[net,0/2] vsock: null-ptr-deref when SO_LINGER enabled

Message ID	20250204-vsock-linger-nullderef-v1-0-6eb1760fa93e@rbox.co (mailing list archive)
Headers	show Received: from mailtransmit05.runbox.com (mailtransmit05.runbox.com [185.226.149.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9A0A0288DA for <netdev@vger.kernel.org>; Tue, 4 Feb 2025 00:30:43 +0000 (UTC) From: Michal Luczaj <mhal@rbox.co> Subject: [PATCH net 0/2] vsock: null-ptr-deref when SO_LINGER enabled Date: Tue, 04 Feb 2025 01:29:51 +0100 Message-Id: <20250204-vsock-linger-nullderef-v1-0-6eb1760fa93e@rbox.co> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: Stefano Garzarella <sgarzare@redhat.com>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org> Cc: netdev@vger.kernel.org, Michal Luczaj <mhal@rbox.co>, syzbot+9d55b199192a4be7d02c@syzkaller.appspotmail.com
Series	vsock: null-ptr-deref when SO_LINGER enabled \| expand [net,0/2] vsock: null-ptr-deref when SO_LINGER enabled [net,1/2] vsock: Orphan socket after transport release [net,2/2] vsock/test: Add test for SO_LINGER null ptr deref

Message ID

20250204-vsock-linger-nullderef-v1-0-6eb1760fa93e@rbox.co (mailing list archive)

Headers

From: Michal Luczaj <mhal@rbox.co>
Subject: [PATCH net 0/2] vsock: null-ptr-deref when SO_LINGER enabled
Date: Tue, 04 Feb 2025 01:29:51 +0100
Message-Id: <20250204-vsock-linger-nullderef-v1-0-6eb1760fa93e@rbox.co>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: Stefano Garzarella <sgarzare@redhat.com>,
 "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>,
 Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
 Simon Horman <horms@kernel.org>
Cc: netdev@vger.kernel.org, Michal Luczaj <mhal@rbox.co>,
 syzbot+9d55b199192a4be7d02c@syzkaller.appspotmail.com

Series

vsock: null-ptr-deref when SO_LINGER enabled | expand

Message

Michal Luczaj Feb. 4, 2025, 12:29 a.m. UTC

syzbot pointed out that a recent patching of a use-after-free introduced a
null-ptr-deref. This series fixes the problem and adds a test.

Fixes fcdd2242c023 ("vsock: Keep the binding until socket destruction").

Signed-off-by: Michal Luczaj <mhal@rbox.co>
---
Michal Luczaj (2):
      vsock: Orphan socket after transport release
      vsock/test: Add test for SO_LINGER null ptr deref

 net/vmw_vsock/af_vsock.c         |  3 ++-
 tools/testing/vsock/vsock_test.c | 41 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
---
base-commit: 0e6dc66b5c5fa186a9f96c66421af74212ebcf66
change-id: 20250203-vsock-linger-nullderef-cbe4402ad306

Best regards,

Comments

Luigi Leonardi Feb. 4, 2025, 2:45 p.m. UTC | #1

On Tue, Feb 04, 2025 at 01:29:51AM +0100, Michal Luczaj wrote:
>syzbot pointed out that a recent patching of a use-after-free introduced a
>null-ptr-deref. This series fixes the problem and adds a test.
>
>Fixes fcdd2242c023 ("vsock: Keep the binding until socket destruction").
>
>Signed-off-by: Michal Luczaj <mhal@rbox.co>
>---
>Michal Luczaj (2):
>      vsock: Orphan socket after transport release
>      vsock/test: Add test for SO_LINGER null ptr deref
>
> net/vmw_vsock/af_vsock.c         |  3 ++-
> tools/testing/vsock/vsock_test.c | 41 ++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 43 insertions(+), 1 deletion(-)
>---
>base-commit: 0e6dc66b5c5fa186a9f96c66421af74212ebcf66
>change-id: 20250203-vsock-linger-nullderef-cbe4402ad306
>
>Best regards,
>-- 
>Michal Luczaj <mhal@rbox.co>
>

I ran the vsock test suite and the reproducer with and without the fix 
in place.

Thanks,
Luigi

Tested-by: Luigi Leonardi <leonardi@redhat.com>