Message-ID: <bce7022aba1a48fa9fd2454bd56d66b7@huawei.com>
Date:   Tue, 15 Jun 2021 03:25:01 +0000
From:   "zhudi (J)" <zhudi21@...wei.com>
To:     Jesse Brandeburg <jesse.brandeburg@...el.com>,
        "anthony.l.nguyen@...el.com" <anthony.l.nguyen@...el.com>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Subject: use-after-free in i40e_sync_vsi_filters

Jun 11 21:32:45 euleros-pxe kernel: [17883.745427] BUG: KASAN: use-after-free in i40e_sync_vsi_filters+0x4f0/0x1850 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.745826] Read of size 4 at addr ffff88897b8fd518 by task kworker/0:3/1078495

Jun 11 21:32:45 euleros-pxe kernel: [17883.746184]
Jun 11 21:32:45 euleros-pxe kernel: [17883.746410] CPU: 0 PID: 1078495 Comm: kworker/0:3 Kdump: loaded Tainted: G
Jun 11 21:32:45 euleros-pxe kernel: [17883.746414] Hardware name: Huawei 1288H V5/BC11SPSCC0, BIOS 0.59 02/24/2018
Jun 11 21:32:45 euleros-pxe kernel: [17883.746449] Workqueue: i40e i40e_service_task [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.746453] Call Trace:
Jun 11 21:32:45 euleros-pxe kernel: [17883.746466]  dump_stack+0xc2/0x12e
Jun 11 21:32:45 euleros-pxe kernel: [17883.746481]  print_address_description+0x70/0x360
Jun 11 21:32:45 euleros-pxe kernel: [17883.746491]  ? vprintk_func+0x5e/0xf0
Jun 11 21:32:45 euleros-pxe kernel: [17883.746502]  kasan_report+0x1b2/0x330
Jun 11 21:32:45 euleros-pxe kernel: [17883.746604]  i40e_sync_vsi_filters+0x4f0/0x1850 [i40e]

 2492                 /* Now move all of the filters from the temp add list back to
 2493                  * the VSI's list.
 2494                  */
 2495                 spin_lock_bh(&vsi->mac_filter_hash_lock);
 2496                 hlist_for_each_entry_safe(new, h, &tmp_add_list, hlist) {
 2497                         /* Only update the state if we're still NEW */
 2498                         if (new->f->state == I40E_FILTER_NEW)   <------ UAF read here
 2499                                 new->f->state = new->state;
 2500                         hlist_del(&new->hlist);
 2501                         kfree(new);
 2502                 }
 2503                 spin_unlock_bh(&vsi->mac_filter_hash_lock);
 2504                 kfree(add_list);
 2505                 add_list = NULL;
 2506         }


Jun 11 21:32:45 euleros-pxe kernel: [17883.746756]  i40e_sync_filters_subtask+0xe3/0x130 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.746790]  i40e_service_task+0x195/0x24c0 [i40e]

Jun 11 21:32:45 euleros-pxe kernel: [17883.747296] Allocated by task 2279810:
Jun 11 21:32:45 euleros-pxe kernel: [17883.747539]  kasan_kmalloc+0xa0/0xd0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747546]  kmem_cache_alloc_trace+0xf3/0x1e0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747578]  i40e_add_filter+0x127/0x2b0 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.747617]  i40e_add_mac_filter+0x156/0x190 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.747653]  i40e_addr_sync+0x2d/0x40 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.747661]  __hw_addr_sync_dev+0x154/0x210
Jun 11 21:32:45 euleros-pxe kernel: [17883.747691]  i40e_set_rx_mode+0x6d/0xf0 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.747699]  __dev_set_rx_mode+0xfb/0x1f0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747706]  __dev_mc_add+0x6c/0x90
Jun 11 21:32:45 euleros-pxe kernel: [17883.747720]  igmp6_group_added+0x214/0x230
Jun 11 21:32:45 euleros-pxe kernel: [17883.747727]  __ipv6_dev_mc_inc+0x338/0x4f0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747736]  addrconf_join_solict.part.7+0xa2/0xd0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747742]  addrconf_dad_work+0x500/0x980
Jun 11 21:32:45 euleros-pxe kernel: [17883.747749]  process_one_work+0x3f5/0x7d0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747755]  worker_thread+0x61/0x6c0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747766]  kthread+0x1c3/0x1f0
Jun 11 21:32:45 euleros-pxe kernel: [17883.747773]  ret_from_fork+0x35/0x40

Jun 11 21:32:45 euleros-pxe kernel: [17883.748016] Freed by task 2547073:
Jun 11 21:32:45 euleros-pxe kernel: [17883.748262]  __kasan_slab_free+0x130/0x180
Jun 11 21:32:45 euleros-pxe kernel: [17883.748268]  kfree+0x90/0x1b0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748299]  __i40e_del_filter+0xa3/0xf0 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.748330]  i40e_del_mac_filter+0xf3/0x130 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.748366]  i40e_addr_unsync+0x85/0xa0 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.748373]  __hw_addr_sync_dev+0x9d/0x210
Jun 11 21:32:45 euleros-pxe kernel: [17883.748403]  i40e_set_rx_mode+0x6d/0xf0 [i40e]
Jun 11 21:32:45 euleros-pxe kernel: [17883.748414]  __dev_set_rx_mode+0xfb/0x1f0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748421]  __dev_mc_del+0x69/0x80
Jun 11 21:32:45 euleros-pxe kernel: [17883.748433]  igmp6_group_dropped+0x279/0x510
Jun 11 21:32:45 euleros-pxe kernel: [17883.748440]  __ipv6_dev_mc_dec+0x174/0x220
Jun 11 21:32:45 euleros-pxe kernel: [17883.748449]  addrconf_leave_solict.part.8+0xa2/0xd0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748457]  __ipv6_ifa_notify+0x4cd/0x570
Jun 11 21:32:45 euleros-pxe kernel: [17883.748465]  ipv6_ifa_notify+0x58/0x80
Jun 11 21:32:45 euleros-pxe kernel: [17883.748474]  ipv6_del_addr+0x259/0x4a0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748480]  inet6_addr_del+0x188/0x260
Jun 11 21:32:45 euleros-pxe kernel: [17883.748486]  addrconf_del_ifaddr+0xcc/0x130
Jun 11 21:32:45 euleros-pxe kernel: [17883.748493]  inet6_ioctl+0x152/0x190
Jun 11 21:32:45 euleros-pxe kernel: [17883.748501]  sock_do_ioctl+0xd8/0x2b0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748509]  sock_ioctl+0x2e5/0x4c0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748516]  do_vfs_ioctl+0x14e/0xa80
Jun 11 21:32:45 euleros-pxe kernel: [17883.748528]  ksys_ioctl+0x7c/0xa0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748535]  __x64_sys_ioctl+0x42/0x50
Jun 11 21:32:45 euleros-pxe kernel: [17883.748543]  do_syscall_64+0x98/0x2c0
Jun 11 21:32:45 euleros-pxe kernel: [17883.748552]  entry_SYSCALL_64_after_hwframe+0x65/0xca

The problem is obvious:
CPU0:                                                   CPU1:
i40e_sync_vsi_filters()
        spin_lock_bh(&vsi->mac_filter_hash_lock);
                new->f = f;
                new->state = f->state;
        spin_unlock_bh(&vsi->mac_filter_hash_lock);

                                                        __i40e_del_filter()
                                                                kfree(f)

        spin_lock_bh(&vsi->mac_filter_hash_lock);
                hlist_for_each_entry_safe(new, h, &tmp_add_list, hlist) {

                        if (new->f->state == I40E_FILTER_NEW)
                                new->f->state = new->state;
                }
        spin_unlock_bh(&vsi->mac_filter_hash_lock);


Do you have a way to fix it? 

Thanks
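As an added example (not i40e code and not part of the reporter's message), here is a single-threaded C model of the interleaving drawn above, hardened the way a reviewer would first ask for: the temp add list records each NEW filter by its (mac, vlan) key instead of caching the struct pointer in new->f, and the commit phase re-looks the key up after re-taking the lock, so a filter freed by __i40e_del_filter in between is simply absent. Locking is elided, run_race() replays the race deterministically, and all struct and function names are assumptions of the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum fstate { F_NEW, F_ACTIVE };
struct filter  { uint8_t mac[6]; int16_t vlan; enum fstate state; struct filter *next; };
struct vsi     { struct filter *head; };                                /* stands in for mac_filter_hash */
struct pending { uint8_t mac[6]; int16_t vlan; struct pending *next; }; /* key only: no cached f pointer */
/* Returns the link that points at the matching filter, or at NULL if it is absent. */
static struct filter **find_slot(struct vsi *v, const uint8_t *mac, int16_t vlan) {
    struct filter **pp = &v->head;
    while (*pp && ((*pp)->vlan != vlan || memcmp((*pp)->mac, mac, 6) != 0)) pp = &(*pp)->next;
    return pp;
}
static void add_filter(struct vsi *v, const uint8_t *mac, int16_t vlan) {
    struct filter *f = calloc(1, sizeof *f);
    memcpy(f->mac, mac, 6); f->vlan = vlan; f->state = F_NEW; f->next = v->head; v->head = f;
}
/* Unlink and free, as __i40e_del_filter does; may run from another CPU at any time. */
static void del_filter(struct vsi *v, const uint8_t *mac, int16_t vlan) {
    struct filter **pp = find_slot(v, mac, vlan);
    if (*pp) { struct filter *f = *pp; *pp = f->next; free(f); }
}
/* Phase 1 (hash lock held): record NEW filters by key rather than by struct pointer. */
static struct pending *snapshot_new(struct vsi *v) {
    struct pending *list = NULL;
    for (struct filter *f = v->head; f; f = f->next) {
        if (f->state != F_NEW) continue;
        struct pending *p = calloc(1, sizeof *p);
        memcpy(p->mac, f->mac, 6); p->vlan = f->vlan; p->next = list; list = p;
    }
    return list;
}
/* Phase 3 (lock re-taken): re-look up each key; a filter freed meanwhile is simply absent. */
static int commit_snapshot(struct vsi *v, struct pending *list) {
    int updated = 0;
    while (list) {
        struct pending *p = list; list = p->next; struct filter *f = *find_slot(v, p->mac, p->vlan);
        if (f && f->state == F_NEW) { f->state = F_ACTIVE; updated++; }
        free(p);
    }
    return updated;
}
/* Deterministic replay of the reported interleaving: snapshot, concurrent delete, commit. */
static int run_race(int delete_between_phases) {
    static const uint8_t a[6] = {2,0,0,0,0,1}, b[6] = {2,0,0,0,0,2};   /* constructed MACs */
    struct vsi v = { NULL }; add_filter(&v, a, 0); add_filter(&v, b, 0);
    struct pending *snap = snapshot_new(&v);          /* CPU0: under lock, then unlocks */
    if (delete_between_phases) del_filter(&v, a, 0);  /* CPU1: __i40e_del_filter -> kfree(f) */
    int n = commit_snapshot(&v, snap);                /* CPU0: relocks; no stale f->state read */
    while (v.head) del_filter(&v, v.head->mac, v.head->vlan);
    return n;
}
```

With the concurrent delete, only the surviving filter is promoted; the freed one is skipped instead of being read through a dangling pointer.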
