diff mbox

[v3] netlink: fix null pointer dereference on nlk->groups

Message ID 1452597043-4298-1-git-send-email-sploving1@gmail.com
State Rejected, archived
Delegated to: David Miller
Headers show

Commit Message

Baozeng Ding Jan. 12, 2016, 11:10 a.m. UTC 
If groups is not 0 and nlk->groups is NULL, it will not return
immediately and cause a null pointer dereference later.

Signed-off-by: Baozeng Ding <sploving1@gmail.com>
---
The v3 version adds WARN_ON, suggested by David Miller. Thanks for
David's feedback.
---
 net/netlink/af_netlink.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Denis Kirjanov Jan. 12, 2016, 11:15 a.m. UTC | #1 
On 1/12/16, Baozeng Ding <sploving1@gmail.com> wrote:
> If groups is not 0 and nlk->groups is NULL, it will not return
> immediately and cause a null pointer dereference later.
>
> Signed-off-by: Baozeng Ding <sploving1@gmail.com>
> ---
> The v3 version adds WARN_ON, suggested by David Miller. Thanks for
> David's feedback.

But can you explain how can we get to this situation?

> ---
>  net/netlink/af_netlink.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 59651af..f93d579 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -1576,7 +1576,10 @@ static int netlink_bind(struct socket *sock, struct
> sockaddr *addr,
>  		}
>  	}
>
> -	if (!groups && (nlk->groups == NULL || !(u32)nlk->groups[0]))
> +	if (WARN_ON(!nlk->groups))
> +		return 0;
> +
> +	if (!groups && !(u32)nlk->groups[0])
>  		return 0;
>
>  	netlink_table_grab();
> --
> 1.9.1
>
>
Herbert Xu Jan. 12, 2016, noon UTC | #2 
Denis Kirjanov <kda@linux-powerpc.org> wrote:
> On 1/12/16, Baozeng Ding <sploving1@gmail.com> wrote:
>> If groups is not 0 and nlk->groups is NULL, it will not return
>> immediately and cause a null pointer dereference later.
>>
>> Signed-off-by: Baozeng Ding <sploving1@gmail.com>
>> ---
>> The v3 version adds WARN_ON, suggested by David Miller. Thanks for
>> David's feedback.
> 
> But can you explain how can we get to this situation?

Indeed, this patch makes no sense as it stands.  If groups is
not NULL, then we should have allocated nlk->groups prior to
reaching this point.  If that allocation failed, then we should
have already bailed out long ago.  Perhaps we have a race condition
that needs to be closed with a lock?

Cheers,
David Miller Jan. 12, 2016, 7:40 p.m. UTC | #3 
From: Baozeng Ding <sploving1@gmail.com>
Date: Tue, 12 Jan 2016 19:10:43 +0800

> If groups is not 0 and nlk->groups is NULL, it will not return
> immediately and cause a null pointer dereference later.
> 
> Signed-off-by: Baozeng Ding <sploving1@gmail.com>
> ---
> The v3 version adds WARN_ON, suggested by David Miller. Thanks for
> David's feedback.

My feedback was also that the situation is illegal, and therefore you
have to explain to us how this can actually occur.
diff mbox

Patch

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 59651af..f93d579 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1576,7 +1576,10 @@  static int netlink_bind(struct socket *sock, struct sockaddr *addr,
 		}
 	}
 
-	if (!groups && (nlk->groups == NULL || !(u32)nlk->groups[0]))
+	if (WARN_ON(!nlk->groups))
+		return 0;
+
+	if (!groups && !(u32)nlk->groups[0])
 		return 0;
 
 	netlink_table_grab();