
rds
rds: fix refcount bug in rds_sock_addref
2019-01-31 09:43:27 -08:00
rfkill
rfkill: gpio: Remove unused include
2018-12-18 13:13:56 +01:00
rose
net/rose: fix NULL ax25_cb kernel panic
2019-01-27 10:40:01 -08:00
rxrpc
Revert "rxrpc: Allow failed client calls to be retried"
2019-01-15 21:33:36 -08:00
sched
net/sched: cls_flower: allocate mask dynamically in fl_change()
2019-01-17 14:40:59 -08:00
sctp
sctp: walk the list of asoc safely
2019-02-01 10:41:46 -08:00
smc
net/smc: fix use of variable in cleared area
2019-02-01 14:45:45 -08:00
strparser
bpf, sockmap: convert to generic sk_msg interface
2018-10-15 12:23:19 -07:00
sunrpc
SUNRPC: Address Kerberos performance/behavior regression
2019-01-15 15:36:41 -05:00
switchdev
net: switchdev: Add extack to switchdev_handle_port_obj_add() callback
2018-12-12 16:34:22 -08:00
tipc
tipc: fix uninit-value in tipc_nl_compat_doit
2019-01-15 20:29:21 -08:00
tls
net: tls: Fix deadlock in free_resources tx
2019-01-28 23:07:08 -08:00
unix
Revert "net: simplify sock_poll_wait"
2018-10-23 10:57:06 -07:00
vmw_vsock
VSOCK: Send reset control packet when socket is partially bound
2018-12-18 11:53:42 -08:00
wimax
wireless
cfg80211: call disconnect_wk when AP stops
2019-02-01 11:12:50 +01:00
x25
net/x25: handle call collisions
2018-11-29 14:25:36 -08:00
xdp
xsk: Check if a queue exists during umem setup
2019-01-15 20:51:57 +01:00
xfrm
xfrm: Make set-mark default behavior backward compatible
2019-01-16 13:10:55 +01:00
compat.c
Remove 'type' argument from access_ok() function
2019-01-03 18:57:57 -08:00
Kconfig
net: convert bridge_nf to use skb extension infrastructure
2018-12-19 11:21:37 -08:00
Makefile
socket.c
net: socket: make bond ioctls go through compat_ifreq_ioctl()
2019-01-30 10:19:31 -08:00
sysctl_net.c