Re: [PATCH net] can: raw: fix raw_rcv panic for sock UAF

From: Oliver Hartkopp
Date: Wed Jul 21 2021 - 05:59:29 EST




On 21.07.21 11:29, Ziyang Xuan (William) wrote:
> On 7/21/2021 2:35 PM, Oliver Hartkopp wrote:
>> On 21.07.21 06:53, Greg KH wrote:
>>> On Wed, Jul 21, 2021 at 09:09:37AM +0800, Ziyang Xuan wrote:
>>>> We get a bug during the ltp can_filter test as follows.
>>>>
>>>> ===========================================
>>>> [60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>>>> [60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
>>>> [60919.265443] Oops: 0000 [#1] SMP PTI
>>>> [60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G        W         4.19.90+ #1
>>
>> This kernel version 4.19.90 is definitely outdated.
>>
>> Can you please check your issue with the latest upstream kernel, as this problem should have been fixed with this patch:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8d0caedb759683041d9db82069937525999ada53
>> ("can: bcm/raw/isotp: use per module netdevice notifier")
>>
>> Thanks!
>
> I have tested it under the latest 5.14-rc2 kernel version, which includes commit 8d0caedb7596, before I submitted the patch.
> Although I failed to get the vmcore-dmesg file after updating the kernel version to 5.14-rc2 to display here,
> we can reach the conclusion from the following debug messages and my problem analysis.
>
> ==========================================
> [ 1048.953574] unlist_netdevice name[vcan0]
> [ 1048.953661] raw_notify 283: enter, waiting
> [ 1050.950967] raw_setsockopt 552: ro->bound[1] ro->ifindex[8] sk[ffff9420c5699800]
> [ 1053.956002] can: receive list entry not found for dev any, id 000, mask 000
> [ 1053.961989] can: receive list entry not found for dev vcan0, id 123, mask 7FF
>
> raw_setsockopt() executes after unlist_netdevice() and before raw_notify().
> The problem always exists.

You are right!

In the meantime I sent a new reply to your original patch here:

https://lore.kernel.org/linux-can/11822417-5931-b2d8-ae77-ec4a84b8b895@xxxxxxxxxxxx/

Thanks!