[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+Yow9Y3zicaFWoopbtZ9pwxb+_=6YjVfnRtEVwSaOYSug@mail.gmail.com>
Date: Sun, 13 Dec 2015 14:24:26 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Dmitry Kozlov <xeb@...l.ru>, netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Eric Dumazet <eric.dumazet@...il.com>,
"David S. Miller" <davem@...emloft.net>
Cc: syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>
Subject: use-after-free in pptp_connect
Hello,
The following program causes use-after-free in pptp_connect and a leak
of pptp call id:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
int main()
{
int fd = socket(PF_PPPOX, SOCK_STREAM, PX_PROTO_PPTP);
struct sockaddr_pppox sa;
sa.sa_family = AF_PPPOX;
sa.sa_protocol = PX_PROTO_PPTP;
sa.sa_addr.pptp.call_id = 0;
sa.sa_addr.pptp.sin_addr.s_addr = 0;
bind(fd, (struct sockaddr *)&sa, sizeof(sa));
int len = sizeof(sa);
getsockname(fd, (struct sockaddr *)&sa, &len);
printf("addr %d/%d\n", sa.sa_addr.pptp.call_id,
sa.sa_addr.pptp.sin_addr.s_addr);
int callid = sa.sa_addr.pptp.call_id;
sa.sa_addr.pptp.call_id = 0;
sa.sa_addr.pptp.sin_addr.s_addr = 0;
bind(fd, (struct sockaddr *)&sa, sizeof(sa));
getsockname(fd, (struct sockaddr *)&sa, &len);
printf("addr %d/%d\n", sa.sa_addr.pptp.call_id,
sa.sa_addr.pptp.sin_addr.s_addr);
close(fd);
int cfd = socket(PF_PPPOX, SOCK_STREAM, PX_PROTO_PPTP);
sa.sa_addr.pptp.call_id = callid;
sa.sa_addr.pptp.sin_addr.s_addr = 0;
connect(cfd, (struct sockaddr *)&sa, sizeof(sa));
}
==================================================================
BUG: KASAN: use-after-free in pptp_connect+0xbdc/0xc00 at addr ffff88006a46d800
Read of size 2 by task a.out/7038
=============================================================================
BUG kmalloc-2048 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in sk_prot_alloc+0x1a9/0x2c0 age=986682 cpu=2 pid=7009
[< none >] ___slab_alloc+0x489/0x4e0 mm/slub.c:2438
[< none >] __slab_alloc+0x4c/0x90 mm/slub.c:2467
[< inline >] slab_alloc_node mm/slub.c:2530
[< inline >] slab_alloc mm/slub.c:2572
[< none >] __kmalloc+0x299/0x330 mm/slub.c:3532
[< inline >] kmalloc include/linux/slab.h:463
[< none >] sk_prot_alloc+0x1a9/0x2c0 net/core/sock.c:1355
[< none >] sk_alloc+0x31/0x620 net/core/sock.c:1420
[< none >] pptp_create+0x23/0x2e0 drivers/net/ppp/pptp.c:570
[< none >] pppox_create+0xd3/0x1e0 drivers/net/ppp/pppox.c:121
[< none >] __sock_create+0x2f2/0x590 net/socket.c:1162
[< inline >] sock_create net/socket.c:1202
[< inline >] SYSC_socket net/socket.c:1232
[< none >] SyS_socket+0xd0/0x190 net/socket.c:1212
[< none >] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269
INFO: Freed in sk_destruct+0x317/0x420 age=986672 cpu=2 pid=7009
[< none >] __slab_free+0x1fc/0x320 mm/slub.c:2648
[< inline >] slab_free mm/slub.c:2803
[< none >] kfree+0x26a/0x290 mm/slub.c:3632
[< inline >] sk_prot_free net/core/sock.c:1392
[< none >] sk_destruct+0x317/0x420 net/core/sock.c:1468
[< none >] __sk_free+0x4f/0x1e0 net/core/sock.c:1476
[< none >] sk_free+0x13/0x20 net/core/sock.c:1487
[< inline >] sock_put include/net/sock.h:1624
[< none >] pptp_release+0x197/0x200 drivers/net/ppp/pptp.c:549
[< none >] sock_release+0x83/0x1a0 net/socket.c:571
[< none >] sock_close+0xd/0x20 net/socket.c:1022
[< none >] __fput+0x210/0x750 fs/file_table.c:208
[< none >] ____fput+0x9/0x10 fs/file_table.c:244
[< none >] task_work_run+0x132/0x200 kernel/task_work.c:115
[< inline >] exit_task_work include/linux/task_work.h:21
[< none >] do_exit+0x7fb/0x2be0 kernel/exit.c:748
[< none >] do_group_exit+0xf4/0x2f0 kernel/exit.c:878
[< inline >] SYSC_exit_group kernel/exit.c:889
[< none >] SyS_exit_group+0x18/0x20 kernel/exit.c:887
[< none >] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269
INFO: Slab 0xffffea0001a91a00 objects=13 used=6 fp=0xffff88006a46b7b0
flags=0x5fffc0000004080
INFO: Object 0xffff88006a46d388 @offset=21384 fp=0x (null)
CPU: 0 PID: 7038 Comm: a.out Tainted: G B 4.4.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006a468000 ffff88003284fba8 ffffffff82841227 ffff88003e804f00
ffff88003284fbd8 ffffffff81697d04 ffff88003e804f00 ffffea0001a91a00
ffff88006a46d388 ffff88006a46d388 ffff88003284fc00 ffffffff8169e3bf
Call Trace:
[<ffffffff816a10be>] __asan_report_load2_noabort+0x3e/0x40
mm/kasan/report.c:278
[< inline >] lookup_chan_dst drivers/net/ppp/pptp.c:123
[<ffffffff83a125dc>] pptp_connect+0xbdc/0xc00 drivers/net/ppp/pptp.c:446
[<ffffffff84aa82a2>] SYSC_connect+0x202/0x2a0 net/socket.c:1542
[<ffffffff84aaa769>] SyS_connect+0x9/0x10 net/socket.c:1523
[<ffffffff85b43ff8>] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269
==================================================================
On commit b9d85451ddd4e7f2d6280506f6fe7f1924356924 (Dec 11).
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists