Date:   Mon, 20 Feb 2017 13:59:07 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     "David S. Miller" <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>, Dmitry Kozlov <xeb@...l.ru>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: net/pptp: use-after-free in dst_release

Hi,

I've got the following error report while fuzzing the kernel with syzkaller.

On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).

A reproducer and .config are attached.

==================================================================
BUG: KASAN: use-after-free in dst_release+0xbb/0xc0 net/core/dst.c:304
at addr ffff8800390e14a0
Read of size 2 by task syz-executor5/12953
CPU: 0 PID: 12953 Comm: syz-executor5 Not tainted 4.10.0-rc8+ #201
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x292/0x398 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
 kasan_report mm/kasan/report.c:330 [inline]
 __asan_report_load2_noabort+0x29/0x30 mm/kasan/report.c:330
 dst_release+0xbb/0xc0 net/core/dst.c:304
 sk_dst_reset include/net/sock.h:1790 [inline]
 sock_setbindtodevice net/core/sock.c:575 [inline]
 sock_setsockopt+0x4e1/0x1db0 net/core/sock.c:672
 SYSC_setsockopt net/socket.c:1784 [inline]
 SyS_setsockopt+0x2fb/0x3a0 net/socket.c:1767
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458b9
RSP: 002b:00007f69bab40b58 EFLAGS: 00000292 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004458b9
RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000005
RBP: 00000000006e22c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020007000 R11: 0000000000000292 R12: 0000000000708000
R13: 0000000000000000 R14: 00007f69bab419c0 R15: 00007f69bab41700
Object at ffff8800390e1440, in cache ip_dst_cache size: 216
Allocated:
PID = 12953
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
 slab_post_alloc_hook mm/slab.h:432 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0x1af/0x250 mm/slub.c:2728
 dst_alloc+0x11b/0x1a0 net/core/dst.c:210
 rt_dst_alloc+0xf0/0x5a0 net/ipv4/route.c:1463
 __mkroute_output net/ipv4/route.c:2145 [inline]
 __ip_route_output_key_hash+0xc53/0x2eb0 net/ipv4/route.c:2355
 __ip_route_output_key include/net/route.h:122 [inline]
 ip_route_output_flow+0x29/0xa0 net/ipv4/route.c:2441
 ip_route_output_ports include/net/route.h:159 [inline]
 pptp_connect+0xc80/0x1220 drivers/net/ppp/pptp.c:454
 SYSC_connect+0x251/0x590 net/socket.c:1579
 SyS_connect+0x24/0x30 net/socket.c:1560
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 0
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2c0 mm/slub.c:2980
 dst_destroy+0x24c/0x3b0 net/core/dst.c:270
 dst_destroy_rcu+0x15/0x40 net/core/dst.c:295
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch.isra.67+0x900/0xc50 kernel/rcu/tree.c:2780
 invoke_rcu_callbacks kernel/rcu/tree.c:3043 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3010 [inline]
 rcu_process_callbacks+0x2b7/0xba0 kernel/rcu/tree.c:3027
 __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
Memory state around the buggy address:
 ffff8800390e1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800390e1400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8800390e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8800390e1500: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800390e1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
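As an added example (not part of the email or of the kernel sources), a small Python check that decodes the "Memory state" section above and cross-checks it against the "at addr" and "Object at" lines: each KASAN shadow byte covers 8 bytes of kernel memory, and the values 0xfb and 0xfc are KASAN_KMALLOC_FREE and KASAN_KMALLOC_REDZONE from mm/kasan/kasan.h. The REPORT string is an excerpt of the report above; the check confirms the 2-byte read lands inside the freed 216-byte ip_dst_cache object, 96 bytes past its start, and that every granule of that object is marked freed, which is what a triager expects to see for a genuine use-after-free rather than a stray out-of-bounds hit.

```python
import re

# KASAN shadow-byte values from mm/kasan/kasan.h (one shadow byte per
# 8-byte granule of kernel memory); 0x00 means fully addressable.
SHADOW_GRANULE = 8
SHADOW_MEANING = {0xfb: "freed slab object", 0xfc: "slab redzone", 0x00: "addressable"}

# Excerpt of the report above, reduced to the lines this check needs.
REPORT = """\
BUG: KASAN: use-after-free in dst_release+0xbb/0xc0 net/core/dst.c:304
at addr ffff8800390e14a0
Read of size 2 by task syz-executor5/12953
Object at ffff8800390e1440, in cache ip_dst_cache size: 216
Memory state around the buggy address:
 ffff8800390e1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800390e1400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8800390e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8800390e1500: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800390e1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

def parse_shadow(report):
    """Map each 8-byte granule address in the memory-state dump to its shadow byte."""
    shadow = {}
    line_re = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", re.M)
    for m in line_re.finditer(report):
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_GRANULE] = int(byte, 16)
    return shadow

def analyse(report):
    """Cross-check the faulting access against the object KASAN says it hit."""
    addr = int(re.search(r"^at addr ([0-9a-f]+)", report, re.M).group(1), 16)
    size = int(re.search(r"^(?:Read|Write) of size (\d+)", report, re.M).group(1))
    obj = re.search(r"^Object at ([0-9a-f]+),.*size: (\d+)", report, re.M)
    obj_start, obj_size = int(obj.group(1), 16), int(obj.group(2))
    shadow = parse_shadow(report)
    # State of every granule the faulting access touches (all must be in the dump).
    granules = range(addr & ~7, addr + size, SHADOW_GRANULE)
    states = {SHADOW_MEANING.get(shadow[g], "other") for g in granules}
    # How much of the reported object is marked freed (expect all of it for a UAF).
    obj_granules = range(obj_start, obj_start + obj_size, SHADOW_GRANULE)
    freed = sum(1 for g in obj_granules if shadow.get(g) == 0xfb)
    return {"access_states": sorted(states), "offset_in_object": addr - obj_start,
            "object_granules": len(obj_granules), "freed_granules": freed}

if __name__ == "__main__":
    print(analyse(REPORT))
```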

Download attachment ".config" of type "application/octet-stream" (124975 bytes)

View attachment "pptp-oob-poc.c" of type "text/x-csrc" (36057 bytes)
