From 537de0c8ca2b2fd49046e06194425f56e6246148 Mon Sep 17 00:00:00 2001 From: Ido Schimmel Date: Thu, 4 Jul 2019 19:26:38 +0300 Subject: ipv4: Fix NULL pointer dereference in ipv4_neigh_lookup() Both ip_neigh_gw4() and ip_neigh_gw6() can return either a valid pointer or an error pointer, but the code currently checks that the pointer is not NULL. Fix this by checking that the pointer is not an error pointer, as this can result in a NULL pointer dereference [1]. Specifically, I believe that what happened is that ip_neigh_gw4() returned '-EINVAL' (0xffffffffffffffea) to which the offset of 'refcnt' (0x70) was added, which resulted in the address 0x000000000000005a. [1] BUG: KASAN: null-ptr-deref in refcount_inc_not_zero_checked+0x6e/0x180 Read of size 4 at addr 000000000000005a by task swapper/2/0 CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.2.0-rc6-custom-reg-179657-gaa32d89 #396 Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Call Trace: dump_stack+0x73/0xbb __kasan_report+0x188/0x1ea kasan_report+0xe/0x20 refcount_inc_not_zero_checked+0x6e/0x180 ipv4_neigh_lookup+0x365/0x12c0 __neigh_update+0x1467/0x22f0 arp_process.constprop.6+0x82e/0x1f00 __netif_receive_skb_one_core+0xee/0x170 process_backlog+0xe3/0x640 net_rx_action+0x755/0xd90 __do_softirq+0x29b/0xae7 irq_exit+0x177/0x1c0 smp_apic_timer_interrupt+0x164/0x5e0 apic_timer_interrupt+0xf/0x20 Fixes: 5c9f7c1dfc2e ("ipv4: Add helpers for neigh lookup for nexthop") Signed-off-by: Ido Schimmel Reported-by: Shalom Toledo Reviewed-by: Jiri Pirko Reviewed-by: David Ahern Signed-off-by: David S. Miller --- net/ipv4/route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net/ipv4/route.c') diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 8ea0735a6754..b2b35b38724d 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -447,7 +447,7 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst, n = ip_neigh_gw4(dev, pkey); } - if (n && !refcount_inc_not_zero(&n->refcnt)) + if (!IS_ERR(n) && !refcount_inc_not_zero(&n->refcnt)) n = NULL; rcu_read_unlock_bh(); -- cgit v1.2.3-58-ga151