[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YbDR/JStiIco3HQS@kroah.com>
Date: Wed, 8 Dec 2021 16:40:44 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: George Kennedy <george.kennedy@...cle.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tun: avoid double free in tun_free_netdev
On Wed, Dec 08, 2021 at 09:43:25AM -0500, George Kennedy wrote:
> Avoid double free in tun_free_netdev() by clearing tun->security
> after free and using it to indicate that free has already been done.
>
> BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
>
> CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
> Hardware name: Red Hat KVM, BIOS
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
> print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
> kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
> ____kasan_slab_free mm/kasan/common.c:346 [inline]
> __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
> kasan_slab_free include/linux/kasan.h:235 [inline]
> slab_free_hook mm/slub.c:1723 [inline]
> slab_free_freelist_hook mm/slub.c:1749 [inline]
> slab_free mm/slub.c:3513 [inline]
> kfree+0xac/0x2d0 mm/slub.c:4561
> selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
> security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
> tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
> netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
> rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
> __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
> tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl fs/ioctl.c:860 [inline]
> __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Reported-by: syzkaller <syzkaller@...glegroups.com>
> Signed-off-by: George Kennedy <george.kennedy@...cle.com>
> ---
> drivers/net/tun.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 1572878..617c71f 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2212,7 +2212,10 @@ static void tun_free_netdev(struct net_device *dev)
> dev->tstats = NULL;
>
> tun_flow_uninit(tun);
> - security_tun_dev_free_security(tun->security);
> + if (tun->security) {
> + security_tun_dev_free_security(tun->security);
> + tun->security = NULL;
> + }
> __tun_set_ebpf(tun, &tun->steering_prog, NULL);
> __tun_set_ebpf(tun, &tun->filter_prog, NULL);
> }
> @@ -2779,7 +2782,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>
> err_free_flow:
> tun_flow_uninit(tun);
> - security_tun_dev_free_security(tun->security);
> + if (tun->security) {
> + security_tun_dev_free_security(tun->security);
> + /* Let tun_free_netdev() know the free has already been done. */
> + tun->security = NULL;
What protects this from racing with tun_free_netdev()?
And why can't security_tun_dev_free_security() handle a NULL value?
thanks,
greg k-h
Powered by blists - more mailing lists