lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADvbK_cwfzgM-bFW3fNX2Ckh4UWGeEpSvM4NQ-=08=BWHfTNdg@mail.gmail.com>
Date:   Sat, 17 Jul 2021 14:13:10 -0400
From:   Xin Long <lucien.xin@...il.com>
To:     Hillf Danton <hdanton@...a.com>
Cc:     syzbot <syzbot+b774577370208727d12b@...kaller.appspotmail.com>,
        LKML <linux-kernel@...r.kernel.org>,
        sctp <linux-sctp@...r.kernel.org>,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        network dev <netdev@...r.kernel.org>,
        Neil Horman <nhorman@...driver.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Vlad Yasevich <vyasevich@...il.com>
Subject: Re: [syzbot] KASAN: use-after-free Write in sctp_auth_shkey_hold

On Sat, Jul 17, 2021 at 12:57 AM Hillf Danton <hdanton@...a.com> wrote:
>
> On Fri, 16 Jul 2021 16:01:01 -0400 Xin Long wrote:
> >On Mon, Jul 12, 2021 at 12:46 AM syzbot wrote:
> >>
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    5e437416 Merge branch 'dsa-mv88e6xxx-topaz-fixes'
> >> git tree:       net-next
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=14503bac300000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=4cb84363d46e9fc3
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=b774577370208727d12b
> >>
> >> Unfortunately, I don't have any reproducer for this issue yet.
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+b774577370208727d12b@...kaller.appspotmail.com
> >>
> >> ==================================================================
> >> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> >> BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:111 [inline]
> >> BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
> >> BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
> >> BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
> >> BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
> >> Write of size 4 at addr ffff88802053ad58 by task syz-executor.1/31590
> >>
> >> CPU: 0 PID: 31590 Comm: syz-executor.1 Not tainted 5.13.0-syzkaller #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> Call Trace:
> >>  __dump_stack lib/dump_stack.c:79 [inline]
> >>  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:96
> >>  print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
> >>  __kasan_report mm/kasan/report.c:419 [inline]
> >>  kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
> >>  check_region_inline mm/kasan/generic.c:183 [inline]
> >>  kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
> >>  instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> >>  atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:111 [inline]
> >>  __refcount_add include/linux/refcount.h:193 [inline]
> >>  __refcount_inc include/linux/refcount.h:250 [inline]
> >>  refcount_inc include/linux/refcount.h:267 [inline]
> >>  sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
> >>  sctp_set_owner_w net/sctp/socket.c:131 [inline]
>
> 1)      datamsg = sctp_datamsg_from_user(asoc, sinfo, &msg->msg_iter);
>
> Chunks are built with sock lock held(lock_sock(sk);).
>
> >>  sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
> >>  sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
> >>  inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
> >>  sock_sendmsg_nosec net/socket.c:702 [inline]
> >>  sock_sendmsg+0xcf/0x120 net/socket.c:722
> >>  ____sys_sendmsg+0x331/0x810 net/socket.c:2385
> >>  ___sys_sendmsg+0xf3/0x170 net/socket.c:2439
> >>  __sys_sendmmsg+0x195/0x470 net/socket.c:2525
> >>  __do_sys_sendmmsg net/socket.c:2554 [inline]
> >>  __se_sys_sendmmsg net/socket.c:2551 [inline]
> >>  __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2551
> >>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> >>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >> RIP: 0033:0x4665d9
> >> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> >> RSP: 002b:00007f679ad9b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
> >> RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
> >> RDX: 0000000000000002 RSI: 0000000020002340 RDI: 0000000000000003
> >> RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
> >> R13: 00007ffc95431f0f R14: 00007f679ad9b300 R15: 0000000000022000
> >>
> >> Allocated by task 31590:
> >>  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
> >>  kasan_set_track mm/kasan/common.c:46 [inline]
> >>  set_alloc_info mm/kasan/common.c:434 [inline]
> >>  ____kasan_kmalloc mm/kasan/common.c:513 [inline]
> >>  ____kasan_kmalloc mm/kasan/common.c:472 [inline]
> >>  __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
> >>  kmalloc include/linux/slab.h:591 [inline]
> >>  kzalloc include/linux/slab.h:721 [inline]
> >>  sctp_auth_shkey_create+0x85/0x1f0 net/sctp/auth.c:84
> >>  sctp_auth_asoc_copy_shkeys+0x1e8/0x350 net/sctp/auth.c:363
> >>  sctp_association_init net/sctp/associola.c:257 [inline]
> >>  sctp_association_new+0x1829/0x2250 net/sctp/associola.c:298
> >>  sctp_connect_new_asoc+0x1ac/0x770 net/sctp/socket.c:1088
> >>  __sctp_connect+0x3d0/0xc30 net/sctp/socket.c:1194
> >>  sctp_connect net/sctp/socket.c:4804 [inline]
> >>  sctp_inet_connect+0x15e/0x200 net/sctp/socket.c:4819
> >>  __sys_connect_file+0x155/0x1a0 net/socket.c:1872
> >>  __sys_connect+0x161/0x190 net/socket.c:1889
> >>  __do_sys_connect net/socket.c:1899 [inline]
> >>  __se_sys_connect net/socket.c:1896 [inline]
> >>  __x64_sys_connect+0x6f/0xb0 net/socket.c:1896
> >>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> >>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>
> >> Freed by task 31590:
> >>  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
> >>  kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
> >>  kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
> >>  ____kasan_slab_free mm/kasan/common.c:366 [inline]
> >>  ____kasan_slab_free mm/kasan/common.c:328 [inline]
> >>  __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
> >>  kasan_slab_free include/linux/kasan.h:229 [inline]
> >>  slab_free_hook mm/slub.c:1639 [inline]
> >>  slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1664
> >>  slab_free mm/slub.c:3224 [inline]
> >>  kfree+0xeb/0x670 mm/slub.c:4268
> >>  sctp_auth_shkey_destroy net/sctp/auth.c:101 [inline]
> >>  sctp_auth_shkey_release+0x100/0x160 net/sctp/auth.c:107
> >>  sctp_auth_set_key+0x508/0x6d0 net/sctp/auth.c:862
> >>
> >It seems caused by not updating asoc->shkey when the old key is being deleted:
>
> Nope, see 1) and 2).
It's not about lock protection.

asoc->shkey became invalid after 'shkey' (== asoc->shkey)  is released
in sctp_auth_set_key() and all chunks freed its shkey.
the crash is triggered by this invalid asoc->shkey used.

We should fix it by updating asoc->shkey when it's being released,
more accurately:

@@ -860,6 +860,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
        if (replace) {
                list_del_init(&shkey->key_list);
                sctp_auth_shkey_release(shkey);
+               if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+                       sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
        }

>
> >
> >diff --git a/net/sctp/auth.c b/net/sctp/auth.c
> >index 6f8319b..d095247 100644
> >--- a/net/sctp/auth.c
> >+++ b/net/sctp/auth.c
> >@@ -858,6 +858,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
> >        cur_key->key = key;
> >
> >        if (replace) {
> >+               if (asoc && asoc->shkey == shkey)
> >+                       asoc->shkey = cur_key;
> >                list_del_init(&shkey->key_list);
> >                sctp_auth_shkey_release(shkey);
> >        }
> >
> >>  sctp_setsockopt_auth_key net/sctp/socket.c:3643 [inline]
>
> 2)  lock_sock(sk);
>
> >>  sctp_setsockopt+0x4919/0xa5e0 net/sctp/socket.c:4682
> >>  __sys_setsockopt+0x2db/0x610 net/socket.c:2152
> >>  __do_sys_setsockopt net/socket.c:2163 [inline]
> >>  __se_sys_setsockopt net/socket.c:2160 [inline]
> >>  __x64_sys_setsockopt+0xba/0x150 net/socket.c:2160
> >>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> >>  entry_SYSCALL_64_after_hwframe+0x44/0xae

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ