lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4F88C5DDA1E80143B232E89585ACE27D018C968B@DGGEMA502-MBS.china.huawei.com>
Date:   Sun, 23 Jul 2017 08:21:31 +0000
From:   "liujian (CE)" <liujian56@...wei.com>
To:     Cong Wang <xiyou.wangcong@...il.com>,
        Dingtianhong <dingtianhong@...wei.com>
CC:     Willem de Bruijn <willemdebruijn.kernel@...il.com>,
        Dave Jones <davej@...emonkey.org.uk>,
        "alexander.levin@...izon.com" <alexander.levin@...izon.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "willemb@...gle.com" <willemb@...gle.com>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: af_packet: use after free in prb_retire_rx_blk_timer_expired

Hi Wang Cong,

With this patch , the system was crashed when setsockopt. 

The call trace as below:  

crash> bt
PID: 3069   TASK: ffff8800afcc0000  CPU: 0   COMMAND: "trinity-main"
 #0 [ffff8801bec03ce0] machine_kexec at ffffffff8105354b
 #1 [ffff8801bec03d40] crash_kexec at ffffffff810f7e82
 #2 [ffff8801bec03e10] panic at ffffffff81650058
 #3 [ffff8801bec03e90] watchdog_timer_fn at ffffffff81122533
 #4 [ffff8801bec03ec8] __hrtimer_run_queues at ffffffff810abeb2
 #5 [ffff8801bec03f20] hrtimer_interrupt at ffffffff810ac450
 #6 [ffff8801bec03f70] local_apic_timer_interrupt at ffffffff8104a457
 #7 [ffff8801bec03f88] smp_apic_timer_interrupt at ffffffff8166aed0
 #8 [ffff8801bec03fb0] apic_timer_interrupt at ffffffff8166931d
--- <IRQ stack> ---
 #9 [ffff8801b301fcb8] apic_timer_interrupt at ffffffff8166931d
    [exception RIP: lock_timer_base+77]
    RIP: ffffffff8108dced  RSP: ffff8801b301fd60  RFLAGS: 00000246
    RAX: 0000000000000000  RBX: ffff8800afcc0000  RCX: 0000000000000001
    RDX: ffff8800afcc0000  RSI: ffff8801b301fd90  RDI: ffff8800b0d853c8
    RBP: ffff8801b301fd80   R8: ffff8800afcc0000   R9: ffffea0002680000
    R10: 000000000000003c  R11: ffff8801b301fb2e  R12: ffff8800afcc0000
    R13: ffff8800afcc0000  R14: 0000000000000000  R15: ffffffff83d1a340
    ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
#10 [ffff8801b301fd88] try_to_del_timer_sync at ffffffff8108f19f
#11 [ffff8801b301fdb8] del_timer_sync at ffffffff8108f252
#12 [ffff8801b301fdd0] packet_set_ring at ffffffff81635e60
#13 [ffff8801b301fe98] packet_setsockopt at ffffffff81636760
#14 [ffff8801b301ff38] sys_setsockopt at ffffffff81531860
#15 [ffff8801b301ff80] tracesys at ffffffff816687ed (via system_call)
    RIP: 00007fcc78b03e3a  RSP: 00007fff16f246b8  RFLAGS: 00000202
    RAX: ffffffffffffffda  RBX: ffffffff816687ed  RCX: ffffffffffffffff
    RDX: 0000000000000005  RSI: 0000000000000107  RDI: 0000000000000180
    RBP: 0000000000000180   R8: 000000000000001c   R9: 00007fcc78dc7160
    R10: 0000000001fd6ba0  R11: 0000000000000202  R12: 0000000000000000
    R13: 0000000000000011  R14: 0000000001fd6b60  R15: 0000000001fd6b70
    ORIG_RAX: 0000000000000036  CS: 0033  SS: 002b


Best Regards,
liujian


> -----Original Message-----
> From: Cong Wang [mailto:xiyou.wangcong@...il.com]
> Sent: Sunday, July 23, 2017 1:59 PM
> To: Dingtianhong
> Cc: liujian (CE); Willem de Bruijn; Dave Jones; alexander.levin@...izon.com;
> davem@...emloft.net; edumazet@...gle.com; willemb@...gle.com;
> daniel@...earbox.net; netdev@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: Re: af_packet: use after free in prb_retire_rx_blk_timer_expired
> 
> On Sat, Jul 22, 2017 at 8:40 PM, Ding Tianhong <dingtianhong@...wei.com>
> wrote:
> > Hi, Cong:
> >
> > Thanks for your quirk solution, but I still has some doubts about it,
> > it looks like fix the problem in the
> > packet_setsockopt->packet_set_ring processing, but when in
> > packet_release processing, it may could not release the real pg_vec
> > for the TPACKET_V3 ring, and then cause the mem leak, maybe I miss
> > something here, nice to hear from your feedback. :)
> 
> Yes you miss that packet_release() has memset()'s so we won't hit that path. :)
> 
> However, I missed the swap() in this messy function, actually I believe the bug
> is that we modify tpacket_kbdq_core inside rx_ring in non-closing case without
> actually stopping its timer. I feel more confident with the following patch:
> 
> 
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index
> 008bb34ee324..267b181fef15 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -4263,6 +4263,7 @@ static int packet_set_ring(struct sock *sk, union
> tpacket_req_u *req_u,
>                 case TPACKET_V3:
>                         /* Block transmit is not supported yet */
>                         if (!tx_ring) {
> +                               prb_shutdown_retire_blk_timer(po,
> + rb_queue);
>                                 init_prb_bdqc(po, rb, pg_vec, req_u);
>                         } else {
>                                 struct tpacket_req3 *req3 =
> &req_u->req3;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ