lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sun, 12 Feb 2017 17:53:42 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Patrick McHardy <kaber@...sh.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/ipv6: use-after-free in sock_wfree

On Mon, Jan 9, 2017 at 6:21 PM, Eric Dumazet <edumazet@...gle.com> wrote:
> On Mon, Jan 9, 2017 at 9:11 AM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>> On Mon, Jan 9, 2017 at 6:08 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>>> Hi!
>>>
>>> I've got the following error report while running the syzkaller fuzzer.
>>>
>>> On commit a121103c922847ba5010819a3f250f1f7fc84ab8 (4.10-rc3).
>>>
>>> A reproducer is attached.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in sock_wfree+0x118/0x120
>>> Read of size 8 at addr ffff880062da0060 by task a.out/4140
>>>
>>> page:ffffea00018b6800 count:1 mapcount:0 mapping:          (null)
>>> index:0x0 compound_mapcount: 0
>>> flags: 0x100000000008100(slab|head)
>>> raw: 0100000000008100 0000000000000000 0000000000000000 0000000180130013
>>> raw: dead000000000100 dead000000000200 ffff88006741f140 0000000000000000
>>> page dumped because: kasan: bad access detected
>>>
>>> CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>> Call Trace:
>>>  __dump_stack lib/dump_stack.c:15
>>>  dump_stack+0x292/0x398 lib/dump_stack.c:51
>>>  describe_address mm/kasan/report.c:262
>>>  kasan_report_error+0x121/0x560 mm/kasan/report.c:370
>>>  kasan_report mm/kasan/report.c:392
>>>  __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413
>>>  sock_flag ./arch/x86/include/asm/bitops.h:324
>>>  sock_wfree+0x118/0x120 net/core/sock.c:1631
>>>  skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655
>>>  skb_release_all+0x15/0x60 net/core/skbuff.c:668
>>>  __kfree_skb+0x15/0x20 net/core/skbuff.c:684
>>>  kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705
>>>  inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
>>>  inet_frag_put ./include/net/inet_frag.h:133
>>>  nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617
>>>  ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
>>>  nf_hook_entry_hookfn ./include/linux/netfilter.h:102
>>>  nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
>>>  nf_hook ./include/linux/netfilter.h:212
>>>  __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160
>>>  ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
>>>  ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
>>>  ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
>>>  rawv6_push_pending_frames net/ipv6/raw.c:613
>>>  rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927
>>>  inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
>>>  sock_sendmsg_nosec net/socket.c:635
>>>  sock_sendmsg+0xca/0x110 net/socket.c:645
>>>  sock_write_iter+0x326/0x620 net/socket.c:848
>>>  new_sync_write fs/read_write.c:499
>>>  __vfs_write+0x483/0x760 fs/read_write.c:512
>>>  vfs_write+0x187/0x530 fs/read_write.c:560
>>>  SYSC_write fs/read_write.c:607
>>>  SyS_write+0xfb/0x230 fs/read_write.c:599
>>>  entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
>>> RIP: 0033:0x7ff26e6f5b79
>>> RSP: 002b:00007ff268e0ed98 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
>>> RAX: ffffffffffffffda RBX: 00007ff268e0f9c0 RCX: 00007ff26e6f5b79
>>> RDX: 0000000000000010 RSI: 0000000020f50fe1 RDI: 0000000000000003
>>> RBP: 00007ff26ebc1220 R08: 0000000000000000 R09: 0000000000000000
>>> R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
>>> R13: 00007ff268e0f9c0 R14: 00007ff26efec040 R15: 0000000000000003
>>>
>>> The buggy address belongs to the object at ffff880062da0000
>>>  which belongs to the cache RAWv6 of size 1504
>>> The buggy address ffff880062da0060 is located 96 bytes inside
>>>  of 1504-byte region [ffff880062da0000, ffff880062da05e0)
>>>
>>> Freed by task 4113:
>>>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
>>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:502
>>>  set_track mm/kasan/kasan.c:514
>>>  kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
>>>  slab_free_hook mm/slub.c:1352
>>>  slab_free_freelist_hook mm/slub.c:1374
>>>  slab_free mm/slub.c:2951
>>>  kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973
>>>  sk_prot_free net/core/sock.c:1377
>>>  __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452
>>>  sk_destruct+0x47/0x80 net/core/sock.c:1460
>>>  __sk_free+0x57/0x230 net/core/sock.c:1468
>>>  sk_free+0x23/0x30 net/core/sock.c:1479
>>>  sock_put ./include/net/sock.h:1638
>>>  sk_common_release+0x31e/0x4e0 net/core/sock.c:2782
>>>  rawv6_close+0x54/0x80 net/ipv6/raw.c:1214
>>>  inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
>>>  inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431
>>>  sock_release+0x8d/0x1e0 net/socket.c:599
>>>  sock_close+0x16/0x20 net/socket.c:1063
>>>  __fput+0x332/0x7f0 fs/file_table.c:208
>>>  ____fput+0x15/0x20 fs/file_table.c:244
>>>  task_work_run+0x19b/0x270 kernel/task_work.c:116
>>>  exit_task_work ./include/linux/task_work.h:21
>>>  do_exit+0x186b/0x2800 kernel/exit.c:839
>>>  do_group_exit+0x149/0x420 kernel/exit.c:943
>>>  SYSC_exit_group kernel/exit.c:954
>>>  SyS_exit_group+0x1d/0x20 kernel/exit.c:952
>>>  entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
>>>
>>> Allocated by task 4115:
>>>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
>>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:502
>>>  set_track mm/kasan/kasan.c:514
>>>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
>>>  kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
>>>  slab_post_alloc_hook mm/slab.h:432
>>>  slab_alloc_node mm/slub.c:2708
>>>  slab_alloc mm/slub.c:2716
>>>  kmem_cache_alloc+0x1af/0x250 mm/slub.c:2721
>>>  sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334
>>>  sk_alloc+0x105/0x1010 net/core/sock.c:1396
>>>  inet6_create+0x44d/0x1150 net/ipv6/af_inet6.c:183
>>>  __sock_create+0x4f6/0x880 net/socket.c:1199
>>>  sock_create net/socket.c:1239
>>>  SYSC_socket net/socket.c:1269
>>>  SyS_socket+0xf9/0x230 net/socket.c:1249
>>>  entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
>>>
>>> Memory state around the buggy address:
>>>  ffff880062d9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>  ffff880062d9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>>ffff880062da0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>                                                        ^
>>>  ffff880062da0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>  ffff880062da0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ==================================================================
>>
>> Sometimes this reproducer leads to another report:
>
> Looks very similar to issue fixed in 8282f27449bf15548cb82c77b6e04ee0ab827bdc
>
> Could you try :
>
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c
> b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index 9948b5ce52dad3a823edede517f17069bd7226dc..986d4ca38832b17703b09e50209ec133885c7276
> 100644
> --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -589,6 +589,7 @@ int nf_ct_frag6_gather(struct net *net, struct
> sk_buff *skb, u32 user)
>         hdr = ipv6_hdr(skb);
>         fhdr = (struct frag_hdr *)skb_transport_header(skb);
>
> +       skb_orphan(skb);
>         fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
>                      skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
>         if (fq == NULL) {
> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> index 6b78bab27755b2758f3c8ecd5b9c6d61615af4b6..fdec2a4cc559ab956c58d26535bdf010c0a8964a
> 100644
> --- a/net/openvswitch/conntrack.c
> +++ b/net/openvswitch/conntrack.c
> @@ -367,7 +367,6 @@ static int handle_fragments(struct net *net,
> struct sw_flow_key *key,
>         } else if (key->eth.type == htons(ETH_P_IPV6)) {
>                 enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;
>
> -               skb_orphan(skb);
>                 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
>                 err = nf_ct_frag6_gather(net, skb, user);
>                 if (err) {

Hi Eric,

I'm still seeing these reports on 926af6273fc683cd98cd0ce7bf0d04a02eed6742.

Did you mail the patch?

Thanks!

Powered by blists - more mailing lists