lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YbDR/JStiIco3HQS@kroah.com>
Date:   Wed, 8 Dec 2021 16:40:44 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     George Kennedy <george.kennedy@...cle.com>
Cc:     davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tun: avoid double free in tun_free_netdev

On Wed, Dec 08, 2021 at 09:43:25AM -0500, George Kennedy wrote:
> Avoid double free in tun_free_netdev() by clearing tun->security
> after free and using it to indicate that free has already been done.
> 
> BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
> 
> CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
> Hardware name: Red Hat KVM, BIOS
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
>  print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
>  kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
>  ____kasan_slab_free mm/kasan/common.c:346 [inline]
>  __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
>  kasan_slab_free include/linux/kasan.h:235 [inline]
>  slab_free_hook mm/slub.c:1723 [inline]
>  slab_free_freelist_hook mm/slub.c:1749 [inline]
>  slab_free mm/slub.c:3513 [inline]
>  kfree+0xac/0x2d0 mm/slub.c:4561
>  selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
>  security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
>  tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
>  netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
>  rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
>  __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
>  tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:874 [inline]
>  __se_sys_ioctl fs/ioctl.c:860 [inline]
>  __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Reported-by: syzkaller <syzkaller@...glegroups.com>
> Signed-off-by: George Kennedy <george.kennedy@...cle.com>
> ---
>  drivers/net/tun.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 1572878..617c71f 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2212,7 +2212,10 @@ static void tun_free_netdev(struct net_device *dev)
>  	dev->tstats = NULL;
>  
>  	tun_flow_uninit(tun);
> -	security_tun_dev_free_security(tun->security);
> +	if (tun->security) {
> +		security_tun_dev_free_security(tun->security);
> +		tun->security = NULL;
> +	}
>  	__tun_set_ebpf(tun, &tun->steering_prog, NULL);
>  	__tun_set_ebpf(tun, &tun->filter_prog, NULL);
>  }
> @@ -2779,7 +2782,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  
>  err_free_flow:
>  	tun_flow_uninit(tun);
> -	security_tun_dev_free_security(tun->security);
> +	if (tun->security) {
> +		security_tun_dev_free_security(tun->security);
> +		/* Let tun_free_netdev() know the free has already been done. */
> +		tun->security = NULL;

What protects this from racing with tun_free_netdev()?

And why can't security_tun_dev_free_security() handle a NULL value?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ