lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89i+V-GeD3zCzGPAo4jY8Z6iTjFN3U1ixG44WyKKLOZ9Txw@mail.gmail.com>
Date:	Wed, 9 Dec 2015 06:43:28 -0800
From:	Eric Dumazet <edumazet@...gle.com>
To:	Dmitry Vyukov <dvyukov@...gle.com>
Cc:	"David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	James Morris <jmorris@...ei.org>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>,
	netdev <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Vlad Yasevich <vyasevich@...il.com>,
	Neil Horman <nhorman@...driver.com>,
	linux-sctp@...r.kernel.org, syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>
Subject: Re: use-after-free in inet6_destroy_sock

On Wed, Dec 9, 2015 at 6:15 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> Hello,
>
> The following program causes use-after-free in inet6_destroy_sock:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <syscall.h>
> #include <string.h>
> #include <stdint.h>
> #include <pthread.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <linux/in.h>
> #include <linux/in6.h>
>
> int cfd = -1;
>
> void *thr(void *arg)
> {
>         cfd = syscall(SYS_socket, PF_INET6, SOCK_STREAM, IPPROTO_SCTP);
>         struct sockaddr_in6 sa = {};
>         sa.sin6_family = AF_INET6;
>         sa.sin6_port = getpid();
>         sa.sin6_addr.s6_addr[15] = 1;
>         syscall(SYS_connect, cfd, &sa, sizeof(sa), 0, 0, 0);
>         return 0;
> }
>
> int main()
> {
>         syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul, 0x32ul,
> 0xfffffffffffffffful, 0x0ul);
>         int fd = syscall(SYS_socket, PF_INET6, SOCK_STREAM, IPPROTO_SCTP);
>         struct sockaddr_in6 sa = {};
>         sa.sin6_family = AF_INET6;
>         sa.sin6_port = getpid();
>         sa.sin6_addr.s6_addr[15] = 1;
>         syscall(SYS_bind, fd, &sa, sizeof(sa), 0, 0, 0);
>         syscall(SYS_listen, fd, 0x3ul, 0, 0, 0, 0);
>         memcpy((void*)0x20002ff6,
> "\x10\x48\xe0\xad\x68\xc0\xce\x4c\xd0\xb5", 10);
>         syscall(SYS_setsockopt, fd, 0x29ul, 0x6ul, 0x20002ff6ul, 0xaul, 0);
>         pthread_t th;
>         pthread_create(&th, 0, thr, 0);
>         pthread_join(th, 0);
>         int sfd = syscall(SYS_accept4, fd, 0x20003f80ul, 0x20003ab4ul,
> 0x80800ul, 0, 0);
>         dup3(fd, -1, 0x80000);
>         return 0;
> }
>
>
> ==================================================================
> BUG: KASAN: use-after-free in inet6_destroy_sock+0x177/0x1c0 at addr
> ffff8800349179b4
> Read of size 4 by task executor/7001
> =============================================================================
> BUG kmalloc-96 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in sock_kmalloc+0x93/0x100 age=20 cpu=0 pid=7064
> [<      none      >] ___slab_alloc+0x648/0x8c0 mm/slub.c:2468
> [<      none      >] __slab_alloc+0x4c/0x90 mm/slub.c:2497
> [<     inline     >] slab_alloc_node mm/slub.c:2560
> [<     inline     >] slab_alloc mm/slub.c:2602
> [<      none      >] __kmalloc+0x2d9/0x480 mm/slub.c:3562
> [<     inline     >] kmalloc include/linux/slab.h:463
> [<      none      >] sock_kmalloc+0x93/0x100 net/core/sock.c:1771
> [<      none      >] do_ipv6_setsockopt.isra.5+0x1f43/0x2e50
> net/ipv6/ipv6_sockglue.c:490
> [<      none      >] ipv6_setsockopt+0x4f/0x150 net/ipv6/ipv6_sockglue.c:895
> [<      none      >] sctp_setsockopt+0x194/0x4020 net/sctp/socket.c:3702
> [<      none      >] sock_common_setsockopt+0xb4/0x140 net/core/sock.c:2641
> [<     inline     >] SYSC_setsockopt net/socket.c:1750
> [<      none      >] SyS_setsockopt+0x161/0x290 net/socket.c:1729
> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>
> INFO: Freed in rcu_process_callbacks+0x52c/0x19e0 age=16 cpu=0 pid=0
> [<      none      >] __slab_free+0x21e/0x3e0 mm/slub.c:2678
> [<     inline     >] slab_free mm/slub.c:2833
> [<      none      >] kfree+0x26f/0x3e0 mm/slub.c:3662
> [<     inline     >] __rcu_reclaim kernel/rcu/rcu.h:113
> [<     inline     >] rcu_do_batch kernel/rcu/tree.c:2693
> [<     inline     >] invoke_rcu_callbacks kernel/rcu/tree.c:2961
> [<     inline     >] __rcu_process_callbacks kernel/rcu/tree.c:2928
> [<      none      >] rcu_process_callbacks+0x52c/0x19e0 kernel/rcu/tree.c:2945
> [<      none      >] __do_softirq+0x2e5/0xb40 kernel/softirq.c:273
> [<     inline     >] invoke_softirq kernel/softirq.c:350
> [<      none      >] irq_exit+0x165/0x1e0 kernel/softirq.c:391
> [<     inline     >] exiting_irq ./arch/x86/include/asm/apic.h:653
> [<      none      >] smp_apic_timer_interrupt+0x88/0xc0
> arch/x86/kernel/apic/apic.c:926
> [<      none      >] apic_timer_interrupt+0x8c/0xa0
> arch/x86/entry/entry_64.S:520
> [<     inline     >] arch_safe_halt ./arch/x86/include/asm/paravirt.h:111
> [<      none      >] default_idle+0x22/0x300 arch/x86/kernel/process.c:304
> [<      none      >] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:295
> [<      none      >] default_idle_call+0x4f/0x80 kernel/sched/idle.c:92
> [<     inline     >] cpuidle_idle_call kernel/sched/idle.c:156
> [<     inline     >] cpu_idle_loop kernel/sched/idle.c:251
> [<      none      >] cpu_startup_entry+0x481/0x690 kernel/sched/idle.c:299
> [<      none      >] rest_init+0x1c7/0x1d0 init/main.c:412
> [<      none      >] start_kernel+0x6cd/0x6f3 init/main.c:683
> [<      none      >] x86_64_start_reservations+0x2a/0x2c
> arch/x86/kernel/head64.c:195
> [<      none      >] x86_64_start_kernel+0x176/0x185
> arch/x86/kernel/head64.c:184
>
> INFO: Slab 0xffffea0000d24500 objects=28 used=26 fp=0xffff8800349179b0
> flags=0x1fffc0000004080
> INFO: Object 0xffff8800349179b0 @offset=14768 fp=0xffff880034914000
> CPU: 1 PID: 7001 Comm: executor Tainted: G    B           4.4.0-rc4+ #158
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  0000000000000001 ffff880062eef940 ffffffff82e0f6d8 0000000041b58ab3
>  ffffffff87aa2c7d ffffffff82e0f626 ffff88006c051740 ffffffff87ac3e19
>  ffff88003e804900 0000000000000008 ffff8800349179b0 ffff880062eef940
>
> Call Trace:
>  [<ffffffff818450f4>] __asan_report_load4_noabort+0x54/0x70
> mm/kasan/report.c:294
>  [<ffffffff85d61f17>] inet6_destroy_sock+0x177/0x1c0 net/ipv6/af_inet6.c:433
>  [<ffffffff864df89d>] sctp_v6_destroy_sock+0x1d/0x20 net/sctp/socket.c:7389
>  [<ffffffff856cf00d>] sk_common_release+0x7d/0x3e0 net/core/sock.c:2662
>  [<ffffffff864e58fe>] sctp_close+0x5fe/0x9b0 net/sctp/socket.c:1541
>  [<ffffffff85bfe691>] inet_release+0x111/0x270 net/ipv4/af_inet.c:413
>  [<ffffffff85d60ce5>] inet6_release+0x55/0x90 net/ipv6/af_inet6.c:406
>  [<ffffffff856b3b96>] sock_release+0x96/0x260 net/socket.c:571
>  [<ffffffff856b3d76>] sock_close+0x16/0x20 net/socket.c:1022
>  [<ffffffff8189d304>] __fput+0x244/0x860 fs/file_table.c:208
>  [<ffffffff8189d9b5>] ____fput+0x15/0x20 fs/file_table.c:244
>  [<ffffffff813e2dc0>] task_work_run+0x130/0x240 kernel/task_work.c:115
>  [<     inline     >] exit_task_work include/linux/task_work.h:21
>  [<ffffffff8137d1e5>] do_exit+0x885/0x3050 kernel/exit.c:750
>  [<ffffffff8137fb0c>] do_group_exit+0xec/0x390 kernel/exit.c:880
>  [<     inline     >] SYSC_exit_group kernel/exit.c:891
>  [<ffffffff8137fdcd>] SyS_exit_group+0x1d/0x20 kernel/exit.c:889
>  [<ffffffff86a924f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> ==================================================================
>
> On commit aa53685549a2cfb5f175b0c4a20bc9aa1e5a1b85 (Nov 8).
> Eric, this now includes your patches that you previously pointed me
> to, and also https://patchwork.ozlabs.org/patch/553068/ on top of it.

Sure, I believe SCTP crowd already know they are missing ipv6_dup_options()

$ git grep -n ipv6_dup_options
include/net/ipv6.h:300:struct ipv6_txoptions *ipv6_dup_options(struct sock *sk,
net/dccp/ipv6.c:499:            opt = ipv6_dup_options(newsk, opt);
net/ipv6/exthdrs.c:714:ipv6_dup_options(struct sock *sk, struct
ipv6_txoptions *opt)
net/ipv6/exthdrs.c:734:EXPORT_SYMBOL_GPL(ipv6_dup_options);
net/ipv6/tcp_ipv6.c:1107:               opt = ipv6_dup_options(newsk, opt);

I can certainly send a patch, but maybe someone already cooked it and
is testing it ?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ