| Message ID | 1469004191-30920-1-git-send-email-vegard.nossum@oracle.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
Hi, On 07/20/2016 10:43 AM, Vegard Nossum wrote: > I've observed a NULL pointer dereference in ieee802154_del_iface() during > netlink fuzzing. It's the ->wpan_phy dereference here: > > phy = dev->ieee802154_ptr->wpan_phy; > > My bet is that we're not checking that this is an IEEE802154 interface, > so let's do what ieee802154_nl_get_dev() is doing. (Maybe we should even > be calling this directly?) > > Cc: Lennert Buytenhek <buytenh@wantstofly.org> > Cc: Alexander Aring <alex.aring@gmail.com> > Cc: Marcel Holtmann <marcel@holtmann.org> > Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> > Cc: Sergey Lapin <slapin@ossfans.org> > Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Alexander Aring <aar@pengutronix.de> thanks for letting us known that this bug exists. Unfortunate I don't care much about this code. This code is part of the old UAPI for 802.15.4 subsystems and there are many bugs known. Nevertheless I added my ack here and would like that Marcel apply this patch into his bluetooth tree repository. The new netlink api exists since 3.19 and highly recommended to don't use the old stuff. The ieee802154 never got out the experimental state, there was a patch [0] which globally remove the experimental Kconfig entry, but no maintainer ever said that this branch isn't in experimental state anymore. I will prepare a RFC series to remove all deprecated handling which we have replacements for it, these are: - old netlink api - af_802154 raw sockets, will replaced by AF_PACKET RAW - Alex [0] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/ieee802154/Kconfig?id=f4671a90c418b5aae14b61a9fc9d79c629403ca0 -- To unsubscribe from this list: send the line "unsubscribe linux-wpan" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hello Marcel, could you apply this to bluetooth-next? regards Stefan Schmidt On 23/07/16 14:21, Alexander Aring wrote: > > Hi, > > On 07/20/2016 10:43 AM, Vegard Nossum wrote: >> I've observed a NULL pointer dereference in ieee802154_del_iface() during >> netlink fuzzing. It's the ->wpan_phy dereference here: >> >> phy = dev->ieee802154_ptr->wpan_phy; >> >> My bet is that we're not checking that this is an IEEE802154 interface, >> so let's do what ieee802154_nl_get_dev() is doing. (Maybe we should even >> be calling this directly?) >> >> Cc: Lennert Buytenhek <buytenh@wantstofly.org> >> Cc: Alexander Aring <alex.aring@gmail.com> >> Cc: Marcel Holtmann <marcel@holtmann.org> >> Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> >> Cc: Sergey Lapin <slapin@ossfans.org> >> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> > > Acked-by: Alexander Aring <aar@pengutronix.de> > > thanks for letting us known that this bug exists. > > Unfortunate I don't care much about this code. This code is part of the > old UAPI for 802.15.4 subsystems and there are many bugs known. > > Nevertheless I added my ack here and would like that Marcel apply this > patch into his bluetooth tree repository. > > The new netlink api exists since 3.19 and highly recommended to don't > use the old stuff. The ieee802154 never got out the experimental state, > there was a patch [0] which globally remove the experimental Kconfig > entry, but no maintainer ever said that this branch isn't in > experimental state anymore. > > I will prepare a RFC series to remove all deprecated handling which we > have replacements for it, these are: > > - old netlink api > - af_802154 raw sockets, will replaced by AF_PACKET RAW > > - Alex > > [0] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/ieee802154/Kconfig?id=f4671a90c418b5aae14b61a9fc9d79c629403ca0 > -- > To unsubscribe from this list: send the line "unsubscribe linux-wpan" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-wpan" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c index 77d7301..dc2960b 100644 --- a/net/ieee802154/nl-phy.c +++ b/net/ieee802154/nl-phy.c @@ -286,9 +286,12 @@ int ieee802154_del_iface(struct sk_buff *skb, struct genl_info *info) if (name[nla_len(info->attrs[IEEE802154_ATTR_DEV_NAME]) - 1] != '\0') return -EINVAL; /* name should be null-terminated */ + rc = -ENODEV; dev = dev_get_by_name(genl_info_net(info), name); if (!dev) - return -ENODEV; + return rc; + if (dev->type != ARPHRD_IEEE802154) + goto out; phy = dev->ieee802154_ptr->wpan_phy; BUG_ON(!phy); @@ -342,6 +345,7 @@ nla_put_failure: nlmsg_free(msg); out_dev: wpan_phy_put(phy); +out: if (dev) dev_put(dev);
I've observed a NULL pointer dereference in ieee802154_del_iface() during netlink fuzzing. It's the ->wpan_phy dereference here: phy = dev->ieee802154_ptr->wpan_phy; My bet is that we're not checking that this is an IEEE802154 interface, so let's do what ieee802154_nl_get_dev() is doing. (Maybe we should even be calling this directly?) Cc: Lennert Buytenhek <buytenh@wantstofly.org> Cc: Alexander Aring <alex.aring@gmail.com> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> Cc: Sergey Lapin <slapin@ossfans.org> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> --- net/ieee802154/nl-phy.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)