Bug 8155

Summary: NULL pointer dereference in do_ipv6_setsockopt
Product: Networking
Reporter: Gabriel Campana (campana.gabriel)
Component: IPV6
Assignee: Olaf Kirch (okir)
Status: CLOSED CODE_FIX
Severity: normal
CC: okir
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.17.11
Subsystem:
Regression: ---
Bisected commit-id:

Description Gabriel Campana 2007-03-08 16:02:08 UTC
Distribution: Ubuntu Edgy Eft
Hardware Environment: i686/Pentium M
Software Environment: Kernel 2.6.17-11-386
Problem Description:

There is a NULL pointer dereference in the function do_ipv6_setsockopt in
net/ipv6/ipv6_sockglue.c.
At line 417, opt can be NULL and is dereferenced:
		opt = ipv6_renew_options(sk, np->opt, optname,    // opt = NULL
					 (struct ipv6_opt_hdr __user *)optval,
					 optlen);
		if (IS_ERR(opt)) {
			retv = PTR_ERR(opt);
			break;
		}

		/* routing header option needs extra check */
		if (optname == IPV6_RTHDR && opt->srcrt) {        // Oops


These few lines reproduce the bug:

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char **argv) {
  int s, optval;

  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  /* optlen 0: the kernel ends up with opt == NULL in do_ipv6_setsockopt
     and dereferences it at the IPV6_RTHDR check */
  setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);

  return 0;
}


Kernel Oops here:

Mar  8 23:57:17 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 00000010
Mar  8 23:57:17 localhost kernel:  printing eip:
Mar  8 23:57:17 localhost kernel: f8ebb270
Mar  8 23:57:17 localhost kernel: *pde = 00000000
Mar  8 23:57:17 localhost kernel: Oops: 0000 [#1]
Mar  8 23:57:17 localhost kernel: Modules linked in: binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod ipv6 parport_pc lp parport 8139cp joydev tsdev usbhid pcmcia tifm_7xx1 tifm_core sdhci mmc_core 8139too mii snd_intel8x0 snd_ac97_codec snd_ac97_bus ipw2200 snd_pcm_oss snd_mixer_oss yenta_socket rsrc_nonstatic pcmcia_core snd_pcm ieee80211 ieee80211_crypt psmouse serio_raw evdev snd_timer shpchp pci_hotplug intel_agp agpgart snd soundcore snd_page_alloc rtc ext3 jbd ohci1394 ieee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
Mar  8 23:57:17 localhost kernel: CPU:    0
Mar  8 23:57:17 localhost kernel: EIP:    0060:[<f8ebb270>]    Tainted: P      VLI
Mar  8 23:57:17 localhost kernel: EFLAGS: 00010246   (2.6.17-11-386 #2)
Mar  8 23:57:17 localhost kernel: EIP is at ipv6_setsockopt+0xa90/0xc40 [ipv6]
Mar  8 23:57:17 localhost kernel: eax: 00000000   ebx: f0cfca40   ecx: 00000039   edx: 00000000
Mar  8 23:57:17 localhost kernel: esi: 00000000   edi: 00000000   ebp: 00000039   esp: f25a9da8
Mar  8 23:57:17 localhost kernel: ds: 007b   es: 007b   ss: 0068
Mar  8 23:57:17 localhost kernel: Process null_deref (pid: 5076, threadinfo=f25a8000 task=f24a7580)
Mar  8 23:57:17 localhost kernel: Stack: 00000000 00000000 c199ce00 f8c9a4ff 00000001 00000000 f0cfce58 ee42e9c0
Mar  8 23:57:17 localhost kernel:        c18e1e7c c0179c74 3b9aca00 c199ce00 c18e1de0 ee42e9c0 c18e1e7c 00000000
Mar  8 23:57:17 localhost kernel:        c199ce00 00000000 ee42e9c0 c18e1e7c 00000000 c013c78b 00001000 c0359330
Mar  8 23:57:17 localhost kernel: Call Trace:
Mar  8 23:57:17 localhost kernel:  <c0179c74> __mark_inode_dirty+0x34/0x170  <c013c78b> do_generic_mapping_read+0x42b/0x540
Mar  8 23:57:17 localhost kernel:  <c0154f74> cache_alloc_refill+0x314/0x4d0  <c01cc98c> vsnprintf+0x55c/0x640
Mar  8 23:57:17 localhost kernel:  <c016f0b7> d_alloc+0x27/0x190  <c016f059> d_instantiate+0x49/0x80
Mar  8 23:57:17 localhost kernel:  <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6]  <c0289966> tcp_setsockopt+0x36/0x370
Mar  8 23:57:17 localhost kernel:  <c0259e83> sock_common_setsockopt+0x23/0x30  <c02587d5> sys_setsockopt+0x75/0xd0
Mar  8 23:57:17 localhost kernel:  <c0259a19> sys_socketcall+0x209/0x280  <c02c7a00> do_page_fault+0x0/0x6e0
Mar  8 23:57:17 localhost kernel:  <c0102dbb> sysenter_past_esp+0x54/0x79
Mar  8 23:57:17 localhost kernel: Code: 00 00 d0 54 2a c0 ff 0d 80 88 ee f8 83 3d 80 87 ee f8 02 0f 85 34 fc ff ff a1 08 89 ee f8 31 ff e8 56 ab 25 c7 e9 d5 f6 ff ff 90 <8b> 50 10 85 d2 0f 84 3e f9 ff ff 80 7a 02 00 90 75 13 0f b6 42
Mar  8 23:57:17 localhost kernel: EIP: [<f8ebb270>] ipv6_setsockopt+0xa90/0xc40 [ipv6] SS:ESP 0068:f25a9da8

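
The root cause is that IS_ERR() only recognises pointers that encode a negative errno, so a NULL returned by ipv6_renew_options() passes the check and reaches opt->srcrt. The userland model below is an added example written for this page, not kernel code: MAX_ERRNO, ERR_PTR()/IS_ERR()/PTR_ERR() follow the kernel's convention, while the two structs and the *_model functions are constructed stand-ins; it shows why IS_ERR() misses NULL and the NULL-safe form of the check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Model of the kernel's ERR_PTR()/IS_ERR() convention (written here, not
 * copied from kernel headers): a pointer value in the top MAX_ERRNO bytes
 * of the address space encodes a negative errno. NULL is outside that
 * range, so IS_ERR(NULL) is false. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((x) >= (uintptr_t)-MAX_ERRNO)

static inline void *ERR_PTR(long error) { return (void *)(uintptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline int IS_ERR(const void *ptr) { return IS_ERR_VALUE((uintptr_t)ptr); }

/* Minimal stand-ins for the kernel structures: only the field the bug touches. */
struct ipv6_rt_hdr { unsigned char type; };
struct ipv6_txoptions { struct ipv6_rt_hdr *srcrt; };

/* Stand-in for ipv6_renew_options(): it may hand back an ERR_PTR() on failure,
 * a valid options block, or NULL when no option remains after the update
 * (the case the reporter hits with optlen == 0). `fail` is a knob that
 * simulates the allocation-failure path. */
static struct ipv6_txoptions *renew_options_model(int optlen, struct ipv6_txoptions *cur, int fail)
{
	if (fail)
		return ERR_PTR(-ENOMEM);
	if (optlen == 0)
		return NULL;
	return cur;
}

/* NULL-safe form of the check at the crash site: a NULL result means
 * "no routing header", not a pointer that may be dereferenced. */
static int has_srcrt(const struct ipv6_txoptions *opt)
{
	return opt != NULL && opt->srcrt != NULL;
}

/* Returns a negative errno on failure, 0 if no source route is set, 1 if set. */
int apply_rthdr_model(int optlen, struct ipv6_txoptions *cur, int fail)
{
	struct ipv6_txoptions *opt = renew_options_model(optlen, cur, fail);

	if (IS_ERR(opt))              /* catches ERR_PTR(-ENOMEM), not NULL */
		return (int)PTR_ERR(opt);
	return has_srcrt(opt);        /* the crash site did `opt->srcrt` here */
}
```
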
Comment 1 Olaf Kirch 2007-03-12 00:44:59 UTC
A patch for this was accepted by davem, and is scheduled to go into the
next -stable kernel as well.