diff mbox series

flow_dissector: prevent NULL pointer dereference in __skb_flow_dissect

Message ID 20240320125635.1444-1-abelova@astralinux.ru (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series flow_dissector: prevent NULL pointer dereference in __skb_flow_dissect | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 942 this patch: 942
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 2 maintainers not CCed: pabeni@redhat.com rkannoth@marvell.com
netdev/build_clang success Errors and warnings before: 957 this patch: 957
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 959 this patch: 959
netdev/checkpatch warning CHECK: Alignment should match open parenthesis
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-03-20--15-00 (tests: 908)

Commit Message

Anastasia Belova March 20, 2024, 12:56 p.m. UTC 
skb is an optional parameter, so it may be NULL.
Add check defore dereference in eth_hdr.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
---
 net/core/flow_dissector.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jiri Pirko March 20, 2024, 1:38 p.m. UTC | #1 
Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>skb is an optional parameter, so it may be NULL.
>Add check defore dereference in eth_hdr.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.

Either drop this line which provides no value, or attach a link to the
actual report.


>
>Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")

This looks incorrect. I believe that this is the offending commit:
commit 690e36e726d00d2528bc569809048adf61550d80
Author: David S. Miller <davem@davemloft.net>
Date:   Sat Aug 23 12:13:41 2014 -0700

    net: Allow raw buffers to be passed into the flow dissector.



>Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>---
> net/core/flow_dissector.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>index 272f09251343..05db3a8aa771 100644
>--- a/net/core/flow_dissector.c
>+++ b/net/core/flow_dissector.c
>@@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
> 		rcu_read_unlock();
> 	}
> 
>-	if (dissector_uses_key(flow_dissector,
>+	if (skb && dissector_uses_key(flow_dissector,
> 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> 		struct ethhdr *eth = eth_hdr(skb);
> 		struct flow_dissector_key_eth_addrs *key_eth_addrs;

Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?


pw-bot: cr

>-- 
>2.30.2
>
Eric Dumazet March 20, 2024, 1:43 p.m. UTC | #2 
On Wed, Mar 20, 2024 at 2:38 PM Jiri Pirko <jiri@resnulli.us> wrote:
>
> Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
> >skb is an optional parameter, so it may be NULL.
> >Add check defore dereference in eth_hdr.
> >
> >Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Either drop this line which provides no value, or attach a link to the
> actual report.
>
>
> >
> >Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>
> This looks incorrect. I believe that this is the offending commit:
> commit 690e36e726d00d2528bc569809048adf61550d80
> Author: David S. Miller <davem@davemloft.net>
> Date:   Sat Aug 23 12:13:41 2014 -0700
>
>     net: Allow raw buffers to be passed into the flow dissector.
>
>
>
> >Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
> >---
> > net/core/flow_dissector.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> >index 272f09251343..05db3a8aa771 100644
> >--- a/net/core/flow_dissector.c
> >+++ b/net/core/flow_dissector.c
> >@@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
> >               rcu_read_unlock();
> >       }
> >
> >-      if (dissector_uses_key(flow_dissector,
> >+      if (skb && dissector_uses_key(flow_dissector,
> >                              FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> >               struct ethhdr *eth = eth_hdr(skb);
> >               struct flow_dissector_key_eth_addrs *key_eth_addrs;
>
> Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
> FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?
>

It would be nice knowing in which context we could have a NULL skb and
FLOW_DISSECTOR_KEY_ETH_ADDRS
at the same time.

It seems this fix is based on some kind of static analysis, but no real bug.
Jiri Pirko March 20, 2024, 1:54 p.m. UTC | #3 
Wed, Mar 20, 2024 at 02:43:22PM CET, edumazet@google.com wrote:
>On Wed, Mar 20, 2024 at 2:38 PM Jiri Pirko <jiri@resnulli.us> wrote:
>>
>> Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>> >skb is an optional parameter, so it may be NULL.
>> >Add check defore dereference in eth_hdr.
>> >
>> >Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Either drop this line which provides no value, or attach a link to the
>> actual report.
>>
>>
>> >
>> >Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>>
>> This looks incorrect. I believe that this is the offending commit:
>> commit 690e36e726d00d2528bc569809048adf61550d80
>> Author: David S. Miller <davem@davemloft.net>
>> Date:   Sat Aug 23 12:13:41 2014 -0700
>>
>>     net: Allow raw buffers to be passed into the flow dissector.
>>
>>
>>
>> >Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>> >---
>> > net/core/flow_dissector.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> >diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>> >index 272f09251343..05db3a8aa771 100644
>> >--- a/net/core/flow_dissector.c
>> >+++ b/net/core/flow_dissector.c
>> >@@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
>> >               rcu_read_unlock();
>> >       }
>> >
>> >-      if (dissector_uses_key(flow_dissector,
>> >+      if (skb && dissector_uses_key(flow_dissector,
>> >                              FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>> >               struct ethhdr *eth = eth_hdr(skb);
>> >               struct flow_dissector_key_eth_addrs *key_eth_addrs;
>>
>> Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
>> FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?
>>
>
>It would be nice knowing in which context we could have a NULL skb and
>FLOW_DISSECTOR_KEY_ETH_ADDRS
>at the same time.
>
>It seems this fix is based on some kind of static analysis, but no real bug.

Yeah, I agree. That's the main reason I asked for the link to the report.
Anastasia Belova March 21, 2024, 9:36 a.m. UTC | #4 
20/03/24 16:38, Jiri Pirko пишет:
> Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>> skb is an optional parameter, so it may be NULL.
>> Add check defore dereference in eth_hdr.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> Either drop this line which provides no value, or attach a link to the
> actual report.
>

It is an established practice for our project. You can find 700+ applied
patches with similar line:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org


>> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
> This looks incorrect. I believe that this is the offending commit:
> commit 690e36e726d00d2528bc569809048adf61550d80
> Author: David S. Miller <davem@davemloft.net>
> Date:   Sat Aug 23 12:13:41 2014 -0700
>
>      net: Allow raw buffers to be passed into the flow dissector.
>

Got it.

>
>> Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>> ---
>> net/core/flow_dissector.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>> index 272f09251343..05db3a8aa771 100644
>> --- a/net/core/flow_dissector.c
>> +++ b/net/core/flow_dissector.c
>> @@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
>> 		rcu_read_unlock();
>> 	}
>>
>> -	if (dissector_uses_key(flow_dissector,
>> +	if (skb && dissector_uses_key(flow_dissector,
>> 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>> 		struct ethhdr *eth = eth_hdr(skb);
>> 		struct flow_dissector_key_eth_addrs *key_eth_addrs;
> Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
> FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?

I agree, I'll send the second version.

Anastasia Belova
Jiri Pirko March 21, 2024, 10:57 a.m. UTC | #5 
Thu, Mar 21, 2024 at 10:36:53AM CET, abelova@astralinux.ru wrote:
>
>
>20/03/24 16:38, Jiri Pirko пишет:
>> Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>> > skb is an optional parameter, so it may be NULL.
>> > Add check defore dereference in eth_hdr.
>> > 
>> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
>> Either drop this line which provides no value, or attach a link to the
>> actual report.
>> 
>
>It is an established practice for our project. You can find 700+ applied
>patches with similar line:
>https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org

Okay. So would it be possible to attach a link to the actual report?

>
>
>> > Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>> This looks incorrect. I believe that this is the offending commit:
>> commit 690e36e726d00d2528bc569809048adf61550d80
>> Author: David S. Miller <davem@davemloft.net>
>> Date:   Sat Aug 23 12:13:41 2014 -0700
>> 
>>      net: Allow raw buffers to be passed into the flow dissector.
>> 
>
>Got it.
>
>> 
>> > Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>> > ---
>> > net/core/flow_dissector.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> > 
>> > diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>> > index 272f09251343..05db3a8aa771 100644
>> > --- a/net/core/flow_dissector.c
>> > +++ b/net/core/flow_dissector.c
>> > @@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
>> > 		rcu_read_unlock();
>> > 	}
>> > 
>> > -	if (dissector_uses_key(flow_dissector,
>> > +	if (skb && dissector_uses_key(flow_dissector,
>> > 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>> > 		struct ethhdr *eth = eth_hdr(skb);
>> > 		struct flow_dissector_key_eth_addrs *key_eth_addrs;
>> Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
>> FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?
>
>I agree, I'll send the second version.
>
>Anastasia Belova
>
Denis Kirjanov March 21, 2024, 11:39 a.m. UTC | #6 
On 3/21/24 13:57, Jiri Pirko wrote:
> Thu, Mar 21, 2024 at 10:36:53AM CET, abelova@astralinux.ru wrote:
>>
>>
>> 20/03/24 16:38, Jiri Pirko пишет:
>>> Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>>>> skb is an optional parameter, so it may be NULL.
>>>> Add check defore dereference in eth_hdr.
>>>>
>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>> Either drop this line which provides no value, or attach a link to the
>>> actual report.
>>>
>>
>> It is an established practice for our project. You can find 700+ applied
>> patches with similar line:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org
> 
> Okay. So would it be possible to attach a link to the actual report?
> 
>>
>>
>>>> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>>> This looks incorrect. I believe that this is the offending commit:
>>> commit 690e36e726d00d2528bc569809048adf61550d80
>>> Author: David S. Miller <davem@davemloft.net>
>>> Date:   Sat Aug 23 12:13:41 2014 -0700
>>>
>>>      net: Allow raw buffers to be passed into the flow dissector.
>>>
>>
>> Got it.

Looks like it's a static checker, there is no actual bug report or kernel oops/crash 

>>
>>>
>>>> Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>>>> ---
>>>> net/core/flow_dissector.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>>>> index 272f09251343..05db3a8aa771 100644
>>>> --- a/net/core/flow_dissector.c
>>>> +++ b/net/core/flow_dissector.c
>>>> @@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
>>>> 		rcu_read_unlock();
>>>> 	}
>>>>
>>>> -	if (dissector_uses_key(flow_dissector,
>>>> +	if (skb && dissector_uses_key(flow_dissector,
>>>> 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>>>> 		struct ethhdr *eth = eth_hdr(skb);
>>>> 		struct flow_dissector_key_eth_addrs *key_eth_addrs;
>>> Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
>>> FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?
>>
>> I agree, I'll send the second version.
>>
>> Anastasia Belova
>>
>
Anastasia Belova March 21, 2024, 12:04 p.m. UTC | #7 
21/03/24 13:57, Jiri Pirko пишет:
> Thu, Mar 21, 2024 at 10:36:53AM CET, abelova@astralinux.ru wrote:
>>
>> 20/03/24 16:38, Jiri Pirko пишет:
>>> Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>>>> skb is an optional parameter, so it may be NULL.
>>>> Add check defore dereference in eth_hdr.
>>>>
>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>> Either drop this line which provides no value, or attach a link to the
>>> actual report.
>>>
>> It is an established practice for our project. You can find 700+ applied
>> patches with similar line:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org
> Okay. So would it be possible to attach a link to the actual report?

Unfortunately no as far as results of the SVACE static analysis tool are
not available publicly at the moment.


Also I agree that this is quite a minor fix, but I still insist
that it would be better to add a check.

>
>>
>>>> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>>> This looks incorrect. I believe that this is the offending commit:
>>> commit 690e36e726d00d2528bc569809048adf61550d80
>>> Author: David S. Miller <davem@davemloft.net>
>>> Date:   Sat Aug 23 12:13:41 2014 -0700
>>>
>>>       net: Allow raw buffers to be passed into the flow dissector.
>>>
>> Got it.
>>
>>>> Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>>>> ---
>>>> net/core/flow_dissector.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>>>> index 272f09251343..05db3a8aa771 100644
>>>> --- a/net/core/flow_dissector.c
>>>> +++ b/net/core/flow_dissector.c
>>>> @@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
>>>> 		rcu_read_unlock();
>>>> 	}
>>>>
>>>> -	if (dissector_uses_key(flow_dissector,
>>>> +	if (skb && dissector_uses_key(flow_dissector,
>>>> 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>>>> 		struct ethhdr *eth = eth_hdr(skb);
>>>> 		struct flow_dissector_key_eth_addrs *key_eth_addrs;
>>> Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
>>> FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?
>> I agree, I'll send the second version.
>>
>> Anastasia Belova
>>
Jiri Pirko March 21, 2024, 12:42 p.m. UTC | #8 
Thu, Mar 21, 2024 at 01:04:22PM CET, abelova@astralinux.ru wrote:
>
>
>21/03/24 13:57, Jiri Pirko пишет:
>> Thu, Mar 21, 2024 at 10:36:53AM CET, abelova@astralinux.ru wrote:
>> > 
>> > 20/03/24 16:38, Jiri Pirko пишет:
>> > > Wed, Mar 20, 2024 at 01:56:35PM CET, abelova@astralinux.ru wrote:
>> > > > skb is an optional parameter, so it may be NULL.
>> > > > Add check defore dereference in eth_hdr.
>> > > > 
>> > > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
>> > > Either drop this line which provides no value, or attach a link to the
>> > > actual report.
>> > > 
>> > It is an established practice for our project. You can find 700+ applied
>> > patches with similar line:
>> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org
>> Okay. So would it be possible to attach a link to the actual report?
>
>Unfortunately no as far as results of the SVACE static analysis tool are
>not available publicly at the moment.

So, don't mention it, has no value what so ever. No place for
advertisements like this.


>
>
>Also I agree that this is quite a minor fix, but I still insist
>that it would be better to add a check.

It is not possible (prove us wrong) to hit this bug in real world.
No point to fix nobug.


>
>> 
>> > 
>> > > > Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>> > > This looks incorrect. I believe that this is the offending commit:
>> > > commit 690e36e726d00d2528bc569809048adf61550d80
>> > > Author: David S. Miller <davem@davemloft.net>
>> > > Date:   Sat Aug 23 12:13:41 2014 -0700
>> > > 
>> > >       net: Allow raw buffers to be passed into the flow dissector.
>> > > 
>> > Got it.
>> > 
>> > > > Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>> > > > ---
>> > > > net/core/flow_dissector.c | 2 +-
>> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
>> > > > 
>> > > > diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>> > > > index 272f09251343..05db3a8aa771 100644
>> > > > --- a/net/core/flow_dissector.c
>> > > > +++ b/net/core/flow_dissector.c
>> > > > @@ -1137,7 +1137,7 @@ bool __skb_flow_dissect(const struct net *net,
>> > > > 		rcu_read_unlock();
>> > > > 	}
>> > > > 
>> > > > -	if (dissector_uses_key(flow_dissector,
>> > > > +	if (skb && dissector_uses_key(flow_dissector,
>> > > > 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>> > > > 		struct ethhdr *eth = eth_hdr(skb);
>> > > > 		struct flow_dissector_key_eth_addrs *key_eth_addrs;
>> > > Looks like FLOW_DISSECT_RET_OUT_BAD should be returned in case the
>> > > FLOW_DISSECTOR_KEY_ETH_ADDRS are selected and there is no skb, no?
>> > I agree, I'll send the second version.
>> > 
>> > Anastasia Belova
>> > 
>
>
diff mbox series

Patch

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 272f09251343..05db3a8aa771 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1137,7 +1137,7 @@  bool __skb_flow_dissect(const struct net *net,
 		rcu_read_unlock();
 	}
 
-	if (dissector_uses_key(flow_dissector,
+	if (skb && dissector_uses_key(flow_dissector,
 			       FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
 		struct ethhdr *eth = eth_hdr(skb);
 		struct flow_dissector_key_eth_addrs *key_eth_addrs;