lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAM_iQpUxmME-9Gi9=dtAgeGeK4v3R0NV-REFRtMAU26yBXwrPQ@mail.gmail.com>
Date:   Wed, 31 May 2017 09:45:40 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Andrey Konovalov <andreyknvl@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        James Morris <jmorris@...ei.org>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Patrick McHardy <kaber@...sh.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        David Ahern <dsa@...ulusnetworks.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/ipv6: use-after-free in ip6_dst_ifdown

On Wed, May 31, 2017 at 2:42 AM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 5ed02dbb497422bf225783f46e6eadd237d23d6b (4.12-rc3).
>
> Unfortunately it's not reproducible.
>
> ==================================================================
> BUG: KASAN: use-after-free in ip6_dst_ifdown+0x3cc/0x400 net/ipv6/route.c:422
> Read of size 8 at addr ffff88006afa4ad8 by task syz-executor6/23554


This one is very interesting.

Here we are at:

        if (dev != loopback_dev) {
                if (idev && idev->dev == dev) {
                        struct inet6_dev *loopback_idev =
                                in6_dev_get(loopback_dev);
                        if (loopback_idev) {
                                rt->rt6i_idev = loopback_idev;
                                in6_dev_put(idev);
                        }
                }
        }

clearly no skb involved, it looks like idev is the one used-after-free.

But below it is actually skb which is allocated and freed...


>
> CPU: 3 PID: 23554 Comm: syz-executor6 Not tainted 4.12.0-rc3+ #370
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0x292/0x395 lib/dump_stack.c:52
>  print_address_description+0x73/0x280 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351 [inline]
>  kasan_report+0x22b/0x340 mm/kasan/report.c:408
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
>  ip6_dst_ifdown+0x3cc/0x400 net/ipv6/route.c:422
>  dst_ifdown+0x75/0x230 net/core/dst.c:439
>  dst_dev_event+0xb1/0x230 net/core/dst.c:466
>  notifier_call_chain+0x145/0x2e0 kernel/notifier.c:93
>  __raw_notifier_call_chain kernel/notifier.c:394 [inline]
>  raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
>  call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1649
>  call_netdevice_notifiers net/core/dev.c:1665 [inline]
>  __dev_notify_flags+0x1fd/0x320 net/core/dev.c:6640
>  dev_change_flags+0xf5/0x140 net/core/dev.c:6671
>  dev_ifsioc+0x62a/0x9f0 net/core/dev_ioctl.c:254
>  dev_ioctl+0x249/0x1160 net/core/dev_ioctl.c:532
>  sock_do_ioctl+0x94/0xb0 net/socket.c:913
>  sock_ioctl+0x28f/0x440 net/socket.c:1004
>  vfs_ioctl fs/ioctl.c:45 [inline]
>  do_vfs_ioctl+0x1bf/0x1660 fs/ioctl.c:685
>  SYSC_ioctl fs/ioctl.c:700 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
>  entry_SYSCALL_64_fastpath+0x1f/0xbe
> RIP: 0033:0x446179
> RSP: 002b:00007fd1da4bdc08 EFLAGS: 00000282 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 0000000000003220 RCX: 0000000000446179
> RDX: 0000000020d34000 RSI: 0000000000008914 RDI: 0000000000000005
> RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000005
> R13: 0000000000000390 R14: 00000000006e1450 R15: 0000000000000000
>
> Allocated by task 23235:
>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>  set_track mm/kasan/kasan.c:525 [inline]
>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617
>  kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:555
>  slab_post_alloc_hook mm/slab.h:456 [inline]
>  slab_alloc_node mm/slub.c:2718 [inline]
>  __kmalloc_node_track_caller+0x20d/0x350 mm/slub.c:4303
>  __kmalloc_reserve.isra.32+0x41/0xd0 net/core/skbuff.c:138
>  __alloc_skb+0x157/0x770 net/core/skbuff.c:231
>  alloc_skb include/linux/skbuff.h:936 [inline]
>  alloc_skb_with_frags+0x12e/0x780 net/core/skbuff.c:4690
>  sock_alloc_send_pskb+0x804/0xa30 net/core/sock.c:2000
>  tun_alloc_skb drivers/net/tun.c:1144 [inline]
>  tun_get_user+0x91a/0x2e10 drivers/net/tun.c:1274
>  tun_chr_write_iter+0xd8/0x190 drivers/net/tun.c:1365
>  call_write_iter include/linux/fs.h:1734 [inline]
>  new_sync_write fs/read_write.c:497 [inline]
>  __vfs_write+0x483/0x760 fs/read_write.c:510
>  vfs_write+0x187/0x500 fs/read_write.c:558
>  SYSC_write fs/read_write.c:605 [inline]
>  SyS_write+0xfb/0x230 fs/read_write.c:597
>  entry_SYSCALL_64_fastpath+0x1f/0xbe
>
> Freed by task 23235:
>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>  set_track mm/kasan/kasan.c:525 [inline]
>  kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590
>  slab_free_hook mm/slub.c:1357 [inline]
>  slab_free_freelist_hook mm/slub.c:1379 [inline]
>  slab_free mm/slub.c:2961 [inline]
>  kfree+0xe8/0x2b0 mm/slub.c:3882
>  skb_free_head+0x74/0xb0 net/core/skbuff.c:579
>  skb_release_data+0x3ce/0x4a0 net/core/skbuff.c:610
>  skb_release_all+0x4a/0x60 net/core/skbuff.c:669
>  __kfree_skb+0x15/0x20 net/core/skbuff.c:683
>  kfree_skb+0x16e/0x4e0 net/core/skbuff.c:704
>  llc_rcv+0x5c7/0xed0 net/llc/llc_input.c:214
>  __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4216
>  __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4254
>  netif_receive_skb_internal+0x240/0x1b20 net/core/dev.c:4416
>  netif_receive_skb+0xae/0x3b0 net/core/dev.c:4440
>  tun_rx_batched.isra.40+0x5e5/0x8c0 drivers/net/tun.c:1167
>  tun_get_user+0x100d/0x2e10 drivers/net/tun.c:1339
>  tun_chr_write_iter+0xd8/0x190 drivers/net/tun.c:1365
>  call_write_iter include/linux/fs.h:1734 [inline]
>  new_sync_write fs/read_write.c:497 [inline]
>  __vfs_write+0x483/0x760 fs/read_write.c:510
>  vfs_write+0x187/0x500 fs/read_write.c:558
>  SYSC_write fs/read_write.c:605 [inline]
>  SyS_write+0xfb/0x230 fs/read_write.c:597
>  entry_SYSCALL_64_fastpath+0x1f/0xbe
>
> The buggy address belongs to the object at ffff88006afa4ad8
>  which belongs to the cache kmalloc-1024 of size 1024
> The buggy address is located 0 bytes inside of
>  1024-byte region [ffff88006afa4ad8, ffff88006afa4ed8)
> The buggy address belongs to the page:
> page:ffffea0001abe800 count:1 mapcount:0 mapping:          (null)
> index:0x0 compound_mapcount: 0
> flags: 0x500000000008100(slab|head)
> raw: 0500000000008100 0000000000000000 0000000000000000 0000000100170017
> raw: ffffea00017ef420 ffffea0001aaa420 ffff88003e80efc0 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff88006afa4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff88006afa4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>ffff88006afa4a80: fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb
>                                                     ^
>  ffff88006afa4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff88006afa4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ