Paths

Table of Contentst

-
head/sys/netinet/
-
sys/
-
netinet/
5/10
tcp_reass.c

Differential D19254

Avoid dereferencing a NULL pointer when TCP_REASS_LOGGING is enabled
ClosedPublic
Actions

Authored by tuexen on Feb 19 2019, 10:14 PM.

Details

Reviewers

bz
rrs

Group Reviewers

transport

Commits

rS344516: MFC r344428:
rS344428: This patch addresses an issue brought up by bz@ in D18968:

Summary

This patch addresses an issue brought up by bz@ in D18968: When TCP_REASS_LOGGING is defined (which doesn't compile right now), a NULL pointer dereference would happen, if user data was received during the TCP handshake and BB logging is used.

A KASSERT is also added to detect tcp_reass() calls with illegal parameter combinations.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

tuexen created this revision.Feb 19 2019, 10:14 PM

Herald added a reviewer: transport. · View Herald TranscriptFeb 19 2019, 10:14 PM

Herald added a subscriber: imp. · View Herald Transcript

Harbormaster completed remote builds in B22585: Diff 54094.Feb 19 2019, 10:14 PM

tuexen retitled this revision from Avoid dereferencing a NULL point when TCP_REASS_LOGGING is enabled to Avoid dereferencing a NULL pointer when TCP_REASS_LOGGING is enabled.Feb 20 2019, 6:05 PM

bz added inline comments.Feb 20 2019, 6:30 PM

sys/netinet/tcp_reass.c
547 ↗	(On Diff #54094)	Please add %p and others to the printf so people will be able to have pointers to the tp, th, ..., m for debugging in case this fires. Will also help them to find out which illegal combination it was.

Address bz@'s comment.

Harbormaster completed remote builds in B22625: Diff 54147.Feb 20 2019, 7:23 PM

tuexen marked an inline comment as done.Feb 20 2019, 7:26 PM

tuexen added inline comments.

sys/netinet/tcp_reass.c
547 ↗	(On Diff #54094)	Good suggestion.Diff updated.

rrs accepted this revision.Feb 20 2019, 8:31 PM

This revision is now accepted and ready to land.Feb 20 2019, 8:31 PM

tuexen marked an inline comment as done.Feb 21 2019, 1:03 AM

Closed by commit rS344428: This patch addresses an issue brought up by bz@ in D18968: (authored by tuexen). · Explain WhyFeb 21 2019, 9:34 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

sys/

netinet/

tcp_reass.c

22 lines

Diff 54176

View Options

head/sys/netinet/tcp_reass.c

Show First 20 Lines • Show All 293 Lines • ▼ Show 20 Lines	#ifdef KDB
if (debugger_on_trap) {		if (debugger_on_trap) {
kdb_why = KDB_WHY_TRAP;		kdb_why = KDB_WHY_TRAP;
handled = kdb_trap(frame->tf_scause & SCAUSE_CODE, 0, frame);		handled = kdb_trap(frame->tf_scause & SCAUSE_CODE, 0, frame);
kdb_why = KDB_WHY_UNSET;		kdb_why = KDB_WHY_UNSET;
if (handled)		if (handled)
return;		return;
}		}
#endif		#endif
panic("Fatal page fault at %#lx: %#016lx", frame->tf_sepc, stval);		panic("Fatal page fault at %#lx: %#lx", frame->tf_sepc, stval);
}		}

void		void
do_trap_supervisor(struct trapframe *frame)		do_trap_supervisor(struct trapframe *frame)
{		{
uint64_t exception;		uint64_t exception;

/* Ensure we came from supervisor mode, interrupts disabled */		/* Ensure we came from supervisor mode, interrupts disabled */
Show All 10 Lines	if ((frame->tf_scause & SCAUSE_INTR) != 0) {
return;		return;
}		}

#ifdef KDTRACE_HOOKS		#ifdef KDTRACE_HOOKS
if (dtrace_trap_func != NULL && (*dtrace_trap_func)(frame, exception))		if (dtrace_trap_func != NULL && (*dtrace_trap_func)(frame, exception))
return;		return;
#endif		#endif

CTR4(KTR_TRAP, "%s: exception=%lu, sepc=%lx, stval=%lx", __func__,		CTR4(KTR_TRAP, "%s: exception=%lu, sepc=%#lx, stval=%#lx", __func__,
exception, frame->tf_sepc, frame->tf_stval);		exception, frame->tf_sepc, frame->tf_stval);

switch (exception) {		switch (exception) {
case SCAUSE_LOAD_ACCESS_FAULT:		case SCAUSE_LOAD_ACCESS_FAULT:
case SCAUSE_STORE_ACCESS_FAULT:		case SCAUSE_STORE_ACCESS_FAULT:
case SCAUSE_INST_ACCESS_FAULT:		case SCAUSE_INST_ACCESS_FAULT:
dump_regs(frame);		dump_regs(frame);
panic("Memory access exception at 0x%016lx\n", frame->tf_sepc);		panic("Memory access exception at %#lx: %#lx",
		frame->tf_sepc, frame->tf_stval);
		jrtc27Unsubmitted Not Done Inline Actions The 0x is included in the width, so these need to be %#018lx (yes, this is somewhat stupid for zero padding, but makes some sense for space padding) jrtc27: The 0x is included in the width, so these need to be %#018lx (yes, this is somewhat stupid for…
		jhbAuthorUnsubmitted Done Inline Actions Hmm, I wonder if it makes sense to use # at al here then. Normally the goal with that is to get a simple "0" for zero values, but this still ends up zero padded: > printf "%#04x" 0 0000 So probably these should instead all be `0x%016lx` instead. jhb: Hmm, I wonder if it makes sense to use # at al here then. Normally the goal with that is to…
		jhbAuthorUnsubmitted Done Inline Actions Or maybe just `%#lx` jhb: Or maybe just `%#lx`
break;		break;
case SCAUSE_LOAD_MISALIGNED:		case SCAUSE_LOAD_MISALIGNED:
case SCAUSE_STORE_MISALIGNED:		case SCAUSE_STORE_MISALIGNED:
case SCAUSE_INST_MISALIGNED:		case SCAUSE_INST_MISALIGNED:
dump_regs(frame);		dump_regs(frame);
panic("Misaligned address exception at %#016lx: %#016lx\n",		panic("Misaligned address exception at %#lx: %#lx",
frame->tf_sepc, frame->tf_stval);		frame->tf_sepc, frame->tf_stval);
break;		break;
case SCAUSE_STORE_PAGE_FAULT:		case SCAUSE_STORE_PAGE_FAULT:
case SCAUSE_LOAD_PAGE_FAULT:		case SCAUSE_LOAD_PAGE_FAULT:
case SCAUSE_INST_PAGE_FAULT:		case SCAUSE_INST_PAGE_FAULT:
page_fault_handler(frame, 0);		page_fault_handler(frame, 0);
break;		break;
case SCAUSE_BREAKPOINT:		case SCAUSE_BREAKPOINT:
#ifdef KDTRACE_HOOKS		#ifdef KDTRACE_HOOKS
if (dtrace_invop_jump_addr != NULL &&		if (dtrace_invop_jump_addr != NULL &&
dtrace_invop_jump_addr(frame) == 0)		dtrace_invop_jump_addr(frame) == 0)
break;		break;
#endif		#endif
#ifdef KDB		#ifdef KDB
kdb_trap(exception, 0, frame);		kdb_trap(exception, 0, frame);
#else		#else
dump_regs(frame);		dump_regs(frame);
panic("No debugger in kernel.\n");		panic("No debugger in kernel.");
#endif		#endif
break;		break;
case SCAUSE_ILLEGAL_INSTRUCTION:		case SCAUSE_ILLEGAL_INSTRUCTION:
dump_regs(frame);		dump_regs(frame);
panic("Illegal instruction at 0x%016lx\n", frame->tf_sepc);		panic("Illegal instruction %#lx at %#lx", frame->tf_stval,
		frame->tf_sepc);
		jrtc27Unsubmitted Not Done Inline Actions Can we make this %04lx if the low 2 bits are 11 and %02lx otherwise? (I imagine %0lx with `(stval & 3) == 3 ? 4 : 2` is the "nice" way to implement it) jrtc27:* Can we make this %04lx if the low 2 bits are 11 and %02lx otherwise? (I imagine %*0lx with `…
		jhbAuthorUnsubmitted Done Inline Actions I could do this, but it will be pretty close with %#lx. The spec says implementations can either set this to 0, or they will only set it to the first N valid bytes (one of the constraints is ILEN which I believe means that for a 16-bit instruction the value would only have the 16 bits and the upper bits would all be zero, similarly for 32-bit instructions which by definition would have 0xc0 set in the most significant byte). With %#lx it is only 16-bit instructions for which the first byte is zero that would be printed as a 0xXX instead of 0x00XX. I'm not sure it's worth adding a special case just for those? jhb: I could do this, but it will be pretty close with %#lx. The spec says implementations can…
		jrtc27Unsubmitted Not Done Inline Actions You seem confused about bytes vs halfwords, and the order of the bits? The length indicator is in the low 2 bits (high bits are often immediates for 32-bit instructions). jrtc27: You seem confused about bytes vs halfwords, and the order of the bits? The length indicator is…
		jhbAuthorUnsubmitted Done Inline Actions Oh, hmm, yes, they are in the low bits. jhb: Oh, hmm, yes, they are in the low bits.
break;		break;
default:		default:
		jrtc27Unsubmitted Not Done Inline Actions Dunno what aa is meant to be, but do we really need the variable here? This is just `frame->tf_stval & 3) == 3 ? 8 : 4`, it's simpler to just inline it when you're not handling all the crazy unratified lengths. jrtc27: Dunno what aa is meant to be, but do we really need the variable here? This is just `frame…
		markjUnsubmitted Not Done Inline Actions "aa" is some notation from the ISA spec ("Expanded Instruction-Length Encoding") but it looks a bit confusing here. markj: "aa" is some notation from the ISA spec ("Expanded Instruction-Length Encoding") but it looks a…
		jhbAuthorUnsubmitted Done Inline Actions I was kind of assuming at some point we might have to add the 48-bit stuff back in (and in that context the various annotated bit fields made a bit more sense) so keeping the structure makes that future diff simpler. I can reduce it down to a ternary though. jhb: I was kind of assuming at some point we might have to add the 48-bit stuff back in (and in that…
dump_regs(frame);		dump_regs(frame);
panic("Unknown kernel exception %lx trap value %lx\n",		panic("Unknown kernel exception %#lx trap value %#lx",
exception, frame->tf_stval);		exception, frame->tf_stval);
}		}
}		}

void		void
do_trap_user(struct trapframe *frame)		do_trap_user(struct trapframe *frame)
{		{
uint64_t exception;		uint64_t exception;
Show All 16 Lines	do_trap_user(struct trapframe *frame)
exception = frame->tf_scause & SCAUSE_CODE;		exception = frame->tf_scause & SCAUSE_CODE;
if ((frame->tf_scause & SCAUSE_INTR) != 0) {		if ((frame->tf_scause & SCAUSE_INTR) != 0) {
/* Interrupt */		/* Interrupt */
riscv_cpu_intr(frame);		riscv_cpu_intr(frame);
return;		return;
}		}
intr_enable();		intr_enable();

CTR4(KTR_TRAP, "%s: exception=%lu, sepc=%lx, stval=%lx", __func__,		CTR4(KTR_TRAP, "%s: exception=%lu, sepc=%#lx, stval=%#lx", __func__,
exception, frame->tf_sepc, frame->tf_stval);		exception, frame->tf_sepc, frame->tf_stval);

switch (exception) {		switch (exception) {
case SCAUSE_LOAD_ACCESS_FAULT:		case SCAUSE_LOAD_ACCESS_FAULT:
case SCAUSE_STORE_ACCESS_FAULT:		case SCAUSE_STORE_ACCESS_FAULT:
case SCAUSE_INST_ACCESS_FAULT:		case SCAUSE_INST_ACCESS_FAULT:
call_trapsignal(td, SIGBUS, BUS_ADRERR, (void *)frame->tf_sepc,		call_trapsignal(td, SIGBUS, BUS_ADRERR, (void *)frame->tf_sepc,
exception);		exception);
Show All 33 Lines	case SCAUSE_ILLEGAL_INSTRUCTION:
break;		break;
case SCAUSE_BREAKPOINT:		case SCAUSE_BREAKPOINT:
call_trapsignal(td, SIGTRAP, TRAP_BRKPT, (void *)frame->tf_sepc,		call_trapsignal(td, SIGTRAP, TRAP_BRKPT, (void *)frame->tf_sepc,
exception);		exception);
userret(td, frame);		userret(td, frame);
break;		break;
default:		default:
dump_regs(frame);		dump_regs(frame);
panic("Unknown userland exception %lx, trap value %lx\n",		panic("Unknown userland exception %#lx, trap value %#lx",
exception, frame->tf_stval);		exception, frame->tf_stval);
}		}
}		}

Avoid dereferencing a NULL pointer when TCP_REASS_LOGGING is enabledClosedPublicActions