From patchwork Mon Mar 5 16:51:03 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Eric Dumazet X-Patchwork-Id: 881568 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="qIbiru3q"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zw5Wx5q7jz9sZf for ; Tue, 6 Mar 2018 03:51:09 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751764AbeCEQvH (ORCPT ); Mon, 5 Mar 2018 11:51:07 -0500 Received: from mail-pg0-f66.google.com ([74.125.83.66]:44042 "EHLO mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751486AbeCEQvF (ORCPT ); Mon, 5 Mar 2018 11:51:05 -0500 Received: by mail-pg0-f66.google.com with SMTP id l4so7040443pgp.11 for ; Mon, 05 Mar 2018 08:51:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:subject:from:to:cc:date:mime-version :content-transfer-encoding; bh=dT5gm8M2YabQv/iKYaSqBHC0yy+GkhCFi74N1p66Ulo=; b=qIbiru3qFFAWdm2NzSpwSE5bKSHCxbAptBoW1dpO5cYqn+8tN0NybLjOJcDf8r0vcB ZUcBCuoGo8Eiyzrvx6IceyxUh/0xeOBzAvZ7unTLqZDn+gEbvJmUr3AlEHu8K00Awyyj EJik9VYQ8D4V7q5w/5cX2ViBjp4LSbxXLqpw52LDLuyZziNJbkWxkYjEvN/8pOgPDa1w e7l7S1asmIjblJaH/EpgnZAUw9ZKItEIxxdcL8j0nyTo2YVGTGgS2D3WLwoD3bwIS5Yq qxDpBjXvcV/MdPQUf+v7qcnFnDKS7E5ExVCHvdvZN9NfqIe7nyFcIKSSyRxKc6JN0xOT nSSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:mime-version :content-transfer-encoding; bh=dT5gm8M2YabQv/iKYaSqBHC0yy+GkhCFi74N1p66Ulo=; b=M+Dotgr7hG0uYB0m8OJktxT+T1jTeyVNK9UDLYkbW8Hr+fd0JCaJCqAdFJ+svU12IB 6HKAuPg6p8LWam2MIGVW+XrwQDypzTOyerMzbHtan/qyK3NiwKfqKeplcuukF4mToOon 4t+whv4aA/FKBGGJfk146XVpZpRKONN/W2eDBBlR3BNL1X6aWI1A4iXP+rNDu9sK1KHT gWkpIC9EiAviyM6bL+UQuYcDSO8qq72jVsoe5AG4ejYKzO1yWrUfhmiOlmsVHJMkT/5B k99u7G6QZmG2MrpB8f7mQJ5mLVCKQvZfoU8LCZgX/cC/2UVsnAarTO7ZlYfrW6Tj5NtJ HNxA== X-Gm-Message-State: APf1xPDU8w1rGZW11pXLu5GyZUN9NNb0v0RLkAitNzlcbqHzut4+Mdsk OKOcL0HfNz7YvGF72x6oX60= X-Google-Smtp-Source: AG47ELt54Xr3pDZc9EtBQrFE5j+wpbQQAGpJiPFv3nmEvrw6g9o6+N4obhDPMrPFbHg+keeGeO7N7w== X-Received: by 10.99.116.69 with SMTP id e5mr12979729pgn.437.1520268665497; Mon, 05 Mar 2018 08:51:05 -0800 (PST) Received: from ?IPv6:2a00:79e1:abc:100:641:391c:2715:1239? ([2a00:79e1:abc:100:641:391c:2715:1239]) by smtp.googlemail.com with ESMTPSA id l19sm23228987pgn.31.2018.03.05.08.51.03 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 05 Mar 2018 08:51:04 -0800 (PST) Message-ID: <1520268663.109662.5.camel@gmail.com> Subject: [PATCH net] ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() From: Eric Dumazet To: David Miller Cc: netdev , Alexander Aring , Stefan Schmidt Date: Mon, 05 Mar 2018 08:51:03 -0800 X-Mailer: Evolution 3.22.6-1+deb9u1 Mime-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Eric Dumazet A tun device type can trivially be set to arbitrary value using TUNSETLINK ioctl(). Therefore, lowpan_device_event() must really check that ieee802154_ptr is not NULL. Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null") Signed-off-by: Eric Dumazet Cc: Alexander Aring Cc: Stefan Schmidt Reported-by: syzbot Acked-by: Stefan Schmidt ---  net/ieee802154/6lowpan/core.c |   12 ++++++++----  1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c index 974765b7d92a..e9f0489e4229 100644 --- a/net/ieee802154/6lowpan/core.c +++ b/net/ieee802154/6lowpan/core.c @@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(void) static int lowpan_device_event(struct notifier_block *unused, unsigned long event, void *ptr) { - struct net_device *wdev = netdev_notifier_info_to_dev(ptr); + struct net_device *ndev = netdev_notifier_info_to_dev(ptr); + struct wpan_dev *wpan_dev; - if (wdev->type != ARPHRD_IEEE802154) + if (ndev->type != ARPHRD_IEEE802154) + return NOTIFY_DONE; + wpan_dev = ndev->ieee802154_ptr; + if (!wpan_dev) return NOTIFY_DONE; switch (event) { @@ -217,8 +221,8 @@ static int lowpan_device_event(struct notifier_block *unused, * also delete possible lowpan interfaces which belongs * to the wpan interface. */ - if (wdev->ieee802154_ptr->lowpan_dev) - lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL); + if (wpan_dev->lowpan_dev) + lowpan_dellink(wpan_dev->lowpan_dev, NULL); break; default: return NOTIFY_DONE;