lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240118015018.GB89692@linux.alibaba.com>
Date: Thu, 18 Jan 2024 09:50:18 +0800
From: Dust Li <dust.li@...ux.alibaba.com>
To: Wen Gu <guwen@...ux.alibaba.com>, wenjia@...ux.ibm.com,
	jaka@...ux.ibm.com, davem@...emloft.net, edumazet@...gle.com,
	kuba@...nel.org, pabeni@...hat.com
Cc: alibuda@...ux.alibaba.com, tonylu@...ux.alibaba.com,
	yepeilin.cs@...il.com, ubraun@...ux.ibm.com,
	linux-s390@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net/smc: fix illegal rmb_desc access in SMC-D
 connection dump

On Wed, Jan 17, 2024 at 08:27:49PM +0800, Wen Gu wrote:
>A crash was found when dumping SMC-D connections. It can be reproduced
>by following steps:
>
>- run nginx/wrk test:
>  smc_run nginx
>  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
>
>- continuously dump SMC-D connections in parallel:
>  watch -n 1 'smcss -D'
>
> BUG: kernel NULL pointer dereference, address: 0000000000000030
> CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G	E      6.7.0+ #55
> RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
> Call Trace:
>  <TASK>
>  ? __die+0x24/0x70
>  ? page_fault_oops+0x66/0x150
>  ? exc_page_fault+0x69/0x140
>  ? asm_exc_page_fault+0x26/0x30
>  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
>  ? __kmalloc_node_track_caller+0x35d/0x430
>  ? __alloc_skb+0x77/0x170
>  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
>  smc_diag_dump+0x26/0x60 [smc_diag]
>  netlink_dump+0x19f/0x320
>  __netlink_dump_start+0x1dc/0x300
>  smc_diag_handler_dump+0x6a/0x80 [smc_diag]
>  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
>  sock_diag_rcv_msg+0x121/0x140
>  ? __pfx_sock_diag_rcv_msg+0x10/0x10
>  netlink_rcv_skb+0x5a/0x110
>  sock_diag_rcv+0x28/0x40
>  netlink_unicast+0x22a/0x330
>  netlink_sendmsg+0x1f8/0x420
>  __sock_sendmsg+0xb0/0xc0
>  ____sys_sendmsg+0x24e/0x300
>  ? copy_msghdr_from_user+0x62/0x80
>  ___sys_sendmsg+0x7c/0xd0
>  ? __do_fault+0x34/0x160
>  ? do_read_fault+0x5f/0x100
>  ? do_fault+0xb0/0x110
>  ? __handle_mm_fault+0x2b0/0x6c0
>  __sys_sendmsg+0x4d/0x80
>  do_syscall_64+0x69/0x180
>  entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
>It is possible that the connection is in process of being established
>when we dump it. Assumed that the connection has been registered in a
>link group by smc_conn_create() but the rmb_desc has not yet been
>initialized by smc_buf_create(), thus causing the illegal access to
>conn->rmb_desc. So fix it by checking before dump.
>
>Fixes: ce51f63e63c5 ("net/smc: Prevent kernel-infoleak in __smc_diag_dump()")

ce51f63e63c5 ("net/smc: Prevent kernel-infoleak in __smc_diag_dump()")
only add a memset() of 'struct smcd_diag_dmbinfo dinfo', which I don't
think is not the real cause of the bug.

>Signed-off-by: Wen Gu <guwen@...ux.alibaba.com>
>---
> net/smc/smc_diag.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
>index 52f7c4f1e767..5a33908015f3 100644
>--- a/net/smc/smc_diag.c
>+++ b/net/smc/smc_diag.c
>@@ -164,7 +164,7 @@ static int __smc_diag_dump(struct sock *sk, struct sk_buff *skb,
> 	}
> 	if (smc_conn_lgr_valid(&smc->conn) && smc->conn.lgr->is_smcd &&
> 	    (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
>-	    !list_empty(&smc->conn.lgr->list)) {
>+	    !list_empty(&smc->conn.lgr->list) && smc->conn.rmb_desc) {
> 		struct smc_connection *conn = &smc->conn;
> 		struct smcd_diag_dmbinfo dinfo;
> 		struct smcd_dev *smcd = conn->lgr->smcd;
>-- 
>2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ