| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Feb 2021 18:12:29 +0200
From: Vlad Buslov <vladbu@...dia.com>
To: Cong Wang <xiyou.wangcong@...il.com>
CC: syzbot <syzbot+151e3e714d34ae4ce7e8@...kaller.appspotmail.com>,
"David Miller" <davem@...emloft.net>,
Jamal Hadi Salim <jhs@...atatu.com>,
"Jiri Pirko" <jiri@...nulli.us>, Jakub Kicinski <kuba@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux Kernel Network Developers <netdev@...r.kernel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
On Tue 16 Feb 2021 at 01:22, Cong Wang <xiyou.wangcong@...il.com> wrote:
> On Wed, Feb 10, 2021 at 9:53 PM syzbot
> <syzbot+151e3e714d34ae4ce7e8@...kaller.appspotmail.com> wrote:
>>
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit: 291009f6 Merge tag 'pm-5.11-rc8' of git://git.kernel.org/p..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14470d18d00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=a53fd47f16f22f8c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=151e3e714d34ae4ce7e8
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f45814d00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15f4aff8d00000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+151e3e714d34ae4ce7e8@...kaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
>> BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
>> BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:178 [inline]
>> BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
>> Read of size 4 at addr 0000000000000010 by task kworker/u4:5/204
>>
>> CPU: 0 PID: 204 Comm: kworker/u4:5 Not tainted 5.11.0-rc7-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Workqueue: netns cleanup_net
>> Call Trace:
>> __dump_stack lib/dump_stack.c:79 [inline]
>> dump_stack+0x107/0x163 lib/dump_stack.c:120
>> __kasan_report mm/kasan/report.c:400 [inline]
>> kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413
>> check_memory_region_inline mm/kasan/generic.c:179 [inline]
>> check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
>> instrument_atomic_read include/linux/instrumented.h:71 [inline]
>> atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
>> __tcf_idr_release net/sched/act_api.c:178 [inline]
>> tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
>> tc_action_net_exit include/net/act_api.h:151 [inline]
>> police_exit_net+0x168/0x360 net/sched/act_police.c:390
>
> This is really strange. It seems we still left some -EBUSY placeholders
> in the idr, however, we actually call tcf_action_destroy() to clean up
> everything including -EBUSY ones on error path.
>
> What do you think, Vlad?
>
> Thanks.
Hi Cong,
I couldn't reproduce the issue with syzbot repro.c, but it looks like we
are missing tcf_idr_insert_many() in exts->police handling code inside
tcf_exts_validate() which calls tcf_action_init_1(). After recent
changes action is no longer inserted in idr by init_1 and requires
manual call to tcf_idr_insert_many(). I'll send a fix.
Regards,
Vlad
Powered by blists - more mailing lists