lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+Yow9Y3zicaFWoopbtZ9pwxb+_=6YjVfnRtEVwSaOYSug@mail.gmail.com>
Date:	Sun, 13 Dec 2015 14:24:26 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Dmitry Kozlov <xeb@...l.ru>, netdev <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Eric Dumazet <eric.dumazet@...il.com>,
	"David S. Miller" <davem@...emloft.net>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>
Subject: use-after-free in pptp_connect

Hello,

The following program causes use-after-free in pptp_connect and a leak
of pptp call id:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/if.h>
#include <linux/if_pppox.h>

int main()
{
        int fd = socket(PF_PPPOX, SOCK_STREAM, PX_PROTO_PPTP);
        struct sockaddr_pppox sa;
        sa.sa_family = AF_PPPOX;
        sa.sa_protocol = PX_PROTO_PPTP;
        sa.sa_addr.pptp.call_id = 0;
        sa.sa_addr.pptp.sin_addr.s_addr = 0;
        bind(fd, (struct sockaddr *)&sa, sizeof(sa));
        int len = sizeof(sa);
        getsockname(fd, (struct sockaddr *)&sa, &len);
        printf("addr %d/%d\n", sa.sa_addr.pptp.call_id,
sa.sa_addr.pptp.sin_addr.s_addr);
        int callid = sa.sa_addr.pptp.call_id;

        sa.sa_addr.pptp.call_id = 0;
        sa.sa_addr.pptp.sin_addr.s_addr = 0;
        bind(fd, (struct sockaddr *)&sa, sizeof(sa));
        getsockname(fd, (struct sockaddr *)&sa, &len);
        printf("addr %d/%d\n", sa.sa_addr.pptp.call_id,
sa.sa_addr.pptp.sin_addr.s_addr);
        close(fd);

        int cfd = socket(PF_PPPOX, SOCK_STREAM, PX_PROTO_PPTP);
        sa.sa_addr.pptp.call_id = callid;
        sa.sa_addr.pptp.sin_addr.s_addr = 0;
        connect(cfd, (struct sockaddr *)&sa, sizeof(sa));
}


==================================================================
BUG: KASAN: use-after-free in pptp_connect+0xbdc/0xc00 at addr ffff88006a46d800
Read of size 2 by task a.out/7038
=============================================================================
BUG kmalloc-2048 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in sk_prot_alloc+0x1a9/0x2c0 age=986682 cpu=2 pid=7009
[<      none      >] ___slab_alloc+0x489/0x4e0 mm/slub.c:2438
[<      none      >] __slab_alloc+0x4c/0x90 mm/slub.c:2467
[<     inline     >] slab_alloc_node mm/slub.c:2530
[<     inline     >] slab_alloc mm/slub.c:2572
[<      none      >] __kmalloc+0x299/0x330 mm/slub.c:3532
[<     inline     >] kmalloc include/linux/slab.h:463
[<      none      >] sk_prot_alloc+0x1a9/0x2c0 net/core/sock.c:1355
[<      none      >] sk_alloc+0x31/0x620 net/core/sock.c:1420
[<      none      >] pptp_create+0x23/0x2e0 drivers/net/ppp/pptp.c:570
[<      none      >] pppox_create+0xd3/0x1e0 drivers/net/ppp/pppox.c:121
[<      none      >] __sock_create+0x2f2/0x590 net/socket.c:1162
[<     inline     >] sock_create net/socket.c:1202
[<     inline     >] SYSC_socket net/socket.c:1232
[<      none      >] SyS_socket+0xd0/0x190 net/socket.c:1212
[<      none      >] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269

INFO: Freed in sk_destruct+0x317/0x420 age=986672 cpu=2 pid=7009
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2648
[<     inline     >] slab_free mm/slub.c:2803
[<      none      >] kfree+0x26a/0x290 mm/slub.c:3632
[<     inline     >] sk_prot_free net/core/sock.c:1392
[<      none      >] sk_destruct+0x317/0x420 net/core/sock.c:1468
[<      none      >] __sk_free+0x4f/0x1e0 net/core/sock.c:1476
[<      none      >] sk_free+0x13/0x20 net/core/sock.c:1487
[<     inline     >] sock_put include/net/sock.h:1624
[<      none      >] pptp_release+0x197/0x200 drivers/net/ppp/pptp.c:549
[<      none      >] sock_release+0x83/0x1a0 net/socket.c:571
[<      none      >] sock_close+0xd/0x20 net/socket.c:1022
[<      none      >] __fput+0x210/0x750 fs/file_table.c:208
[<      none      >] ____fput+0x9/0x10 fs/file_table.c:244
[<      none      >] task_work_run+0x132/0x200 kernel/task_work.c:115
[<     inline     >] exit_task_work include/linux/task_work.h:21
[<      none      >] do_exit+0x7fb/0x2be0 kernel/exit.c:748
[<      none      >] do_group_exit+0xf4/0x2f0 kernel/exit.c:878
[<     inline     >] SYSC_exit_group kernel/exit.c:889
[<      none      >] SyS_exit_group+0x18/0x20 kernel/exit.c:887
[<      none      >] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269

INFO: Slab 0xffffea0001a91a00 objects=13 used=6 fp=0xffff88006a46b7b0
flags=0x5fffc0000004080
INFO: Object 0xffff88006a46d388 @offset=21384 fp=0x          (null)
CPU: 0 PID: 7038 Comm: a.out Tainted: G    B           4.4.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a468000 ffff88003284fba8 ffffffff82841227 ffff88003e804f00
 ffff88003284fbd8 ffffffff81697d04 ffff88003e804f00 ffffea0001a91a00
 ffff88006a46d388 ffff88006a46d388 ffff88003284fc00 ffffffff8169e3bf

Call Trace:
 [<ffffffff816a10be>] __asan_report_load2_noabort+0x3e/0x40
mm/kasan/report.c:278
 [<     inline     >] lookup_chan_dst drivers/net/ppp/pptp.c:123
 [<ffffffff83a125dc>] pptp_connect+0xbdc/0xc00 drivers/net/ppp/pptp.c:446
 [<ffffffff84aa82a2>] SYSC_connect+0x202/0x2a0 net/socket.c:1542
 [<ffffffff84aaa769>] SyS_connect+0x9/0x10 net/socket.c:1523
 [<ffffffff85b43ff8>] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269
==================================================================

On commit b9d85451ddd4e7f2d6280506f6fe7f1924356924 (Dec 11).
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ