
Commit e73a4324 authored by Kaustubh Pandey

net: core: null pointer dereference in sockev_client_cb



sockev_client_cb creates a netlink message and populates
the nlmsg_data using the socket->sock information.
If socket is closed, while the nlmsg_data is being
populated, a null pointer dereference occurs.

BUG: KASAN: null-ptr-deref in sockev_client_cb+0x1e4/0x310
Read of size 2 at addr 0000000000000010 by task syz-executor/9398
CPU: 6 PID: 9398 Comm: syz-executor Tainted: G W O 4.9.92+ #1

Call trace:
[<ffffff94e2bebec4>] sockev_client_cb+0x1e4/0x310
[<ffffff94e14fb20c>] notifier_call_chain+0x94/0xe0
[<ffffff94e14fb894>] __blocking_notifier_call_chain+0x6c/0xb8
[<ffffff94e14fb920>] blocking_notifier_call_chain+0x40/0x50
[<ffffff94e2b727f8>] sockev_notify net/socket.c:180 [inline]
[<ffffff94e2b727f8>] SYSC_listen net/socket.c:1446 [inline]
[<ffffff94e2b727f8>] SyS_listen+0x1e0/0x1f8
[<ffffff94e1483f70>] el0_svc_naked+0x24/0x28

CR's Fixed: 2251042
Change-Id: Iad9eb58cd05fcdc0b5cc1ed24de56b69abb532b4
Signed-off-by: Sharath Chandra Vurukala <sharathv@codeaurora.org>
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
Acked-by: Chinmay Agarwal <chinagar@qti.qualcomm.com>
parent 3901f5f2
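
The race described in the commit message, as an added userspace C sketch of the defensive pattern (this is not the commit's diff, which is not shown on this page). The struct layouts, `struct sock_event`, `fill_sock_event` and `null_family_fault_addr` are constructed for illustration; reading the KASAN line "Read of size 2 at addr 0000000000000010" as a 2-byte family field fetched through a NULL `sk` is an inference from the report, not something the page states.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed userspace stand-ins, not kernel headers. The leading fields
 * mirror the start of the kernel's struct sock_common so that the 2-byte
 * family field lands at offset 0x10, the address in the KASAN report. */
struct sock {
    uint32_t daddr, rcv_saddr;   /* 0x00 */
    uint32_t hash;               /* 0x08 */
    uint16_t dport, num;         /* 0x0c */
    uint16_t sk_family;          /* 0x10 */
};
struct socket { struct sock *sk; };  /* sk is cleared when the socket is released */

/* Hypothetical event payload; the real message layout is not on the page. */
struct sock_event { int event; uint16_t family; };

enum { NOTIFY_DONE = 0, NOTIFY_OK = 1 };

/* Address a NULL sk would fault on when the family field is read. */
size_t null_family_fault_addr(void)
{
    return offsetof(struct sock, sk_family);
}

/* Defensive form: load sock->sk once, test the snapshot, and use only the
 * snapshot, so a concurrent close cannot turn a checked pointer into NULL
 * between the test and the read. */
int fill_sock_event(struct socket *sock, int event, struct sock_event *out)
{
    struct sock *sk;

    if (!sock || !out)
        return NOTIFY_DONE;
    sk = *(struct sock *volatile *)&sock->sk;  /* userspace analogue of READ_ONCE() */
    if (!sk)
        return NOTIFY_DONE;                    /* socket already closed: skip the event */
    out->event = event;
    out->family = sk->sk_family;
    return NOTIFY_OK;
}
```

A single load plus NULL check only removes the NULL dereference; keeping the object alive while its fields are read is a separate lifetime question that this sketch does not model.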