• Ido Schimmel's avatar
    ipv4: Fix NULL pointer dereference in ipv4_neigh_lookup() · 537de0c8
    Ido Schimmel authored
    Both ip_neigh_gw4() and ip_neigh_gw6() can return either a valid pointer
    or an error pointer, but the code currently checks that the pointer is
    not NULL.
    
    Fix this by checking that the pointer is not an error pointer, as this
    can result in a NULL pointer dereference [1]. Specifically, I believe
    that what happened is that ip_neigh_gw4() returned '-EINVAL'
    (0xffffffffffffffea) to which the offset of 'refcnt' (0x70) was added,
    which resulted in the address 0x000000000000005a.
    
    [1]
     BUG: KASAN: null-ptr-deref in refcount_inc_not_zero_checked+0x6e/0x180
     Read of size 4 at addr 000000000000005a by task swapper/2/0
    
     CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.2.0-rc6-custom-reg-179657-gaa32d89 #396
     Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
     Call Trace:
     <IRQ>
     dump_stack+0x73/0xbb
     __kasan_report+0x188/0x1ea
     kasan_report+0xe/0x20
     refcount_inc_not_zero_checked+0x6e/0x180
     ipv4_neigh_lookup+0x365/0x12c0
     __neigh_u...
    537de0c8
route.c 83.2 KB