[thirdparty/kernel/stable-queue.git] / releases / 4.9.11 / ping-fix-a-null-pointer-dereference.patch

From foo@baz Tue Feb 14 17:03:08 PST 2017
From: WANG Cong <xiyou.wangcong@gmail.com>
Date: Tue, 7 Feb 2017 12:59:46 -0800
Subject: ping: fix a null pointer dereference

From: WANG Cong <xiyou.wangcong@gmail.com>


[ Upstream commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 ]

Andrey reported a kernel crash:

  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff880060048040 task.stack: ffff880069be8000
  RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
  RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
  RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
  RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
  RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
  R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
  R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
  FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
  Call Trace:
   inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
   sock_sendmsg_nosec net/socket.c:635 [inline]
   sock_sendmsg+0xca/0x110 net/socket.c:645
   SYSC_sendto+0x660/0x810 net/socket.c:1687
   SyS_sendto+0x40/0x50 net/socket.c:1655
   entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because we miss a check for NULL pointer for skb_peek() when
the queue is empty. Other places already have the same check.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ping.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -642,6 +642,8 @@ static int ping_v4_push_pending_frames(s
 {
 	struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
 
+	if (!skb)
+		return 0;
 	pfh->wcheck = csum_partial((char *)&pfh->icmph,
 		sizeof(struct icmphdr), pfh->wcheck);
 	pfh->icmph.checksum = csum_fold(pfh->wcheck);
Commit	Line	Data
c1ebd610 GKH	1	From foo@baz Tue Feb 14 17:03:08 PST 2017
	2	From: WANG Cong <xiyou.wangcong@gmail.com>
	3	Date: Tue, 7 Feb 2017 12:59:46 -0800
	4	Subject: ping: fix a null pointer dereference
	5
	6	From: WANG Cong <xiyou.wangcong@gmail.com>
	7
	8
	9	[ Upstream commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 ]
	10
	11	Andrey reported a kernel crash:
	12
	13	general protection fault: 0000 [#1] SMP KASAN
	14	Dumping ftrace buffer:
	15	(ftrace buffer empty)
	16	Modules linked in:
	17	CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
	18	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
	19	task: ffff880060048040 task.stack: ffff880069be8000
	20	RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
	21	RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
	22	RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
	23	RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
	24	RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
	25	RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
	26	R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
	27	R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
	28	FS: 00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
	29	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	30	CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
	31	Call Trace:
	32	inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
	33	sock_sendmsg_nosec net/socket.c:635 [inline]
	34	sock_sendmsg+0xca/0x110 net/socket.c:645
	35	SYSC_sendto+0x660/0x810 net/socket.c:1687
	36	SyS_sendto+0x40/0x50 net/socket.c:1655
	37	entry_SYSCALL_64_fastpath+0x1f/0xc2
	38
	39	This is because we miss a check for NULL pointer for skb_peek() when
	40	the queue is empty. Other places already have the same check.
	41
	42	Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
	43	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	44	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	45	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
	46	Signed-off-by: David S. Miller <davem@davemloft.net>
	47	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	48	---
	49	net/ipv4/ping.c \| 2 ++
	50	1 file changed, 2 insertions(+)
	51
	52	--- a/net/ipv4/ping.c
	53	+++ b/net/ipv4/ping.c
	54	@@ -642,6 +642,8 @@ static int ping_v4_push_pending_frames(s
	55	{
	56	struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
	57
	58	+ if (!skb)
	59	+ return 0;
	60	pfh->wcheck = csum_partial((char *)&pfh->icmph,
	61	sizeof(struct icmphdr), pfh->wcheck);
	62	pfh->icmph.checksum = csum_fold(pfh->wcheck);