CVE-2024-46763

Source
https://cve.org/CVERecord?id=CVE-2024-46763
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46763.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-46763
Downstream
Related
Published
2024-09-18T07:12:22.666Z
Modified
2026-05-15T11:53:39.362274072Z
Summary
fou: Fix null-ptr-deref in GRO.
Details

In the Linux kernel, the following vulnerability has been resolved:

fou: Fix null-ptr-deref in GRO.

We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0]

The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou.

When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period.

So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL.

Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers.

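A userspace model of the ordering described in the commit message and of the NULL check the fix adds, written here as an added illustration; it is not kernel code and not the patch itself. The struct layouts, the fou_release_model / _vuln / _fixed names and the GRO_BYPASS return value are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>

struct socket;                    /* opaque; only its pointer size matters */
struct fou {                      /* assumed shape, not the kernel's definition */
    struct socket *sock;          /* 8 bytes on 64-bit targets */
    uint8_t protocol;             /* offset 8: the faulting offset in the oops */
};
struct sock { void *sk_user_data; };  /* points at the struct fou while the tunnel lives */
#define GRO_BYPASS (-1)           /* handler declined; packet takes the normal path */

/* Stand-in for udp_tunnel_sock_release(): detaches the tunnel state. The socket
 * stays findable for one RCU grace period, which is the window of the bug. */
void fou_release_model(struct sock *sk) { sk->sk_user_data = NULL; }

/* Pre-fix shape of fou_gro_receive(): trusts sk_user_data unconditionally.
 * On a released socket this reads *(uint8_t *)(NULL + 8) and faults. */
int fou_gro_receive_vuln(struct sock *sk)
{
    struct fou *fou = sk->sk_user_data;
    return fou->protocol;
}

/* Post-fix shape: fetch the pointer once (rcu_dereference_sk_user_data() in the
 * kernel) and bail out when the tunnel is already gone. */
int fou_gro_receive_fixed(struct sock *sk)
{
    struct fou *fou = sk->sk_user_data;
    if (!fou)
        return GRO_BYPASS;
    return fou->protocol;
}

/* Live tunnel: both shapes agree on the inner protocol (4 = IPIP, constructed). */
int gro_on_live_socket(void)
{
    struct fou fou = { .sock = NULL, .protocol = 4 };
    struct sock sk = { .sk_user_data = &fou };
    return fou_gro_receive_fixed(&sk) == fou_gro_receive_vuln(&sk) ? 4 : -2;
}

/* Race ordering from the report: teardown first, then the in-flight GRO pass. */
int gro_after_release(void)
{
    struct fou fou = { .sock = NULL, .protocol = 4 };
    struct sock sk = { .sk_user_data = &fou };
    fou_release_model(&sk);
    return fou_gro_receive_fixed(&sk);   /* the _vuln variant would fault here */
}
```

The model collapses the RCU grace period to "the socket is still reachable after release"; the hardened handler simply declines GRO for that packet instead of touching the detached state.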

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46763.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM)

Introduced 4.7.0, Fixed 5.10.226
Introduced 5.11.0, Fixed 5.15.167
Introduced 5.16.0, Fixed 6.1.110
Introduced 6.2.0, Fixed 6.6.51
Introduced 6.7.0, Fixed 6.10.10

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46763.json"