lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAM_iQpWwMvfCdMt0StWWFit0LeEUVyTbUXSphXaf6uoTPXtvLQ@mail.gmail.com>
Date:   Fri, 11 May 2018 10:47:49 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Roman Mashak <mrv@...atatu.com>
Cc:     David Miller <davem@...emloft.net>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        kernel@...atatu.com, Jamal Hadi Salim <jhs@...atatu.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Alexander Duyck <alexander.duyck@...il.com>
Subject: Re: [PATCH v2 net 1/1] net sched actions: fix invalid pointer
 dereferencing if skbedit flags missing

On Fri, May 11, 2018 at 7:55 AM, Roman Mashak <mrv@...atatu.com> wrote:
> When application fails to pass flags in netlink TLV for a new skbedit action,
> the kernel results in the following oops:
>
> [    8.307732] BUG: unable to handle kernel paging request at 0000000000021130
> [    8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
> [    8.310595] Oops: 0000 [#1] SMP PTI
> [    8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
> [    8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
> [    8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
> [    8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
> [    8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
> [    8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
> [    8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
> [    8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
> [    8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
> [    8.325590] FS:  00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
> [    8.327001] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
> [    8.329289] Call Trace:
> [    8.329735]  tcf_skbedit_init+0xa7/0xb0
> [    8.330423]  tcf_action_init_1+0x362/0x410
> [    8.331139]  ? try_to_wake_up+0x44/0x430
> [    8.331817]  tcf_action_init+0x103/0x190
> [    8.332511]  tc_ctl_action+0x11a/0x220
> [    8.333174]  rtnetlink_rcv_msg+0x23d/0x2e0
> [    8.333902]  ? _cond_resched+0x16/0x40
> [    8.334569]  ? __kmalloc_node_track_caller+0x5b/0x2c0
> [    8.335440]  ? rtnl_calcit.isra.31+0xf0/0xf0
> [    8.336178]  netlink_rcv_skb+0xdb/0x110
> [    8.336855]  netlink_unicast+0x167/0x220
> [    8.337550]  netlink_sendmsg+0x2a7/0x390
> [    8.338258]  sock_sendmsg+0x30/0x40
> [    8.338865]  ___sys_sendmsg+0x2c5/0x2e0
> [    8.339531]  ? pagecache_get_page+0x27/0x210
> [    8.340271]  ? filemap_fault+0xa2/0x630
> [    8.340943]  ? page_add_file_rmap+0x108/0x200
> [    8.341732]  ? alloc_set_pte+0x2aa/0x530
> [    8.342573]  ? finish_fault+0x4e/0x70
> [    8.343332]  ? __handle_mm_fault+0xbc1/0x10d0
> [    8.344337]  ? __sys_sendmsg+0x53/0x80
> [    8.345040]  __sys_sendmsg+0x53/0x80
> [    8.345678]  do_syscall_64+0x4f/0x100
> [    8.346339]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [    8.347206] RIP: 0033:0x7f591191da67
> [    8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [    8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
> [    8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
> [    8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
> [    8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
> [    8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
> [    8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
> 00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
> 74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
> [    8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
> [    8.359770] CR2: 0000000000021130
> [    8.360438] ---[ end trace 60c66be45dfc14f0 ]---
>
> The caller calls action's ->init() and passes pointer to "struct tc_action *a",
> which later may be initialized to point at the existing action, otherwise
> "struct tc_action *a" is still invalid, and therefore dereferencing it is an
> error as happens in tcf_idr_release, where refcnt is decremented.
>
> So in case of missing flags tcf_idr_release must be called only for
> existing actions.
>
> v2:
>     - prepare patch for net tree
>
> Signed-off-by: Roman Mashak <mrv@...atatu.com>

Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding")

Acked-by: Cong Wang <xiyou.wangcong@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ