lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180109185351.GE13338@ZenIV.linux.org.uk>
Date:   Tue, 9 Jan 2018 18:53:51 +0000
From:   Al Viro <viro@...IV.linux.org.uk>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     David Miller <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Willem de Bruijn <willemb@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net: memory leak in socket

On Tue, Jan 09, 2018 at 07:39:50PM +0100, Dmitry Vyukov wrote:
> Hello,
> 
> syzkaller has hit the following memory leak on 4.15-rc7:
> 
> unreferenced object 0xffff88002713fb20 (size 16):
>   comm "syz-executor3", pid 6576, jiffies 4295029354 (age 10.166s)
>   hex dump (first 16 bytes):
>     69 6e 73 6d 6f 64 5f 74 00 00 d9 1c 00 88 ff ff  insmod_t........
>   backtrace:
>     [<00000000da8d6b27>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
>     [<00000000da8d6b27>] slab_post_alloc_hook mm/slab.h:440 [inline]
>     [<00000000da8d6b27>] slab_alloc_node mm/slub.c:2725 [inline]
>     [<00000000da8d6b27>] slab_alloc mm/slub.c:2733 [inline]
>     [<00000000da8d6b27>] __kmalloc_track_caller+0x183/0x310 mm/slub.c:4290
>     [<000000001aa62b7a>] kstrdup+0x39/0x70 mm/util.c:56
>     [<00000000fa6a957e>] security_netlbl_sid_to_secattr+0xbc/0x1a0
> security/selinux/ss/services.c:3522
>     [<0000000054674134>] selinux_netlbl_sock_genattr+0xef/0x410
> security/selinux/netlabel.c:94
>     [<000000002338a05c>] selinux_netlbl_socket_post_create+0x79/0x160
> security/selinux/netlabel.c:341
>     [<0000000059825908>] selinux_socket_post_create+0x37f/0xa60
> security/selinux/hooks.c:4399
>     [<00000000fff6c966>] security_socket_post_create+0x8b/0xd0
> security/security.c:1344
>     [<000000005786c830>] __sock_create+0x758/0x920 net/socket.c:1281
>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>     [<00000000921bbbd9>] 0xffffffffffffffff
> 
> unreferenced object 0xffff88007c3bba80 (size 992):
>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>   hex dump (first 32 bytes):
>     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>     40 2e 5a 2c 00 88 ff ff 00 00 00 00 00 00 00 00  @.Z,............
>   backtrace:
>     [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
>     [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
>     [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
>     [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
>     [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
>     [<00000000d243ce94>] sock_alloc_inode+0x70/0x300 net/socket.c:250
>     [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
>     [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
>     [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
>     [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>     [<00000000921bbbd9>] 0xffffffffffffffff
> 
> unreferenced object 0xffff88002c5a2e40 (size 128):
>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>   hex dump (first 32 bytes):
>     00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
>     ff ff ff ff ff ff ff ff c0 da db 88 ff ff ff ff  ................
>   backtrace:
>     [<00000000696a590c>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
>     [<00000000696a590c>] slab_post_alloc_hook mm/slab.h:440 [inline]
>     [<00000000696a590c>] slab_alloc_node mm/slub.c:2725 [inline]
>     [<00000000696a590c>] slab_alloc mm/slub.c:2733 [inline]
>     [<00000000696a590c>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
>     [<00000000551c8f10>] kmalloc include/linux/slab.h:499 [inline]
>     [<00000000551c8f10>] sock_alloc_inode+0xb4/0x300 net/socket.c:253
>     [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
>     [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
>     [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
>     [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>     [<00000000921bbbd9>] 0xffffffffffffffff
> 
> unreferenced object 0xffff88007310f680 (size 96):
>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>   hex dump (first 32 bytes):
>     b0 ba 3b 7c 00 88 ff ff 88 f6 10 73 00 88 ff ff  ..;|.......s....
>     88 f6 10 73 00 88 ff ff dd 00 00 00 dd 00 00 00  ...s............
>   backtrace:
>     [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
>     [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
>     [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
>     [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
>     [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
>     [<00000000094ffa79>] kmem_cache_zalloc include/linux/slab.h:678 [inline]
>     [<00000000094ffa79>] inode_alloc_security
> security/selinux/hooks.c:234 [inline]
>     [<00000000094ffa79>] selinux_inode_alloc_security+0xf9/0x390
> security/selinux/hooks.c:2885
>     [<0000000082b97b6d>] security_inode_alloc+0x92/0xe0 security/security.c:437
>     [<000000009683bb60>] inode_init_always+0x64f/0xca0 fs/inode.c:167
>     [<00000000a71f5b21>] alloc_inode+0x82/0x190 fs/inode.c:215
>     [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
>     [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
>     [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>     [<00000000921bbbd9>] 0xffffffffffffffff
> 
> unreferenced object 0xffff88007127bf00 (size 2528):
>   comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
>   backtrace:
>     [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
>     [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
>     [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
>     [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
>     [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
>     [<0000000021d2cae7>] sk_prot_alloc+0x69/0x2f0 net/core/sock.c:1463
>     [<0000000088be91b8>] sk_alloc+0x109/0x1740 net/core/sock.c:1523
>     [<00000000bbd7f0e5>] inet_create+0x4f8/0x10a0 net/ipv4/af_inet.c:319
>     [<00000000c0aa842f>] __sock_create+0x521/0x920 net/socket.c:1265
>     [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
>     [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
>     [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
>     [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
>     [<00000000921bbbd9>] 0xffffffffffffffff
> 
> 
> 
> Reproducer:
> 
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <sys/time.h>
> #include <sys/resource.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> 
> int main()
> {
>   struct rlimit rlim;
>   rlim.rlim_cur = 0;
>   rlim.rlim_max = 0;
>   setrlimit(RLIMIT_NOFILE, &rlim);
>   socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
>   return 0;
> }

Argh...  Got broken by "make sock_alloc_file() do sock_release() on failures" -
cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
but it used to serve the case when sock_map_fd() failed *before* getting to
sock_alloc_file().

Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
---
diff --git a/net/socket.c b/net/socket.c
index bbd2e9ceb692..1536515b6437 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
 {
 	struct file *newfile;
 	int fd = get_unused_fd_flags(flags);
-	if (unlikely(fd < 0))
+	if (unlikely(fd < 0)) {
+		sock_release(sock);
 		return fd;
+	}
 
 	newfile = sock_alloc_file(sock, flags, NULL);
 	if (likely(!IS_ERR(newfile))) {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ