| Message ID | DB3PR10MB6835D68E7E632532155AE585E8A9A@DB3PR10MB6835.EURPRD10.PROD.OUTLOOK.COM (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 8a4f030dbced6fc255cbe67b2d0a129947e18493 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [RESEND] ptp: Fixes a null pointer dereference in ptp_ioctl | expand |
On 11/7/23 21:48, Yuran Pereira wrote: > Syzkaller found a null pointer dereference in ptp_ioctl > originating from the lack of a null check for tsevq. > > ``` > general protection fault, probably for non-canonical > address 0xdffffc000000020b: 0000 [#1] PREEMPT SMP KASAN > KASAN: probably user-memory-access in range > [0x0000000000001058-0x000000000000105f] > CPU: 0 PID: 5053 Comm: syz-executor353 Not tainted > 6.6.0-syzkaller-10396-g4652b8e4f3ff #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, > BIOS Google 10/09/2023 > RIP: 0010:ptp_ioctl+0xcb7/0x1d10 drivers/ptp/ptp_chardev.c:476 > ... > Call Trace: > <TASK> > posix_clock_ioctl+0xf8/0x160 kernel/time/posix-clock.c:86 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:871 [inline] > __se_sys_ioctl fs/ioctl.c:857 [inline] > __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 > do_syscall_x64 arch/x86/entry/common.c:51 [inline] > do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 > entry_SYSCALL_64_after_hwframe+0x63/0x6b > ``` > > This patch fixes the issue by adding a check for tsevq and > ensuring ptp_ioctl returns with an error if tsevq is null. > > Reported-by: syzbot+8a78ecea7ac1a2ea26e5@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=8a78ecea7ac1a2ea26e5 > Fixes: c5a445b1e934 ("ptp: support event queue reader channel masks") > Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> > --- > drivers/ptp/ptp_chardev.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c > index 282cd7d24077..5b36c34629a0 100644 > --- a/drivers/ptp/ptp_chardev.c > +++ b/drivers/ptp/ptp_chardev.c > @@ -173,6 +173,8 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, > int enable, err = 0; > > tsevq = pccontext->private_clkdata; > + if (!tsevq) > + return -EINVAL; > > switch (cmd) { > Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
On 11/8/23 11:15, Przemek Kitszel wrote: > On 11/7/23 21:48, Yuran Pereira wrote: >> Syzkaller found a null pointer dereference in ptp_ioctl Ugh, I just noticed that this is a fixed version of previous attempt, for those please always bump version and include changelog, please also comply with: https://www.kernel.org/doc/html/next/process/maintainer-netdev.html if only to don't fool random reviewers (I somewhat assumed that you have just rebased some old patch, PATCH RESEND was misleading here) >> originating from the lack of a null check for tsevq. >> >> ``` >> general protection fault, probably for non-canonical >> address 0xdffffc000000020b: 0000 [#1] PREEMPT SMP KASAN >> KASAN: probably user-memory-access in range >> [0x0000000000001058-0x000000000000105f] >> CPU: 0 PID: 5053 Comm: syz-executor353 Not tainted >> 6.6.0-syzkaller-10396-g4652b8e4f3ff #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, >> BIOS Google 10/09/2023 >> RIP: 0010:ptp_ioctl+0xcb7/0x1d10 drivers/ptp/ptp_chardev.c:476 >> ... >> Call Trace: >> <TASK> >> posix_clock_ioctl+0xf8/0x160 kernel/time/posix-clock.c:86 >> vfs_ioctl fs/ioctl.c:51 [inline] >> __do_sys_ioctl fs/ioctl.c:871 [inline] >> __se_sys_ioctl fs/ioctl.c:857 [inline] >> __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 >> do_syscall_x64 arch/x86/entry/common.c:51 [inline] >> do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 >> entry_SYSCALL_64_after_hwframe+0x63/0x6b >> ``` >> >> This patch fixes the issue by adding a check for tsevq and >> ensuring ptp_ioctl returns with an error if tsevq is null. >> >> Reported-by: syzbot+8a78ecea7ac1a2ea26e5@syzkaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=8a78ecea7ac1a2ea26e5 >> Fixes: c5a445b1e934 ("ptp: support event queue reader channel masks") >> Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> >> --- >> drivers/ptp/ptp_chardev.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c >> index 282cd7d24077..5b36c34629a0 100644 >> --- a/drivers/ptp/ptp_chardev.c >> +++ b/drivers/ptp/ptp_chardev.c >> @@ -173,6 +173,8 @@ long ptp_ioctl(struct posix_clock_context >> *pccontext, unsigned int cmd, >> int enable, err = 0; >> tsevq = pccontext->private_clkdata; >> + if (!tsevq) >> + return -EINVAL; >> switch (cmd) { > > Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> > Still applies, code is fine, thanks!
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Wed, 8 Nov 2023 02:18:36 +0530 you wrote: > Syzkaller found a null pointer dereference in ptp_ioctl > originating from the lack of a null check for tsevq. > > ``` > general protection fault, probably for non-canonical > address 0xdffffc000000020b: 0000 [#1] PREEMPT SMP KASAN > KASAN: probably user-memory-access in range > [0x0000000000001058-0x000000000000105f] > CPU: 0 PID: 5053 Comm: syz-executor353 Not tainted > 6.6.0-syzkaller-10396-g4652b8e4f3ff #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, > BIOS Google 10/09/2023 > RIP: 0010:ptp_ioctl+0xcb7/0x1d10 drivers/ptp/ptp_chardev.c:476 > ... > Call Trace: > <TASK> > posix_clock_ioctl+0xf8/0x160 kernel/time/posix-clock.c:86 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:871 [inline] > __se_sys_ioctl fs/ioctl.c:857 [inline] > __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 > do_syscall_x64 arch/x86/entry/common.c:51 [inline] > do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 > entry_SYSCALL_64_after_hwframe+0x63/0x6b > ``` > > [...] Here is the summary with links: - [RESEND] ptp: Fixes a null pointer dereference in ptp_ioctl https://git.kernel.org/netdev/net/c/8a4f030dbced You are awesome, thank you!
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c index 282cd7d24077..5b36c34629a0 100644 --- a/drivers/ptp/ptp_chardev.c +++ b/drivers/ptp/ptp_chardev.c @@ -173,6 +173,8 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, int enable, err = 0; tsevq = pccontext->private_clkdata; + if (!tsevq) + return -EINVAL; switch (cmd) {
Syzkaller found a null pointer dereference in ptp_ioctl originating from the lack of a null check for tsevq. ``` general protection fault, probably for non-canonical address 0xdffffc000000020b: 0000 [#1] PREEMPT SMP KASAN KASAN: probably user-memory-access in range [0x0000000000001058-0x000000000000105f] CPU: 0 PID: 5053 Comm: syz-executor353 Not tainted 6.6.0-syzkaller-10396-g4652b8e4f3ff #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:ptp_ioctl+0xcb7/0x1d10 drivers/ptp/ptp_chardev.c:476 ... Call Trace: <TASK> posix_clock_ioctl+0xf8/0x160 kernel/time/posix-clock.c:86 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl fs/ioctl.c:857 [inline] __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b ``` This patch fixes the issue by adding a check for tsevq and ensuring ptp_ioctl returns with an error if tsevq is null. Reported-by: syzbot+8a78ecea7ac1a2ea26e5@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8a78ecea7ac1a2ea26e5 Fixes: c5a445b1e934 ("ptp: support event queue reader channel masks") Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> --- drivers/ptp/ptp_chardev.c | 2 ++ 1 file changed, 2 insertions(+)