linux-stable/net
Dave Wysochanski 8019d7074d SUNRPC: Handle 0 length opaque XDR object data properly
[ Upstream commit e4a7d1f770 ]

When handling an auth_gss downcall, it's possible to get a 0-length
opaque object for the acceptor.  In the case of a 0-length XDR
object, make sure simple_get_netobj() fills in dest->data = NULL,
and does not continue to kmemdup(), which will set
dest->data = ZERO_SIZE_PTR for the acceptor.

The trace event code can handle NULL but not ZERO_SIZE_PTR for a
string, and so without this patch the rpcgss_context trace event
will crash the kernel as follows:

[  162.887992] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  162.898693] #PF: supervisor read access in kernel mode
[  162.900830] #PF: error_code(0x0000) - not-present page
[  162.902940] PGD 0 P4D 0
[  162.904027] Oops: 0000 [#1] SMP PTI
[  162.905493] CPU: 4 PID: 4321 Comm: rpc.gssd Kdump: loaded Not tainted 5.10.0 #133
[  162.908548] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  162.910978] RIP: 0010:strlen+0x0/0x20
[  162.912505] Code: 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 31
[  162.920101] RSP: 0018:ffffaec900c77d90 EFLAGS: 00010202
[  162.922263] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffde697
[  162.925158] RDX: 000000000000002f RSI: 0000000000000080 RDI: 0000000000000010
[  162.928073] RBP: 0000000000000010 R08: 0000000000000e10 R09: 0000000000000000
[  162.930976] R10: ffff8e698a590cb8 R11: 0000000000000001 R12: 0000000000000e10
[  162.933883] R13: 00000000fffde697 R14: 000000010034d517 R15: 0000000000070028
[  162.936777] FS:  00007f1e1eb93700(0000) GS:ffff8e6ab7d00000(0000) knlGS:0000000000000000
[  162.940067] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.942417] CR2: 0000000000000010 CR3: 0000000104eba000 CR4: 00000000000406e0
[  162.945300] Call Trace:
[  162.946428]  trace_event_raw_event_rpcgss_context+0x84/0x140 [auth_rpcgss]
[  162.949308]  ? __kmalloc_track_caller+0x35/0x5a0
[  162.951224]  ? gss_pipe_downcall+0x3a3/0x6a0 [auth_rpcgss]
[  162.953484]  gss_pipe_downcall+0x585/0x6a0 [auth_rpcgss]
[  162.955953]  rpc_pipe_write+0x58/0x70 [sunrpc]
[  162.957849]  vfs_write+0xcb/0x2c0
[  162.959264]  ksys_write+0x68/0xe0
[  162.960706]  do_syscall_64+0x33/0x40
[  162.962238]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  162.964346] RIP: 0033:0x7f1e1f1e57df

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-02-23 14:00:30 +01:00
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:46:30 +01:00
9p net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid 2020-11-05 11:06:57 +01:00
802
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 13:58:58 +01:00
appletalk appletalk: Set error code if register_snap_client failed 2019-12-17 20:38:59 +01:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:12:42 +02:00
ax25 AX.25: Prevent integer overflows in connect and sendmsg 2020-07-31 16:44:44 +02:00
batman-adv batman-adv: set .owner to THIS_MODULE 2020-12-02 08:34:42 +01:00
bluetooth Bluetooth: Fix null pointer dereference in hci_event_packet() 2020-12-29 13:46:52 +01:00
bpf
bridge net: bridge: vlan: fix error return code in __vlan_add() 2020-12-29 13:46:45 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
can can: af_can: prevent potential access of uninitialized member in canfd_rcv() 2020-11-24 13:05:47 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:07:03 +01:00
core net_sched: gen_estimator: support large ewma log 2021-02-07 14:47:40 +01:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 15:48:46 +01:00
dccp net: ipv6: add net argument to ip6_dst_lookup_flow 2020-05-20 08:17:02 +02:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 14:00:14 +01:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-24 08:01:25 +02:00
dsa net: dsa: Fix duplicate frames flooded by learning 2020-04-02 16:34:24 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:17:59 +01:00
hsr hsr: check protocol version in hsr_newlink() 2020-04-24 08:00:52 +02:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-20 10:54:10 +01:00
ife
ipv4 ipv4: fix race condition between route lookup and invalidation 2021-02-10 09:12:08 +01:00
ipv6 ipv6: create multicast route with RTPROT_KERNEL 2021-01-30 13:31:15 +01:00
ipx
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:17:32 +01:00
kcm
key af_key: relax availability checks for skb size calculation 2021-02-23 14:00:29 +01:00
l2tp l2tp: remove skb_dst_set() from l2tp_xmit_skb() 2020-07-22 09:22:19 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:12:08 +01:00
llc llc: make sure applications use ARPHRD_ETHER 2020-07-22 09:22:20 +02:00
mac80211 mac80211: fix station rate table updates on assoc 2021-02-10 09:12:09 +01:00
mac802154 mac802154: tx: fix use-after-free 2020-10-01 13:12:50 +02:00
mpls net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2020-05-20 08:17:02 +02:00
ncsi net/ncsi: Use real net-device for response handler 2021-01-12 20:09:07 +01:00
netfilter netfilter: nft_dynset: add timeout extension to template 2021-02-03 23:22:22 +01:00
netlabel netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() 2020-11-24 13:05:40 +01:00
netlink genetlink: remove genl_bind 2020-07-22 09:22:19 +02:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-05-02 17:24:17 +02:00
nfc NFC: fix possible resource leak 2021-02-03 23:22:23 +01:00
nsh
openvswitch openvswitch: handle DNAT tuple collision 2020-10-14 09:51:12 +02:00
packet net/packet: fix overflow in tpacket_rcv 2020-10-14 09:51:09 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 15:38:15 +01:00
qrtr net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() 2020-06-03 08:17:38 +02:00
rds rds: Prevent kernel-infoleak in rds_notify_queue_get() 2020-08-05 10:06:50 +02:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:11:57 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:17:32 +01:00
rxrpc rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-23 15:48:47 +01:00
sched net_sched: reject silly cell_log in qdisc_get_rtab() 2021-02-07 14:47:40 +01:00
sctp sctp: change to hold/put transport for proto_unreach_timer 2020-11-24 13:05:41 +01:00
smc net/smc: check for valid ib_client_data 2020-03-20 10:54:20 +01:00
strparser
sunrpc SUNRPC: Handle 0 length opaque XDR object data properly 2021-02-23 14:00:30 +01:00
switchdev
tipc tipc: fix NULL deref in tipc_link_xmit() 2021-01-23 15:48:47 +01:00
tls
unix skbuff: fix a data race in skb_queue_len() 2020-10-01 13:12:33 +02:00
vmw_vsock vsock: use ns_capable_noaudit() on socket create 2020-11-10 10:29:05 +01:00
wimax
wireless wext: fix NULL-ptr-dereference with cfg80211's lack of commit() 2021-02-03 23:22:21 +01:00
x25 net/x25: prevent a couple of overflows 2020-12-08 10:17:33 +01:00
xfrm xfrm: Fix oops in xfrm_replay_advance_bmp 2021-02-03 23:22:22 +01:00
compat.c net/compat: Add missing sock updates for SCM_RIGHTS 2020-08-21 09:48:18 +02:00
Kconfig
Makefile
socket.c net: Set fput_needed iff FDPUT_FPUT is set 2020-08-21 09:48:14 +02:00
sysctl_net.c