    ip6_gre: fix null-ptr-deref in ip6gre_init_net() · abcf95e0
    Wei Yongjun authored
    [ Upstream commit 46ef5b89 ]
    
    KASAN reports a null-ptr-deref error when register_netdev() fails:
    
    KASAN: null-ptr-deref in range [0x00000000000003c0-0x00000000000003c7]
    CPU: 2 PID: 422 Comm: ip Not tainted 5.8.0-rc4+ #12
    Call Trace:
     ip6gre_init_net+0x4ab/0x580
     ? ip6gre_tunnel_uninit+0x3f0/0x3f0
     ops_init+0xa8/0x3c0
     setup_net+0x2de/0x7e0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     ? ops_init+0x3c0/0x3c0
     ? kasan_unpoison_shadow+0x33/0x40
     ? __kasan_kmalloc.constprop.0+0xc2/0xd0
     copy_net_ns+0x27d/0x530
     create_new_namespaces+0x382/0xa30
     unshare_nsproxy_namespaces+0xa1/0x1d0
     ksys_unshare+0x39c/0x780
     ? walk_process_tree+0x2a0/0x2a0
     ? trace_hardirqs_on+0x4a/0x1b0
     ? _raw_spin_unlock_irq+0x1f/0x30
     ? syscall_trace_enter+0x1a7/0x330
     ? do_syscall_64+0x1c/0xa0
     __x64_sys_unshare+0x2d/0x40
     do_syscall_64+0x56/0xa0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    ip6gre_tunnel_uninit() has set 'ign->fb_tunnel_dev' to NULL; later
    access to ign->fb_tunnel_dev causes a null-ptr-deref. Fix it by saving
    'ign->fb_tunnel_dev' to the local variable ndev.
    
    Fixes: dafabb65 ("ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ip6_gre.c 58.4 KB
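
The failure pattern the commit message describes, as an added user-space model (not the kernel source and not code from this commit): a failing registration runs an uninit hook that clears the shared pointer, so error-path cleanup that re-reads that pointer gets NULL, while cleanup through a saved local does not. All `model_*` names and `init_net_model()` are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the net_device and per-netns ip6gre state. */
struct model_dev { int unused; };
struct model_ign { struct model_dev *fb_tunnel_dev; };

/* Models ip6gre_tunnel_uninit(): clears the shared fallback pointer. */
static void model_uninit(struct model_ign *ign)
{
    ign->fb_tunnel_dev = NULL;
}

/* Models a register_netdev() call that fails after running uninit. */
static int model_register_fail(struct model_ign *ign)
{
    model_uninit(ign);
    return -1;
}

/* Error-path cleanup. Returns -1 where real cleanup would touch NULL,
 * standing in for the null-ptr-deref KASAN reported. */
static int model_free(struct model_dev *dev)
{
    if (!dev)
        return -1;
    free(dev);
    return 0;
}

/* use_local == 0: cleanup re-reads ign.fb_tunnel_dev (pre-fix pattern).
 * use_local == 1: cleanup uses the saved local ndev (the described fix).
 * Returns 0 on clean unwind, -1 if cleanup was handed NULL. */
int init_net_model(int use_local)
{
    struct model_ign ign = { NULL };
    struct model_dev *ndev = calloc(1, sizeof(*ndev));
    int rc;

    if (!ndev)
        return -2;
    ign.fb_tunnel_dev = ndev;
    if (model_register_fail(&ign) == 0)
        return 0;
    if (use_local)
        return model_free(ndev);
    rc = model_free(ign.fb_tunnel_dev); /* pointer was cleared by uninit */
    free(ndev);                         /* keep the model itself leak-free */
    return rc;
}

int main(void)
{
    printf("re-read: %d, local: %d\n", init_net_model(0), init_net_model(1));
    return 0;
}
```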