lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2236FBA76BA1254E88B949DDB74E612B6FF226C3@IRSMSX102.ger.corp.intel.com>
Date:   Mon, 10 Jul 2017 07:13:33 +0000
From:   "Reshetova, Elena" <elena.reshetova@...el.com>
To:     "Levin, Alexander (Sasha Levin)" <alexander.levin@...izon.com>,
        "Eric Dumazet" <eric.dumazet@...il.com>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "bridge@...ts.linux-foundation.org" 
        <bridge@...ts.linux-foundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "kuznet@....inr.ac.ru" <kuznet@....inr.ac.ru>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "kaber@...sh.net" <kaber@...sh.net>,
        "stephen@...workplumber.org" <stephen@...workplumber.org>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "keescook@...omium.org" <keescook@...omium.org>
Subject: RE: [PATCH 00/17] v3 net generic subsystem refcount conversions

> On Mon, Jul 03, 2017 at 02:28:56AM -0700, Eric Dumazet wrote:
> >On Fri, 2017-06-30 at 13:07 +0300, Elena Reshetova wrote:
> >> Changes in v3:
> >> Rebased on top of the net-next tree.
> >>
> >> Changes in v2:
> >> No changes in patches apart from rebases, but now by
> >> default refcount_t = atomic_t (*) and uses all atomic standard operations
> >> unless CONFIG_REFCOUNT_FULL is enabled. This is a compromise for the
> >> systems that are critical on performance (such as net) and cannot accept even
> >> slight delay on the refcounter operations.
> >>
> >> This series, for core network subsystem components, replaces atomic_t
> reference
> >> counters with the new refcount_t type and API (see
> include/linux/refcount.h).
> >> By doing this we prevent intentional or accidental
> >> underflows or overflows that can led to use-after-free vulnerabilities.
> >> These patches contain only generic net pieces. Other changes will be sent
> separately.
> >>
> >> The patches are fully independent and can be cherry-picked separately.
> >> The big patches, such as conversions for sock structure, need a very detailed
> >> look from maintainers: refcount managing is quite complex in them and while
> >> it seems that they would benefit from the change, extra checking is needed.
> >> The biggest corner issue is the fact that refcount_inc() does not increment
> >> from zero.
> >>
> >> If there are no objections to the patches, please merge them via respective
> trees.
> >>
> >> * The respective change is currently merged into -next as
> >>   "locking/refcount: Create unchecked atomic_t implementation".
> >>
> >> Elena Reshetova (17):
> >>   net: convert inet_peer.refcnt from atomic_t to refcount_t
> >>   net: convert neighbour.refcnt from atomic_t to refcount_t
> >>   net: convert neigh_params.refcnt from atomic_t to refcount_t
> >>   net: convert nf_bridge_info.use from atomic_t to refcount_t
> >>   net: convert sk_buff.users from atomic_t to refcount_t
> >>   net: convert sk_buff_fclones.fclone_ref from atomic_t to refcount_t
> >>   net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
> >>   net: convert sock.sk_refcnt from atomic_t to refcount_t
> >>   net: convert ip_mc_list.refcnt from atomic_t to refcount_t
> >>   net: convert in_device.refcnt from atomic_t to refcount_t
> >>   net: convert netpoll_info.refcnt from atomic_t to refcount_t
> >>   net: convert unix_address.refcnt from atomic_t to refcount_t
> >>   net: convert fib_rule.refcnt from atomic_t to refcount_t
> >>   net: convert inet_frag_queue.refcnt from atomic_t to refcount_t
> >>   net: convert net.passive from atomic_t to refcount_t
> >>   net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t
> >>   net: convert packet_fanout.sk_ref from atomic_t to refcount_t
> >
> >
> >Can you take a look at this please ?
> >
> >[   64.601749] ------------[ cut here ]------------
> >[   64.601757] WARNING: CPU: 0 PID: 6476 at lib/refcount.c:184
> refcount_sub_and_test+0x75/0xa0
> >[   64.601758] Modules linked in: w1_therm wire cdc_acm ehci_pci ehci_hcd
> mlx4_en ib_uverbs mlx4_ib ib_core mlx4_core
> >[   64.601769] CPU: 0 PID: 6476 Comm: ip Tainted: G        W       4.12.0-smp-DEV
> #274
> >[   64.601770] Hardware name: Intel RML,PCH/Iota_QC_19, BIOS 2.40.0
> 06/22/2016
> >[   64.601771] task: ffff8837bf482040 task.stack: ffff8837bdc08000
> >[   64.601773] RIP: 0010:refcount_sub_and_test+0x75/0xa0
> >[   64.601774] RSP: 0018:ffff8837bdc0f5c0 EFLAGS: 00010286
> >[   64.601776] RAX: 0000000000000026 RBX: 0000000000000001 RCX:
> 0000000000000000
> >[   64.601777] RDX: 0000000000000026 RSI: 0000000000000096 RDI:
> ffffed06f7b81eae
> >[   64.601778] RBP: ffff8837bdc0f5d0 R08: 0000000000000004 R09:
> fffffbfff4a54c25
> >[   64.601779] R10: 00000000cbc500e5 R11: ffffffffa52a6128 R12: ffff881febcf6f24
> >[   64.601779] R13: ffff881fbf4eaf00 R14: ffff881febcf6f80 R15: ffff8837d7a4ed00
> >[   64.601781] FS:  00007ff5a2f6b700(0000) GS:ffff881fff800000(0000)
> knlGS:0000000000000000
> >[   64.601782] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >[   64.601783] CR2: 00007ffcdc70d000 CR3: 0000001f9c91e000 CR4:
> 00000000001406f0
> >[   64.601783] Call Trace:
> >[   64.601786]  refcount_dec_and_test+0x11/0x20
> >[   64.601790]  fib_nl_delrule+0xc39/0x1630
> [snip]
> 
> I'm seeing a similar one coming from sctp:
> 
> refcount_t: underflow; use-after-free.
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 15570 at lib/refcount.c:186
> refcount_sub_and_test.cold.13+0x18/0x21 lib/refcount.c:186
> Kernel panic - not syncing: panic_on_warn set ...
> 
> CPU: 3 PID: 15570 Comm: syz-executor0 Not tainted 4.12.0-next-20170706+ #186
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1
> 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0x11d/0x1ef lib/dump_stack.c:52
>  panic+0x1bc/0x3ad kernel/panic.c:180
>  __warn.cold.6+0x2f/0x2f kernel/panic.c:541
>  report_bug+0x20d/0x2d0 lib/bug.c:183
>  fixup_bug+0x3f/0x90 arch/x86/kernel/traps.c:190
>  do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
>  do_trap+0x132/0x390 arch/x86/kernel/traps.c:273
>  do_error_trap+0x133/0x380 arch/x86/kernel/traps.c:310
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
>  invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:845
> RIP: 0010:refcount_sub_and_test.cold.13+0x18/0x21 lib/refcount.c:186
> RSP: 0018:ffff880062f7e270 EFLAGS: 00010282
> RAX: 0000000000000026 RBX: ffff88006086a8cc RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 1ffff1000c5efc0a RDI: ffffffffac15c400
> RBP: ffff880062f7e2f8 R08: 0000000000000006 R09: 0000000000000000
> R10: ffff880069914040 R11: 0000000000000000 R12: 00000000ffffff01
> R13: 0000000000000100 R14: 1ffff1000c5efc4e R15: 0000000000000001
>  sctp_wfree+0x183/0x620 net/sctp/socket.c:7745
>  skb_release_head_state+0x124/0x250 net/core/skbuff.c:652
>  skb_release_all+0x15/0x60 net/core/skbuff.c:665
>  __kfree_skb net/core/skbuff.c:681 [inline]
>  consume_skb+0x16c/0x500 net/core/skbuff.c:748
>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1441 [inline]
>  sctp_chunk_put+0x206/0x430 net/sctp/sm_make_chunk.c:1468
>  sctp_chunk_free+0x53/0x60 net/sctp/sm_make_chunk.c:1455
>  __sctp_outq_teardown+0x274/0x15b0 net/sctp/outqueue.c:228
>  sctp_outq_free+0x15/0x20 net/sctp/outqueue.c:284
>  sctp_association_free+0x2d4/0x934 net/sctp/associola.c:358
>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:917 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1333 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
>  sctp_do_sm+0x4024/0x6d60 net/sctp/sm_sideeffect.c:1170
>  sctp_primitive_ABORT+0xa0/0xd0 net/sctp/primitive.c:119
>  sctp_close+0x293/0x9b0 net/sctp/socket.c:1529
>  inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
>  inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
>  sock_release+0x8d/0x1b0 net/socket.c:597
>  sock_close+0x16/0x20 net/socket.c:1112
>  __fput+0x327/0x920 fs/file_table.c:210
>  ____fput+0x15/0x20 fs/file_table.c:246
> llcp: llcp_sock_recvmsg: Recv datagram failed state 5 -11 0
>  task_work_run+0x192/0x270 kernel/task_work.c:116
>  exit_task_work include/linux/task_work.h:21 [inline]
>  do_exit+0xa42/0x1ba0 kernel/exit.c:864
>  do_group_exit+0x151/0x410 kernel/exit.c:966
>  get_signal+0x84e/0x18a0 kernel/signal.c:2330
>  do_signal+0x9c/0x2210 arch/x86/kernel/signal.c:808
>  exit_to_usermode_loop+0x187/0x220 arch/x86/entry/common.c:157
>  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
>  syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
>  do_syscall_64+0x50b/0x740 arch/x86/entry/common.c:289
> llcp: llcp_sock_recvmsg: Recv datagram failed state 5 -11 0
>  entry_SYSCALL64_slow_path+0x25/0x25
> RIP: 0033:0x452309
> RSP: 002b:00007f6aed443cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 0000000000718218 RCX: 0000000000452309
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718218
> RBP: 00000000007181f8 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffb90a5aae
> R13: 00007fffb90a5aaf R14: 00007f6aed4449c0 R15: 00007f6aed444700
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: 0x24000000 from 0xffffffff81000000 (relocation range:
> 0xffffffff80000000-0xffffffffbfffffff)
> Rebooting in 86400 seconds..
> 

Thank you for reporting this! However, I might need some help checking
what is going on there. Your kernel is enabled to panic on warn, which is great
since it gives us understanding that this is a different issue than previous one
(otherwise we would see a panic earlier when failing to increment from zero somewhere).
The code that causes the warning here is this:

@@ -7684,7 +7684,7 @@ static void sctp_wfree(struct sk_buff *skb)
 				sizeof(struct sk_buff) +
 				sizeof(struct sctp_chunk);
 
-	atomic_sub(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc);
+	WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc));

As you can see previously it would just do a atomic_sub() and not care of
end result, but now it issues a warning if result underflows. 
Is it possible that it just uncovered the existing bug or was it supposed to underflow in
certain conditions?

Best Regards,
Elena.

> --
> 
> Thanks,
> Sasha

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ