[net] xfrm: Fix ignored return value in xfrm6_init()

Message ID	20221103090713.188740-1-chenzhongjin@huawei.com (mailing list archive)
State	Awaiting Upstream
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Chen Zhongjin <chenzhongjin@huawei.com> To: <linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org> CC: <steffen.klassert@secunet.com>, <herbert@gondor.apana.org.au>, <davem@davemloft.net>, <yoshfuji@linux-ipv6.org>, <dsahern@kernel.org>, <edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>, <mkubecek@suse.cz>, <chenzhongjin@huawei.com> Subject: [PATCH net] xfrm: Fix ignored return value in xfrm6_init() Date: Thu, 3 Nov 2022 17:07:13 +0800 Message-ID: <20221103090713.188740-1-chenzhongjin@huawei.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk
Series	[net] xfrm: Fix ignored return value in xfrm6_init() \| expand [net] xfrm: Fix ignored return value in xfrm6_init()

Context	Check	Description
netdev/tree_selection	success	Clearly marked for net
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/subject_prefix	success	Link
netdev/cover_letter	success	Single patches do not need cover letters
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers	success	CCed 10 of 10 maintainers
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Chen Zhongjin Nov. 3, 2022, 9:07 a.m. UTC

When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
is possible to fail but its return value is ignored.

If IPv6 initialization fails later and xfrm6_fini() is called,
removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 330 Comm: insmod
RIP: 0010:unregister_pernet_operations+0xc9/0x450
Call Trace:
 <TASK>
 unregister_pernet_subsys+0x31/0x3e
 xfrm6_fini+0x16/0x30 [ipv6]
 ip6_route_init+0xcd/0x128 [ipv6]
 inet6_init+0x29c/0x602 [ipv6]
 ...

Fix it by catching the error return value of register_pernet_subsys().

Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
---
 net/ipv6/xfrm6_policy.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Leon Romanovsky Nov. 6, 2022, 7:08 p.m. UTC | #1

On Thu, Nov 03, 2022 at 05:07:13PM +0800, Chen Zhongjin wrote:
> When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
> is possible to fail but its return value is ignored.
> 
> If IPv6 initialization fails later and xfrm6_fini() is called,
> removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
> 
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> CPU: 1 PID: 330 Comm: insmod
> RIP: 0010:unregister_pernet_operations+0xc9/0x450
> Call Trace:
>  <TASK>
>  unregister_pernet_subsys+0x31/0x3e
>  xfrm6_fini+0x16/0x30 [ipv6]
>  ip6_route_init+0xcd/0x128 [ipv6]
>  inet6_init+0x29c/0x602 [ipv6]
>  ...
> 
> Fix it by catching the error return value of register_pernet_subsys().
> 
> Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
> Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
> ---
>  net/ipv6/xfrm6_policy.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

I see same error in net/ipv4/xfrm4_policy.c which introduced by same
commit mentioned in Fixes line.

Thanks

> 
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 4a4b0e49ec92..ea435eba3053 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -287,9 +287,13 @@ int __init xfrm6_init(void)
>  	if (ret)
>  		goto out_state;
>  
> -	register_pernet_subsys(&xfrm6_net_ops);
> +	ret = register_pernet_subsys(&xfrm6_net_ops);
> +	if (ret)
> +		goto out_protocol;
>  out:
>  	return ret;
> +out_protocol:
> +	xfrm6_protocol_fini();
>  out_state:
>  	xfrm6_state_fini();
>  out_policy:
> -- 
> 2.17.1
>

Chen Zhongjin Nov. 7, 2022, 3:22 a.m. UTC | #2

Hi,

On 2022/11/7 3:08, Leon Romanovsky wrote:
> On Thu, Nov 03, 2022 at 05:07:13PM +0800, Chen Zhongjin wrote:
>> When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
>> is possible to fail but its return value is ignored.
>>
>> If IPv6 initialization fails later and xfrm6_fini() is called,
>> removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
>>
>> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
>> CPU: 1 PID: 330 Comm: insmod
>> RIP: 0010:unregister_pernet_operations+0xc9/0x450
>> Call Trace:
>>   <TASK>
>>   unregister_pernet_subsys+0x31/0x3e
>>   xfrm6_fini+0x16/0x30 [ipv6]
>>   ip6_route_init+0xcd/0x128 [ipv6]
>>   inet6_init+0x29c/0x602 [ipv6]
>>   ...
>>
>> Fix it by catching the error return value of register_pernet_subsys().
>>
>> Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
>> Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
>> ---
>>   net/ipv6/xfrm6_policy.c | 6 +++++-
>>   1 file changed, 5 insertions(+), 1 deletion(-)
> I see same error in net/ipv4/xfrm4_policy.c which introduced by same
> commit mentioned in Fixes line.

It's true that in xfrm4_init() the ops->init is possible to fail as well.

However there is no error handling or exit path for ipv4, so IIUC the 
ops won't be unregistered anyway.

Considering that ipv4 don't handle most of error in initialization, 
maybe it's better to keep it as it is?


Best,

Chen

> Thanks
>

Leon Romanovsky Nov. 7, 2022, 8:06 a.m. UTC | #3

On Mon, Nov 07, 2022 at 11:22:40AM +0800, Chen Zhongjin wrote:
> Hi,
> 
> On 2022/11/7 3:08, Leon Romanovsky wrote:
> > On Thu, Nov 03, 2022 at 05:07:13PM +0800, Chen Zhongjin wrote:
> > > When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
> > > is possible to fail but its return value is ignored.
> > > 
> > > If IPv6 initialization fails later and xfrm6_fini() is called,
> > > removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
> > > 
> > > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> > > CPU: 1 PID: 330 Comm: insmod
> > > RIP: 0010:unregister_pernet_operations+0xc9/0x450
> > > Call Trace:
> > >   <TASK>
> > >   unregister_pernet_subsys+0x31/0x3e
> > >   xfrm6_fini+0x16/0x30 [ipv6]
> > >   ip6_route_init+0xcd/0x128 [ipv6]
> > >   inet6_init+0x29c/0x602 [ipv6]
> > >   ...
> > > 
> > > Fix it by catching the error return value of register_pernet_subsys().
> > > 
> > > Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
> > > Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
> > > ---
> > >   net/ipv6/xfrm6_policy.c | 6 +++++-
> > >   1 file changed, 5 insertions(+), 1 deletion(-)
> > I see same error in net/ipv4/xfrm4_policy.c which introduced by same
> > commit mentioned in Fixes line.
> 
> It's true that in xfrm4_init() the ops->init is possible to fail as well.
> 
> However there is no error handling or exit path for ipv4, so IIUC the ops
> won't be unregistered anyway.
> 
> Considering that ipv4 don't handle most of error in initialization, maybe
> it's better to keep it as it is?

Yeah, makes sense.

Thanks,
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>

Steffen Klassert Nov. 17, 2022, 6:33 a.m. UTC | #4

On Mon, Nov 07, 2022 at 10:06:48AM +0200, Leon Romanovsky wrote:
> On Mon, Nov 07, 2022 at 11:22:40AM +0800, Chen Zhongjin wrote:
> > Hi,
> > 
> > On 2022/11/7 3:08, Leon Romanovsky wrote:
> > > On Thu, Nov 03, 2022 at 05:07:13PM +0800, Chen Zhongjin wrote:
> > > > When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
> > > > is possible to fail but its return value is ignored.
> > > > 
> > > > If IPv6 initialization fails later and xfrm6_fini() is called,
> > > > removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
> > > > 
> > > > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> > > > CPU: 1 PID: 330 Comm: insmod
> > > > RIP: 0010:unregister_pernet_operations+0xc9/0x450
> > > > Call Trace:
> > > >   <TASK>
> > > >   unregister_pernet_subsys+0x31/0x3e
> > > >   xfrm6_fini+0x16/0x30 [ipv6]
> > > >   ip6_route_init+0xcd/0x128 [ipv6]
> > > >   inet6_init+0x29c/0x602 [ipv6]
> > > >   ...
> > > > 
> > > > Fix it by catching the error return value of register_pernet_subsys().
> > > > 
> > > > Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
> > > > Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
> > > > ---
> > > >   net/ipv6/xfrm6_policy.c | 6 +++++-
> > > >   1 file changed, 5 insertions(+), 1 deletion(-)
> > > I see same error in net/ipv4/xfrm4_policy.c which introduced by same
> > > commit mentioned in Fixes line.
> > 
> > It's true that in xfrm4_init() the ops->init is possible to fail as well.
> > 
> > However there is no error handling or exit path for ipv4, so IIUC the ops
> > won't be unregistered anyway.
> > 
> > Considering that ipv4 don't handle most of error in initialization, maybe
> > it's better to keep it as it is?
> 
> Yeah, makes sense.
> 
> Thanks,
> Reviewed-by: Leon Romanovsky <leonro@nvidia.com>

Applied, thanks a lot!

[net] xfrm: Fix ignored return value in xfrm6_init()

Checks

Commit Message

Comments

Patch