| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALAgD-75bQU3K2HPSJJo7ra9n2Y=S=WxYoUp8ikjB9TFo1Zh9A@mail.gmail.com> Date: Sat, 24 Aug 2024 22:33:07 -0700 From: Xingyu Li <xli399@....edu> To: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: WARNING: refcount bug in nsim_fib6_rt_nh_del Hi, We found a bug in Linux 6.10. It is probably a use-after-free bug. When fib6_info_release(line 341 of include/net/ip6_fib.h) executes "refcount_dec_and_test(&f6i->fib6_ref)", it is possible that f6i is already free previously. The bug report is as follows, but unfortunately there is no generated syzkaller reproducer. Bug report: netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 8850 at lib/refcount.c:28 refcount_warn_saturate+0x13f/0x1a0 lib/refcount.c:28 Modules linked in: CPU: 0 PID: 8850 Comm: kworker/u4:11 Not tainted 6.10.0 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:refcount_warn_saturate+0x13f/0x1a0 lib/refcount.c:28 Code: 0a 01 48 c7 c7 40 fb a8 8b e8 5d b2 fe fc 0f 0b eb a9 e8 a4 63 3a fd c6 05 d5 3e b8 0a 01 48 c7 c7 a0 fb a8 8b e8 41 b2 fe fc <0f> 0b eb 8d e8 88 63 3a fd c6 05 b6 3e b8 0a 01 48 c7 c7 e0 fa a8 RSP: 0018:ffffc90002bff668 EFLAGS: 00010246 RAX: de8053514f502200 RBX: ffff8880320bcc2c RCX: ffff8880231b0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000003 R08: ffffffff8155a25a R09: 1ffff1100c74519a R10: dffffc0000000000 R11: ffffed100c74519b R12: 0000000000000000 R13: dead000000000122 R14: ffff8880320bcc00 R15: ffff8880320bcc2c FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f13fe745f40 CR3: 00000000413e6000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __refcount_sub_and_test include/linux/refcount.h:275 [inline] __refcount_dec_and_test include/linux/refcount.h:307 [inline] refcount_dec_and_test include/linux/refcount.h:325 [inline] fib6_info_release include/net/ip6_fib.h:341 [inline] nsim_rt6_release drivers/net/netdevsim/fib.c:515 [inline] nsim_fib6_rt_nh_del+0x277/0x2a0 drivers/net/netdevsim/fib.c:534 nsim_fib6_rt_destroy drivers/net/netdevsim/fib.c:583 [inline] nsim_fib6_rt_free drivers/net/netdevsim/fib.c:1069 [inline] nsim_fib_rt_free+0x4a4/0x7a0 drivers/net/netdevsim/fib.c:1082 rhashtable_free_one lib/rhashtable.c:1113 [inline] rhashtable_free_and_destroy+0x5ab/0x910 lib/rhashtable.c:1164 nsim_fib_destroy+0xb0/0x180 drivers/net/netdevsim/fib.c:1659 nsim_dev_reload_destroy+0x2db/0x480 drivers/net/netdevsim/dev.c:1662 nsim_dev_reload_down+0x93/0xc0 drivers/net/netdevsim/dev.c:965 devlink_reload+0x188/0x840 net/devlink/dev.c:461 devlink_pernet_pre_exit+0x1ee/0x440 net/devlink/core.c:509 ops_pre_exit_list net/core/net_namespace.c:163 [inline] cleanup_net+0x61e/0xcd0 net/core/net_namespace.c:620 process_one_work kernel/workqueue.c:3248 [inline] process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409 kthread+0x2eb/0x380 kernel/kthread.c:389 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 </TASK> -- Yours sincerely, Xingyu
Powered by blists - more mailing lists