Commit
net: rmnet: fix NULL pointer dereference in rmnet_changelink()
In the rmnet_changelink(), it uses IFLA_LINK without checking NULL pointer.
tb[IFLA_LINK] could be NULL pointer. So, NULL-ptr-deref could occur.

rmnet already has a lower interface (real_dev).
So, after this patch, rmnet_changelink() does not use IFLA_LINK anymore.

Test commands:
    modprobe rmnet
    ip link add dummy0 type dummy
    ip link add rmnet0 link dummy0 type rmnet mux_id 1
    ip link set rmnet0 type rmnet mux_id 2

Splat looks like:
    [ 73.784702][ T944] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 I
    [ 73.786128][ T944] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    [ 73.786894][ T944] CPU: 0 PID: 944 Comm: ip Not tainted 5.5.0+ torvalds#406
    [ 73.787573][ T944] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [ 73.788865][ T944] RIP: 0010:rmnet_changelink+0x5a/0x8a0 [rmnet]
    [ 73.789895][ T944] Code: 83 ec 20 48 c1 ea 03 80 3c 02 00 0f 85 6f 07 00 00 48 8b 5e 28 48 b8 00 00 00 00 00 fc ff d0
    [ 73.792187][ T944] RSP: 0018:ffff88804ca571b8 EFLAGS: 00010247
    [ 73.792939][ T944] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88804ca578b0
    [ 73.793880][ T944] RDX: 0000000000000000 RSI: ffff88804ca574a0 RDI: 0000000000000004
    [ 73.794904][ T944] RBP: ffff88806241f400 R08: 0000000000000002 R09: 0000000000000002
    [ 73.796720][ T944] R10: ffffffffc03f2a80 R11: 0000000000000000 R12: ffff88804d094000
    [ 73.797721][ T944] R13: ffff88804d094000 R14: ffff88806241e800 R15: 0000000000000000
    [ 73.798770][ T944] FS: 00007fc9d81650c0(0000) GS:ffff88806c000000(0000) knlGS:0000000000000000
    [ 73.800184][ T944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 73.801265][ T944] CR2: 0000557c57167458 CR3: 0000000066eea003 CR4: 00000000000606f0
    [ 73.802297][ T944] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 73.803290][ T944] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 73.804433][ T944] Call Trace:
    [ 73.804855][ T944] __rtnl_newlink+0x922/0x1270
    [ 73.805459][ T944] ? lock_downgrade+0x6e0/0x6e0
    [ 73.806068][ T944] ? rtnl_link_unregister+0x220/0x220
    [ 73.806737][ T944] ? lock_acquire+0x164/0x3b0
    [ 73.807328][ T944] ? is_bpf_image_address+0xff/0x1d0
    [ 73.807983][ T944] ? rtnl_newlink+0x4c/0x90
    [ 73.808540][ T944] ? kernel_text_address+0x111/0x140
    [ 73.809196][ T944] ? __kernel_text_address+0xe/0x30
    [ 73.809859][ T944] ? unwind_get_return_address+0x5f/0xa0
    [ 73.810560][ T944] ? create_prof_cpu_mask+0x20/0x20
    [ 73.811614][ T944] ? arch_stack_walk+0x83/0xb0
    [ 73.812350][ T944] ? stack_trace_save+0x82/0xb0
    [ 73.812976][ T944] ? stack_trace_consume_entry+0x160/0x160
    [ 73.814174][ T944] ? deactivate_slab.isra.78+0x2c5/0x800
    [ 73.814920][ T944] ? kasan_unpoison_shadow+0x30/0x40
    [ 73.815594][ T944] ? kmem_cache_alloc_trace+0x135/0x350
    [ 73.816789][ T944] ? rtnl_newlink+0x4c/0x90
    [ 73.817357][ T944] rtnl_newlink+0x65/0x90
    [ ... ]

Fixes: 23790ef ("net: qualcomm: rmnet: Allow to configure flags for existing devices")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
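
The failure mode described in the commit message, as an added userspace model that is not part of the commit or of the kernel source: a change request that carries only mux_id leaves the link slot of the attribute table NULL, so the lower device has to come from state saved at creation. All type and function names, and the ifindex value 7, are assumptions made for illustration.

```c
/* Userspace model of a netlink attribute table; not kernel code, all names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ATTR_LINK = 1, ATTR_MUX_ID = 2, ATTR_MAX = 2 };  /* ATTR_LINK models IFLA_LINK */
#define NO_ATTR (-1L)                                    /* slot is NULL: unchecked code would fault here */
struct attr { uint16_t type; uint32_t value; };
struct rmnet_model { long real_dev_ifindex; uint32_t mux_id; };

/* Constructed messages mirroring the commit's test commands; ifindex 7 is made up. */
static const struct attr NEWLINK[]    = { {ATTR_LINK, 7}, {ATTR_MUX_ID, 1} }; /* ip link add ... link dummy0 ... mux_id 1 */
static const struct attr CHANGELINK[] = { {ATTR_MUX_ID, 2} };                 /* ip link set ... mux_id 2 */

/* Like a netlink attribute parser: slots for attributes absent from the message stay NULL. */
static void parse(const struct attr *msg, size_t n, const struct attr **tb)
{
    memset(tb, 0, (ATTR_MAX + 1) * sizeof(*tb));
    for (size_t i = 0; i < n; i++)
        if (msg[i].type <= ATTR_MAX)
            tb[msg[i].type] = &msg[i];
}

/* Reads the link attribute; the NULL check is what the pre-fix pattern lacked. */
static long link_from_message(const struct attr **tb)
{
    return tb[ATTR_LINK] ? (long)tb[ATTR_LINK]->value : NO_ATTR;
}

/* Create, then change. fixed=0 resolves the lower device from the change message, fixed=1 from saved state. */
long lower_dev_on_change(int fixed)
{
    const struct attr *tb[ATTR_MAX + 1];
    struct rmnet_model priv;
    parse(NEWLINK, sizeof(NEWLINK) / sizeof(NEWLINK[0]), tb);
    priv.real_dev_ifindex = link_from_message(tb);       /* creation: link attribute is present */
    priv.mux_id = tb[ATTR_MUX_ID] ? tb[ATTR_MUX_ID]->value : 0;

    parse(CHANGELINK, sizeof(CHANGELINK) / sizeof(CHANGELINK[0]), tb);
    long lower = fixed ? priv.real_dev_ifindex : link_from_message(tb);
    if (lower != NO_ATTR && tb[ATTR_MUX_ID])
        priv.mux_id = tb[ATTR_MUX_ID]->value;             /* apply the requested mux_id */
    return lower;
}

int main(void)
{
    printf("from message: %ld, from saved state: %ld\n", lower_dev_on_change(0), lower_dev_on_change(1));
    return 0;
}
```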