Message ID | 20221027142455.3975224-1-chenzhihao@meizu.com (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | xfrm:fix access to the null pointer in __xfrm_state_delete() | expand |
Hi Chen, You wrote on Thu, Oct 27, 2022 at 02:24:55PM +0000: > Validate the byseq node before removing it from the hlist of state_byseq. > km.seq cannot be used to determine whether the SA is in the byseq hlist > because xfrm_add_sa() may initialize km.seq to 0 and the SA is not inserted > into hlist. In later network communication, the seq field will increase > after the valid packet is received. > > In the above case, the NULL pointer will be accessed and cause a kernel > panic when the SA is being removed from hlist by checking km.seq field in > __xfrm_state_delete(). thanks for your patch! The solution is pretty close already, it's pfkey_send_new_mapping() from af_key.c messing with "x->km.seq" if a new NAT-T mapping is detected. I'll send a patch for the root cause on Monday, the commit message will be the most delicate thing. I already checked different PF_KEYv2 based IPSec implementations how they behave regarding SADB_X_NAT_T_NEW_MAPPING. Some details are public here already: https://github.com/strongswan/strongswan/issues/992#issuecomment-1294651331 If you are using a modern IPSec userspace application like strongswan 5.x, one can use the netlink xfrm interface and disable CONFIG_NET_KEY in the kernel to completely avoid the issue with PF_KEYv2. Also unloading the "af_key" kernel module helps. Perhaps it might make sense to extend your patch to WARN_ON in case we run into this situation again in the future? Then we would not sweep the issue under the rug. Cheers, Thomas
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 3d2fe7712ac5..72a6426baef4 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -687,7 +687,7 @@ int __xfrm_state_delete(struct xfrm_state *x) list_del(&x->km.all); hlist_del_rcu(&x->bydst); hlist_del_rcu(&x->bysrc); - if (x->km.seq) + if (x->km.seq && !hlist_unhashed(&x->byseq)) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi);