netdev - Re: net: memory leak in socket

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 9 Jan 2018 19:58:08 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Al Viro <viro@...iv.linux.org.uk>
Cc:     David Miller <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Willem de Bruijn <willemb@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net: memory leak in socket

On Tue, Jan 9, 2018 at 7:53 PM, Al Viro <viro@...iv.linux.org.uk> wrote:
> On Tue, Jan 09, 2018 at 07:39:50PM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> syzkaller has hit the following memory leak on 4.15-rc7:
>>
>> unreferenced object 0xffff88002713fb20 (size 16):
>>   comm "syz-executor3", pid 6576, jiffies 4295029354 (age 10.166s)
>>   hex dump (first 16 bytes):
>>     69 6e 73 6d 6f 64 5f 74 00 00 d9 1c 00 88 ff ff  insmod_t........
>>   backtrace:
>>     [<00000000da8d6b27>] kmemleak_alloc_recursive
>> include/linux/kmemleak.h:55 [inline]
>>     [<00000000da8d6b27>] slab_post_alloc_hook mm/slab.h:440 [inline]
>>     [<00000000da8d6b27>] slab_alloc_node mm/slub.c:2725 [inline]
>>     [<00000000da8d6b27>] slab_alloc mm/slub.c:2733 [inline]
>>     [<00000000da8d6b27>] __kmalloc_track_caller+0x183/0x310 mm/slub.c:4290
>>     [<000000001aa62b7a>] kstrdup+0x39/0x70 mm/util.c:56
>>     [<00000000fa6a957e>] security_netlbl_sid_to_secattr+0xbc/0x1a0
>> security/selinux/ss/services.c:3522
>>     [<0000000054674134>] selinux_netlbl_sock_genattr+0xef/0x410
>> security/selinux/netlabel.c:94
>>     [<000000002338a05c>] selinux_netlbl_socket_post_create+0x79/0x160
>> security/selinux/netlabel.c:341
>>     [<0000000059825908>] selinux_socket_post_create+0x37f/0xa60
>> security/selinux/hooks.c:4399
>>     [<00000000fff6c966>] security_socket_post_create+0x8b/0xd0
>> security/security.c:1344
>>     [<000000005786c830>] __sock_create+0x758/0x920 net/socket.c:1281
>>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>>     [<00000000921bbbd9>] 0xffffffffffffffff
>>
>> unreferenced object 0xffff88007c3bba80 (size 992):
>>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>>   hex dump (first 32 bytes):
>>     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>>     40 2e 5a 2c 00 88 ff ff 00 00 00 00 00 00 00 00  @.Z,............
>>   backtrace:
>>     [<00000000ff3d837a>] kmemleak_alloc_recursive
>> include/linux/kmemleak.h:55 [inline]
>>     [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
>>     [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
>>     [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
>>     [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
>>     [<00000000d243ce94>] sock_alloc_inode+0x70/0x300 net/socket.c:250
>>     [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
>>     [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
>>     [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
>>     [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
>>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>>     [<00000000921bbbd9>] 0xffffffffffffffff
>>
>> unreferenced object 0xffff88002c5a2e40 (size 128):
>>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>>   hex dump (first 32 bytes):
>>     00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
>>     ff ff ff ff ff ff ff ff c0 da db 88 ff ff ff ff  ................
>>   backtrace:
>>     [<00000000696a590c>] kmemleak_alloc_recursive
>> include/linux/kmemleak.h:55 [inline]
>>     [<00000000696a590c>] slab_post_alloc_hook mm/slab.h:440 [inline]
>>     [<00000000696a590c>] slab_alloc_node mm/slub.c:2725 [inline]
>>     [<00000000696a590c>] slab_alloc mm/slub.c:2733 [inline]
>>     [<00000000696a590c>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
>>     [<00000000551c8f10>] kmalloc include/linux/slab.h:499 [inline]
>>     [<00000000551c8f10>] sock_alloc_inode+0xb4/0x300 net/socket.c:253
>>     [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
>>     [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
>>     [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
>>     [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
>>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>>     [<00000000921bbbd9>] 0xffffffffffffffff
>>
>> unreferenced object 0xffff88007310f680 (size 96):
>>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>>   hex dump (first 32 bytes):
>>     b0 ba 3b 7c 00 88 ff ff 88 f6 10 73 00 88 ff ff  ..;|.......s....
>>     88 f6 10 73 00 88 ff ff dd 00 00 00 dd 00 00 00  ...s............
>>   backtrace:
>>     [<00000000ff3d837a>] kmemleak_alloc_recursive
>> include/linux/kmemleak.h:55 [inline]
>>     [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
>>     [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
>>     [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
>>     [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
>>     [<00000000094ffa79>] kmem_cache_zalloc include/linux/slab.h:678 [inline]
>>     [<00000000094ffa79>] inode_alloc_security
>> security/selinux/hooks.c:234 [inline]
>>     [<00000000094ffa79>] selinux_inode_alloc_security+0xf9/0x390
>> security/selinux/hooks.c:2885
>>     [<0000000082b97b6d>] security_inode_alloc+0x92/0xe0 security/security.c:437
>>     [<000000009683bb60>] inode_init_always+0x64f/0xca0 fs/inode.c:167
>>     [<00000000a71f5b21>] alloc_inode+0x82/0x190 fs/inode.c:215
>>     [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
>>     [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
>>     [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
>>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>>     [<00000000921bbbd9>] 0xffffffffffffffff
>>
>> unreferenced object 0xffff88007127bf00 (size 2528):
>>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>>   hex dump (first 32 bytes):
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>     02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
>>   backtrace:
>>     [<00000000ff3d837a>] kmemleak_alloc_recursive
>> include/linux/kmemleak.h:55 [inline]
>>     [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
>>     [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
>>     [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
>>     [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
>>     [<0000000021d2cae7>] sk_prot_alloc+0x69/0x2f0 net/core/sock.c:1463
>>     [<0000000088be91b8>] sk_alloc+0x109/0x1740 net/core/sock.c:1523
>>     [<00000000bbd7f0e5>] inet_create+0x4f8/0x10a0 net/ipv4/af_inet.c:319
>>     [<00000000c0aa842f>] __sock_create+0x521/0x920 net/socket.c:1265
>>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>>     [<00000000921bbbd9>] 0xffffffffffffffff
>>
>>
>>
>> Reproducer:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <sys/time.h>
>> #include <sys/resource.h>
>> #include <sys/types.h>
>> #include <sys/socket.h>
>> #include <sys/socket.h>
>> #include <netinet/in.h>
>> #include <arpa/inet.h>
>>
>> int main()
>> {
>>   struct rlimit rlim;
>>   rlim.rlim_cur = 0;
>>   rlim.rlim_max = 0;
>>   setrlimit(RLIMIT_NOFILE, &rlim);
>>   socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
>>   return 0;
>> }
>
> Argh...  Got broken by "make sock_alloc_file() do sock_release() on failures" -
> cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
> but it used to serve the case when sock_map_fd() failed *before* getting to
> sock_alloc_file().
>
> Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
> Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

Please add:

Reported-by: Dmitry Vyukov <dvyukov@...gle.com>

> ---
> diff --git a/net/socket.c b/net/socket.c
> index bbd2e9ceb692..1536515b6437 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
>  {
>         struct file *newfile;
>         int fd = get_unused_fd_flags(flags);
> -       if (unlikely(fd < 0))
> +       if (unlikely(fd < 0)) {
> +               sock_release(sock);
>                 return fd;
> +       }
>
>         newfile = sock_alloc_file(sock, flags, NULL);
>         if (likely(!IS_ERR(newfile))) {