NetBSD-Bugs archive


kern/56904: null pointer dereference in rtsock.c sysctl_iflist: ifp->if_dl->ifa_addr when ifp->if_dl is null



>Number:         56904
>Category:       kern
>Synopsis:       null pointer dereference in rtsock.c sysctl_iflist: ifp->if_dl->ifa_addr when ifp->if_dl is null
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 26 23:05:00 +0000 2022
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The NetBSD Foundation
>Environment:
syzbot amd64
>Description:
[ 100.1167764] fatal page fault in supervisor mode
[ 100.1167764] trap type 6 code 0 rip 0xffffffff859e1707 cs 0x8 rflags 0x10246 cr2 0 ilevel 0x4 rsp 0xffffea00878e7980
[ 100.1316679] curlwp 0xffffea0012ae3340 pid 600.600 lowest kstack 0xffffea00878e02c0
kernel: page fault trap, code=0
Stopped in pid 600.600 (dhcpcd) at      netbsd:sysctl_rtable+0x1027:    movq    0(%r14),%r12
?
sysctl_rtable() at netbsd:sysctl_rtable+0x1027 sysctl_iflist sys/net/rtsock.c:319 [inline]
sysctl_rtable() at netbsd:sysctl_rtable+0x1027 sys/net/rtsock.c:477
sysctl_dispatch() at netbsd:sysctl_dispatch+0x526 sys/kern/kern_sysctl.c:461
sys___sysctl() at netbsd:sys___sysctl+0x654 sys/kern/kern_sysctl.c:317
syscall() at netbsd:syscall+0x60c sy_invoke sys/sys/syscallvar.h:94 [inline]
syscall() at netbsd:syscall+0x60c sys/arch/x86/x86/syscall.c:138
--- syscall (number 202) ---

It looks like ifp->if_dl can be set to null by if_deactivate_sadl, which is called by if_free_sadl, which is called by if_alloc_sadl, which is called by if_set_sadl, which can be called while an interface is attached (i.e., between if_register/if_attach and if_detach) and thus while it may be passively in use by net/rtsock.c.
>How-To-Repeat:
https://syzkaller.appspot.com/bug?id=8edb5d051112e79fb98d52ee454a2e7d5ae2ec0e
>Fix:
Yes, please!

Access to ifp->if_dl should probably be managed with atomics and net/rtsock.c should gracefully handle the case of a null sadl, if this is possible -- or if it is invalid, then the transition from an old sadl to a new sadl must be done atomically without an intermediate null state.
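The following is an added user-space model of the two fixes sketched above (a reader in the style of sysctl_iflist that tolerates a null sadl, and a writer in the style of if_set_sadl that swaps the old sadl for the new one in a single atomic step). It is example code written for this report, not NetBSD's rtsock.c or if.c: the struct names echo the kernel's but are simplified stand-ins, the real if_dl is a plain pointer rather than _Atomic, and the sample addresses are constructed.

```c
/* Added example: user-space model of the ifp->if_dl hazard from the
 * report.  The struct names echo the kernel's, but they are stand-ins,
 * not NetBSD's definitions. */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct sadl_addr {                /* stand-in for the link-layer address */
    unsigned char sdl_data[6];
    size_t sdl_len;
};

struct ifaddr {                   /* stand-in: the one field the crash touches */
    struct sadl_addr *ifa_addr;
};

struct ifnet {                    /* stand-in; the real field is a plain pointer */
    _Atomic(struct ifaddr *) if_dl;
};

/* Crash-site pattern from sysctl_iflist: dereference without a NULL check.
 * Correct only while a sadl is installed; if_dl == NULL is the report. */
static struct sadl_addr *
iflist_sadl_unchecked(struct ifnet *ifp)
{
    struct ifaddr *ifa = atomic_load_explicit(&ifp->if_dl, memory_order_acquire);
    return ifa->ifa_addr;         /* faults when ifa == NULL */
}

/* Hardened reader: one acquire load, NULL tolerated, copy from the snapshot
 * rather than re-reading ifp->if_dl (which could change underneath us). */
static int
iflist_copy_sadl(struct ifnet *ifp, struct sadl_addr *out)
{
    struct ifaddr *ifa = atomic_load_explicit(&ifp->if_dl, memory_order_acquire);
    if (ifa == NULL || ifa->ifa_addr == NULL)
        return ENOENT;            /* skip this interface instead of faulting */
    *out = *ifa->ifa_addr;
    return 0;
}

/* if_set_sadl modelled as a single exchange: readers observe either the
 * old or the new record, never an intermediate NULL.  The old record is
 * returned so the caller can free it once no reader can still hold it. */
static struct ifaddr *
if_set_sadl_model(struct ifnet *ifp, struct ifaddr *newsadl)
{
    return atomic_exchange_explicit(&ifp->if_dl, newsadl, memory_order_acq_rel);
}

/* if_deactivate_sadl modelled: clearing to NULL is still legal at detach
 * time, and with the hardened reader a concurrent sysctl no longer faults. */
static struct ifaddr *
if_deactivate_sadl_model(struct ifnet *ifp)
{
    return atomic_exchange_explicit(&ifp->if_dl, NULL, memory_order_acq_rel);
}

/* Constructed sample records (not real addresses). */
static struct sadl_addr sample_a = { {0x02, 0, 0, 0, 0, 0x01}, 6 };
static struct sadl_addr sample_b = { {0x02, 0, 0, 0, 0, 0x02}, 6 };
static struct ifaddr sample_ifa_a = { &sample_a };
static struct ifaddr sample_ifa_b = { &sample_b };

/* Walk one interface through attach, sadl replacement and deactivation
 * with the hardened reader polling it.  Returns 0 on success, otherwise
 * the number of the step that observed something unexpected. */
static int
run_scenario(void)
{
    struct ifnet ifp;
    struct sadl_addr out;

    atomic_init(&ifp.if_dl, NULL);
    if (iflist_copy_sadl(&ifp, &out) != ENOENT)                        return 1; /* no sadl yet */
    if (if_set_sadl_model(&ifp, &sample_ifa_a) != NULL)                return 2;
    if (iflist_copy_sadl(&ifp, &out) != 0 || out.sdl_data[5] != 0x01)  return 3;
    if (iflist_sadl_unchecked(&ifp) != &sample_a)                      return 4; /* safe only here */
    if (if_set_sadl_model(&ifp, &sample_ifa_b) != &sample_ifa_a)       return 5; /* no NULL window */
    if (iflist_copy_sadl(&ifp, &out) != 0 || out.sdl_data[5] != 0x02)  return 6;
    if (if_deactivate_sadl_model(&ifp) != &sample_ifa_b)               return 7;
    if (iflist_copy_sadl(&ifp, &out) != ENOENT)                        return 8; /* tolerated, no fault */
    return 0;
}

int
main(void)
{
    int rc = run_scenario();
    printf("scenario %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The unchecked reader is kept only to show the shape of the crash site; it is called in the scenario solely while a sadl is installed. Everything the report asks for lives in iflist_copy_sadl (null tolerated) and if_set_sadl_model (old-to-new swap with no intermediate null); whichever of the two the kernel adopts, the deactivate path at detach time stays as it is.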
