c1ebd610 GKH |
1 | From foo@baz Tue Feb 14 17:03:08 PST 2017 |
2 | From: WANG Cong <xiyou.wangcong@gmail.com> | |
3 | Date: Tue, 7 Feb 2017 12:59:46 -0800 | |
4 | Subject: ping: fix a null pointer dereference | |
5 | ||
6 | From: WANG Cong <xiyou.wangcong@gmail.com> | |
7 | ||
8 | ||
9 | [ Upstream commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 ] | |
10 | ||
11 | Andrey reported a kernel crash: | |
12 | ||
13 | general protection fault: 0000 [#1] SMP KASAN | |
14 | Dumping ftrace buffer: | |
15 | (ftrace buffer empty) | |
16 | Modules linked in: | |
17 | CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124 | |
18 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 | |
19 | task: ffff880060048040 task.stack: ffff880069be8000 | |
20 | RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline] | |
21 | RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837 | |
22 | RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206 | |
23 | RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000 | |
24 | RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2 | |
25 | RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000 | |
26 | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0 | |
27 | R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000 | |
28 | FS: 00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000 | |
29 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
30 | CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0 | |
31 | Call Trace: | |
32 | inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 | |
33 | sock_sendmsg_nosec net/socket.c:635 [inline] | |
34 | sock_sendmsg+0xca/0x110 net/socket.c:645 | |
35 | SYSC_sendto+0x660/0x810 net/socket.c:1687 | |
36 | SyS_sendto+0x40/0x50 net/socket.c:1655 | |
37 | entry_SYSCALL_64_fastpath+0x1f/0xc2 | |
38 | ||
39 | This is because the return value of skb_peek() is not checked for NULL | |
40 | when the write queue is empty. Other callers already have the same check. | |
41 | ||
42 | Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") | |
43 | Reported-by: Andrey Konovalov <andreyknvl@google.com> | |
44 | Tested-by: Andrey Konovalov <andreyknvl@google.com> | |
45 | Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> | |
46 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
47 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
48 | --- | |
49 | net/ipv4/ping.c | 2 ++ | |
50 | 1 file changed, 2 insertions(+) | |
51 | ||
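--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -642,6 +642,8 @@ static int ping_v4_push_pending_frames(s
 {
 	struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
 
+	if (!skb)
+		return 0;
 	pfh->wcheck = csum_partial((char *)&pfh->icmph,
 				   sizeof(struct icmphdr), pfh->wcheck);
 	pfh->icmph.checksum = csum_fold(pfh->wcheck);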
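Review bot: The new `if (!skb) return 0;` guard says nothing about why an empty write queue can reach this function or why returning success (0) is the right outcome, and a reader fixing the next crash here will want that; a short comment above the guard such as `/* Nothing was queued (the crash above is the empty-queue case); there is nothing to checksum or push, so report success like ip_push_pending_frames does on an empty cork queue */` would capture it, with the ip_push_pending_frames parallel to be confirmed against that function since it is not in this hunk. Note that returning 0 leaves `pfh->icmph.checksum` unfinished, which is harmless only because no frame is sent in that case. On style, the kernel usually separates a guard clause from the next statement with a blank line, so a blank line after `return 0;` would match the surrounding layout. The body of ping_v4_push_pending_frames, including the eventual push of the queued frames, continues past the end of this hunk and its signature is cut off in the hunk header.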