| Message ID | 20190118124002.20931-2-juergh@canonical.com |
|---|---|
| State | New |
| Series | Crash on "ip link add foo type ipip" (LP: #1811803) |
On 18/01/2019 12:40, Juerg Haefliger wrote: > BugLink: https://bugs.launchpad.net/bugs/1811803 > > Fix a NULL pointer dereference in fan code that can easily be triggered > by running: > $ sudo ip link add foo type ipip > > Which leads to: > [ 1.330067] BUG: unable to handle kernel NULL pointer dereference at 0000000000000108 > [ 1.330792] IP: [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280 > [ 1.331399] PGD 800000003fb94067 PUD 3fb93067 PMD 0 > [ 1.331882] Oops: 0000 [#1] SMP > [ 1.332200] Modules linked in: > [ 1.332492] CPU: 0 PID: 137 Comm: ip Not tainted 4.4.167+ #5 > [ 1.333001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014 > [ 1.333740] task: ffff88003c38a640 ti: ffff88003fb5c000 task.ti: ffff88003fb5c000 > [ 1.334375] RIP: 0010:[<ffffffff817e8132>] [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280 > [ 1.335193] RSP: 0018:ffff88003fb5f778 EFLAGS: 00010246 > [ 1.335671] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 > [ 1.336305] RDX: ffff88003fb5f7f0 RSI: ffff88003fa3f840 RDI: 0000000000000000 > [ 1.336940] RBP: ffff88003fb5f7a0 R08: 000000000000000a R09: 0000000000000092 > [ 1.337587] R10: 0000000000000000 R11: 00000000000001ad R12: ffff88003fa3f000 > [ 1.338267] R13: ffff88003fb5f9d0 R14: ffff88003fa3f840 R15: ffffffff81f4b240 > [ 1.338904] FS: 00007f535979b700(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000 > [ 1.339590] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 1.340066] CR2: 0000000000000108 CR3: 000000003fb60000 CR4: 0000000000000670 > [ 1.340750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 1.341341] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 1.341909] Stack: > [ 1.342080] 0000000000000000 ffff88003fa3f000 ffff88003fb5f9d0 ffff88003fa3f840 > [ 1.342725] ffffffff81f4b240 ffff88003fb5f828 ffffffff817e8515 0000000381356f0e > [ 1.343334] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 > [ 
1.343943] Call Trace: > [ 1.344141] [<ffffffff817e8515>] ipip_newlink+0xa5/0xc0 > [ 1.344553] [<ffffffff81782f5b>] ? __netlink_ns_capable+0x3b/0x40 > [ 1.345029] [<ffffffff817651fd>] rtnl_newlink+0x6fd/0x8b0 > [ 1.345699] [<ffffffff811f92b1>] ? kmem_cache_alloc+0x1a1/0x1f0 > [ 1.346165] [<ffffffff8119abd5>] ? mempool_alloc_slab+0x15/0x20 > [ 1.346630] [<ffffffff81436463>] ? validate_nla+0x93/0x1a0 > [ 1.347060] [<ffffffff81436680>] ? nla_parse+0xa0/0x100 > [ 1.347474] [<ffffffff81436732>] ? nla_strlcpy+0x52/0x60 > [ 1.347891] [<ffffffff81762099>] ? rtnl_link_ops_get+0x39/0x50 > [ 1.348347] [<ffffffff81764c76>] ? rtnl_newlink+0x176/0x8b0 > [ 1.348784] [<ffffffff8176373c>] rtnetlink_rcv_msg+0xec/0x230 > [ 1.349237] [<ffffffff811fce3b>] ? __kmalloc_node_track_caller+0x24b/0x310 > [ 1.349774] [<ffffffff8173e397>] ? __alloc_skb+0x87/0x1d0 > [ 1.350198] [<ffffffff81763650>] ? rtnetlink_rcv+0x30/0x30 > [ 1.350628] [<ffffffff81786da6>] netlink_rcv_skb+0xa6/0xc0 > [ 1.351059] [<ffffffff81763648>] rtnetlink_rcv+0x28/0x30 > [ 1.351476] [<ffffffff81786770>] netlink_unicast+0x190/0x240 > [ 1.351919] [<ffffffff81786b5a>] netlink_sendmsg+0x33a/0x3b0 > [ 1.352363] [<ffffffff813af211>] ? aa_sock_msg_perm+0x61/0x150 > [ 1.352820] [<ffffffff81734bde>] sock_sendmsg+0x3e/0x50 > [ 1.353235] [<ffffffff817356a7>] ___sys_sendmsg+0x287/0x2a0 > [ 1.353672] [<ffffffff8120ed2b>] ? mem_cgroup_try_charge+0x6b/0x1e0 > [ 1.354162] [<ffffffff811cb9ed>] ? handle_mm_fault+0xecd/0x1b80 > [ 1.354625] [<ffffffff81239fc7>] ? 
__alloc_fd+0xc7/0x190 > [ 1.355044] [<ffffffff81736021>] __sys_sendmsg+0x51/0x90 > [ 1.355525] [<ffffffff81736072>] SyS_sendmsg+0x12/0x20 > [ 1.355933] [<ffffffff81866e1b>] entry_SYSCALL_64_fastpath+0x22/0xcb > [ 1.356426] Code: 50 01 00 00 01 eb d3 49 8d 94 24 b8 08 00 00 eb ac e8 83 cf 89 ff 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 9f 08 01 00 00 48 85 db 74 1e 8b 02 85 c0 75 25 44 0f b7 > [ 1.358557] RIP [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280 > [ 1.359086] RSP <ffff88003fb5f778> > [ 1.359359] CR2: 0000000000000108 > [ 1.359637] ---[ end trace 7820fbc7ced5dd6e ]--- > > Signed-off-by: Juerg Haefliger <juergh@canonical.com> > --- > net/ipv4/ipip.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c > index 57b718262147..0ea4d9205e5d 100644 > --- a/net/ipv4/ipip.c > +++ b/net/ipv4/ipip.c > @@ -627,7 +627,7 @@ static int ipip_netlink_fan(struct nlattr *data[], struct ip_tunnel *t, > struct nlattr *attr; > int rem, rv; > > - if (!data[IFLA_IPTUN_FAN_MAP]) > + if (data == NULL || !data[IFLA_IPTUN_FAN_MAP]) > return 0; > > if (parms->iph.daddr) > Always good to check for nulls. Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c index 57b718262147..0ea4d9205e5d 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c @@ -627,7 +627,7 @@ static int ipip_netlink_fan(struct nlattr *data[], struct ip_tunnel *t, struct nlattr *attr; int rem, rv; - if (!data[IFLA_IPTUN_FAN_MAP]) + if (data == NULL || !data[IFLA_IPTUN_FAN_MAP]) return 0; if (parms->iph.daddr)
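Review bot: the added `data == NULL` guard is the right fix for this call path: the reproducer `ip link add foo type ipip` supplies no tunnel attributes, and the oops shows the function entered with its first argument NULL (RDI is 0000000000000000) and faulting on a load at offset 0x108 from it, which is the `data[IFLA_IPTUN_FAN_MAP]` lookup this hunk now guards. Two small points: kernel style usually spells the test `!data` rather than `data == NULL`, matching the `!data[IFLA_IPTUN_FAN_MAP]` beside it, so `if (!data || !data[IFLA_IPTUN_FAN_MAP])` reads more consistently; and a one-line comment above the check noting that `data` is NULL when the link is created with no type-specific attributes, as in the reproducer, would spare the next reader a trip through the oops. Returning 0 here is correct, since a tunnel created without fan options has no map to parse.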
BugLink: https://bugs.launchpad.net/bugs/1811803

Fix a NULL pointer dereference in fan code that can easily be triggered
by running:

  $ sudo ip link add foo type ipip

Which leads to:

[ 1.330067] BUG: unable to handle kernel NULL pointer dereference at 0000000000000108
[ 1.330792] IP: [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
[ 1.331399] PGD 800000003fb94067 PUD 3fb93067 PMD 0
[ 1.331882] Oops: 0000 [#1] SMP
[ 1.332200] Modules linked in:
[ 1.332492] CPU: 0 PID: 137 Comm: ip Not tainted 4.4.167+ #5
[ 1.333001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
[ 1.333740] task: ffff88003c38a640 ti: ffff88003fb5c000 task.ti: ffff88003fb5c000
[ 1.334375] RIP: 0010:[<ffffffff817e8132>] [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
[ 1.335193] RSP: 0018:ffff88003fb5f778 EFLAGS: 00010246
[ 1.335671] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1.336305] RDX: ffff88003fb5f7f0 RSI: ffff88003fa3f840 RDI: 0000000000000000
[ 1.336940] RBP: ffff88003fb5f7a0 R08: 000000000000000a R09: 0000000000000092
[ 1.337587] R10: 0000000000000000 R11: 00000000000001ad R12: ffff88003fa3f000
[ 1.338267] R13: ffff88003fb5f9d0 R14: ffff88003fa3f840 R15: ffffffff81f4b240
[ 1.338904] FS: 00007f535979b700(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
[ 1.339590] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.340066] CR2: 0000000000000108 CR3: 000000003fb60000 CR4: 0000000000000670
[ 1.340750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.341341] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1.341909] Stack:
[ 1.342080] 0000000000000000 ffff88003fa3f000 ffff88003fb5f9d0 ffff88003fa3f840
[ 1.342725] ffffffff81f4b240 ffff88003fb5f828 ffffffff817e8515 0000000381356f0e
[ 1.343334] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 1.343943] Call Trace:
[ 1.344141] [<ffffffff817e8515>] ipip_newlink+0xa5/0xc0
[ 1.344553] [<ffffffff81782f5b>] ? __netlink_ns_capable+0x3b/0x40
[ 1.345029] [<ffffffff817651fd>] rtnl_newlink+0x6fd/0x8b0
[ 1.345699] [<ffffffff811f92b1>] ? kmem_cache_alloc+0x1a1/0x1f0
[ 1.346165] [<ffffffff8119abd5>] ? mempool_alloc_slab+0x15/0x20
[ 1.346630] [<ffffffff81436463>] ? validate_nla+0x93/0x1a0
[ 1.347060] [<ffffffff81436680>] ? nla_parse+0xa0/0x100
[ 1.347474] [<ffffffff81436732>] ? nla_strlcpy+0x52/0x60
[ 1.347891] [<ffffffff81762099>] ? rtnl_link_ops_get+0x39/0x50
[ 1.348347] [<ffffffff81764c76>] ? rtnl_newlink+0x176/0x8b0
[ 1.348784] [<ffffffff8176373c>] rtnetlink_rcv_msg+0xec/0x230
[ 1.349237] [<ffffffff811fce3b>] ? __kmalloc_node_track_caller+0x24b/0x310
[ 1.349774] [<ffffffff8173e397>] ? __alloc_skb+0x87/0x1d0
[ 1.350198] [<ffffffff81763650>] ? rtnetlink_rcv+0x30/0x30
[ 1.350628] [<ffffffff81786da6>] netlink_rcv_skb+0xa6/0xc0
[ 1.351059] [<ffffffff81763648>] rtnetlink_rcv+0x28/0x30
[ 1.351476] [<ffffffff81786770>] netlink_unicast+0x190/0x240
[ 1.351919] [<ffffffff81786b5a>] netlink_sendmsg+0x33a/0x3b0
[ 1.352363] [<ffffffff813af211>] ? aa_sock_msg_perm+0x61/0x150
[ 1.352820] [<ffffffff81734bde>] sock_sendmsg+0x3e/0x50
[ 1.353235] [<ffffffff817356a7>] ___sys_sendmsg+0x287/0x2a0
[ 1.353672] [<ffffffff8120ed2b>] ? mem_cgroup_try_charge+0x6b/0x1e0
[ 1.354162] [<ffffffff811cb9ed>] ? handle_mm_fault+0xecd/0x1b80
[ 1.354625] [<ffffffff81239fc7>] ? __alloc_fd+0xc7/0x190
[ 1.355044] [<ffffffff81736021>] __sys_sendmsg+0x51/0x90
[ 1.355525] [<ffffffff81736072>] SyS_sendmsg+0x12/0x20
[ 1.355933] [<ffffffff81866e1b>] entry_SYSCALL_64_fastpath+0x22/0xcb
[ 1.356426] Code: 50 01 00 00 01 eb d3 49 8d 94 24 b8 08 00 00 eb ac e8 83 cf 89 ff 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 9f 08 01 00 00 48 85 db 74 1e 8b 02 85 c0 75 25 44 0f b7
[ 1.358557] RIP [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
[ 1.359086] RSP <ffff88003fb5f778>
[ 1.359359] CR2: 0000000000000108
[ 1.359637] ---[ end trace 7820fbc7ced5dd6e ]---

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---
net/ipv4/ipip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
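The commit message shows the oops but leaves the reader to connect the faulting address to the code. As an added triage example, not part of this patch or of the kernel tree, the script below parses an abridged copy of the oops quoted above, decodes the instruction marked `<..>` on the `Code:` line, and ties the faulting address back to a NULL base register, its argument position under the x86-64 SysV calling convention, and the element index if the base is an array of pointers. The oops lines are taken from this page; the decoder is deliberately limited to the one encoding that occurs here (`REX.W 8B /r` with a 32-bit displacement), and the pointer size and argument-register table are assumptions about the target being x86-64.

```python
import re

# Oops text taken (abridged) from the commit message on this page; the
# register dump and Code: line are what the triage below relies on.
OOPS = """\
[ 1.330067] BUG: unable to handle kernel NULL pointer dereference at 0000000000000108
[ 1.330792] IP: [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
[ 1.334375] RIP: 0010:[<ffffffff817e8132>] [<ffffffff817e8132>] ipip_netlink_fan.isra.7+0x12/0x280
[ 1.335193] RSP: 0018:ffff88003fb5f778 EFLAGS: 00010246
[ 1.335671] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1.336305] RDX: ffff88003fb5f7f0 RSI: ffff88003fa3f840 RDI: 0000000000000000
[ 1.343943] Call Trace:
[ 1.344141] [<ffffffff817e8515>] ipip_newlink+0xa5/0xc0
[ 1.344553] [<ffffffff81782f5b>] ? __netlink_ns_capable+0x3b/0x40
[ 1.345029] [<ffffffff817651fd>] rtnl_newlink+0x6fd/0x8b0
[ 1.348784] [<ffffffff8176373c>] rtnetlink_rcv_msg+0xec/0x230
[ 1.356426] Code: 50 01 00 00 01 eb d3 49 8d 94 24 b8 08 00 00 eb ac e8 83 cf 89 ff 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 9f 08 01 00 00 48 85 db 74 1e 8b 02 85 c0 75 25 44 0f b7
[ 1.359359] CR2: 0000000000000108
"""

# x86-64 assumptions: register names in ModRM/REX encoding order, the SysV
# integer argument registers (first argument in rdi), and 8-byte pointers.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]
PTR_SIZE = 8

REG_RE = re.compile(r"\b(R(?:AX|BX|CX|DX|SI|DI|BP|SP|8|9|1[0-5])):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})")
SYM_RE = re.compile(r"RIP:.*?\]\s+([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")


def parse_registers(oops):
    """Return {register name: value} from the RAX ... R15 dump lines."""
    return {name.lower(): int(val, 16) for name, val in REG_RE.findall(oops)}


def decode_faulting_load(code_line):
    """Decode the instruction marked <..> on the Code: line.

    Only the encoding seen in this oops is handled: REX.W 8B /r with mod=10,
    i.e. 'mov r64, [base + disp32]'.  Anything else returns None.
    """
    toks = code_line.split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    b = [int(t.strip("<>"), 16) for t in toks[start:start + 7]]
    if len(b) < 7 or (b[0] & 0xF8) != 0x48 or b[1] != 0x8B or (b[2] >> 6) != 0b10:
        return None
    if (b[2] & 7) == 4:          # rm=100 means a SIB byte follows; not handled
        return None
    rex = b[0]
    reg = ((b[2] >> 3) & 7) | ((rex & 4) << 1)   # REX.R extends the reg field
    rm = (b[2] & 7) | ((rex & 1) << 3)          # REX.B extends the r/m field
    disp = int.from_bytes(bytes(b[3:7]), "little", signed=True)
    return {"dst": REG64[reg], "base": REG64[rm], "disp": disp}


def trace_frames(oops):
    """Reliable (non-'?') frames between 'Call Trace:' and 'Code:'."""
    section = oops.split("Call Trace:", 1)[1].split("Code:", 1)[0]
    return re.findall(r"\]\s+(?!\?)([\w.]+)\+0x", section)


def triage(oops):
    """Tie the faulting address back to a NULL base register plus offset."""
    regs = parse_registers(oops)
    addr = int(re.search(r"dereference at ([0-9a-f]+)", oops).group(1), 16)
    sym = SYM_RE.search(oops)
    code = re.search(r"Code: (.*)", oops).group(1)
    load = decode_faulting_load(code)
    result = {"symbol": sym.group(1) if sym else None, "fault_addr": addr,
              "null_base": None, "offset": None,
              "index_if_ptr_array": None, "arg_index": None}
    if load and regs.get(load["base"]) == 0 and load["disp"] == addr:
        base = load["base"]
        result.update(
            null_base=base,
            offset=load["disp"],
            # A small offset from NULL is a field or element of the NULL
            # object; for an array of pointers it is the element index.
            index_if_ptr_array=load["disp"] // PTR_SIZE,
            arg_index=ARG_REGS.index(base) if base in ARG_REGS else None,
        )
    return result


if __name__ == "__main__":
    r = triage(OOPS)
    print(f"{r['symbol']}: fault at {r['fault_addr']:#x} = "
          f"{r['null_base']} (arg {r['arg_index']}) + {r['offset']:#x}")
    print("pointer-array index:", r["index_if_ptr_array"])
    print("call path:", " <- ".join(trace_frames(OOPS)))
```

Run against the oops on this page it reports that `ipip_netlink_fan.isra.7` faulted on `mov rbx, [rdi+0x108]` with rdi (the first argument, `data` in the signature shown in the hunk) equal to zero, and that 0x108 is element 33 of a pointer array, which matches the `data[IFLA_IPTUN_FAN_MAP]` access the patch guards if that enum value is 33 in this tree (the page does not show the definition). The `.isra.7` suffix is a GCC clone, so the argument order is an inference from the decoded base register rather than from the symbol alone.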