| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Mar 2022 10:07:59 +0800
From: Xin Long <lucien.xin@...il.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
syzbot <syzkaller@...glegroups.com>,
Vlad Yasevich <vyasevich@...il.com>,
Neil Horman <nhorman@...driver.com>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Subject: Re: [PATCH net] sctp: fix kernel-infoleak for SCTP sockets
On Thu, Mar 10, 2022 at 8:11 AM Eric Dumazet <eric.dumazet@...il.com> wrote:
>
> From: Eric Dumazet <edumazet@...gle.com>
>
> syzbot reported a kernel infoleak [1] of 4 bytes.
>
> After analysis, it turned out r->idiag_expires is not initialized
> if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()
>
> Make sure to clear idiag_timer/idiag_retrans/idiag_expires
> and let inet_diag_msg_sctpasoc_fill() fill them again if needed.
>
> [1]
>
> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
> BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
> instrument_copy_to_user include/linux/instrumented.h:121 [inline]
> copyout lib/iov_iter.c:154 [inline]
> _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
> copy_to_iter include/linux/uio.h:162 [inline]
> simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
> __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
> skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
> skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
> netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
> sock_recvmsg_nosec net/socket.c:948 [inline]
> sock_recvmsg net/socket.c:966 [inline]
> __sys_recvfrom+0x795/0xa10 net/socket.c:2097
> __do_sys_recvfrom net/socket.c:2115 [inline]
> __se_sys_recvfrom net/socket.c:2111 [inline]
> __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Uninit was created at:
> slab_post_alloc_hook mm/slab.h:737 [inline]
> slab_alloc_node mm/slub.c:3247 [inline]
> __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
> kmalloc_reserve net/core/skbuff.c:354 [inline]
> __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
> alloc_skb include/linux/skbuff.h:1158 [inline]
> netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
> __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
> netlink_dump_start include/linux/netlink.h:254 [inline]
> inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
> sock_diag_rcv_msg+0x24a/0x620
> netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
> sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
> netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
> netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
> netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
> sock_sendmsg_nosec net/socket.c:705 [inline]
> sock_sendmsg net/socket.c:725 [inline]
> sock_write_iter+0x594/0x690 net/socket.c:1061
> do_iter_readv_writev+0xa7f/0xc70
> do_iter_write+0x52c/0x1500 fs/read_write.c:851
> vfs_writev fs/read_write.c:924 [inline]
> do_writev+0x645/0xe00 fs/read_write.c:967
> __do_sys_writev fs/read_write.c:1040 [inline]
> __se_sys_writev fs/read_write.c:1037 [inline]
> __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Bytes 68-71 of 2508 are uninitialized
> Memory access of size 2508 starts at ffff888114f9b000
> Data copied to user address 00007f7fe09ff2e0
>
> CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Cc: Xin Long <lucien.xin@...il.com>
> Cc: Vlad Yasevich <vyasevich@...il.com>
> Cc: Neil Horman <nhorman@...driver.com>
> Cc: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> ---
> net/sctp/diag.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/net/sctp/diag.c b/net/sctp/diag.c
> index 034e2c74497df7f841d5d5b13b9695d291389089..d9c6d8f30f0935910a5c62a5a78c3813392b8231 100644
> --- a/net/sctp/diag.c
> +++ b/net/sctp/diag.c
> @@ -61,10 +61,6 @@ static void inet_diag_msg_sctpasoc_fill(struct inet_diag_msg *r,
> r->idiag_timer = SCTP_EVENT_TIMEOUT_T3_RTX;
> r->idiag_retrans = asoc->rtx_data_chunks;
> r->idiag_expires = jiffies_to_msecs(t3_rtx->expires - jiffies);
> - } else {
> - r->idiag_timer = 0;
> - r->idiag_retrans = 0;
> - r->idiag_expires = 0;
> }
> }
>
> @@ -144,13 +140,14 @@ static int inet_sctp_diag_fill(struct sock *sk, struct sctp_association *asoc,
> r = nlmsg_data(nlh);
> BUG_ON(!sk_fullsock(sk));
>
> + r->idiag_timer = 0;
> + r->idiag_retrans = 0;
> + r->idiag_expires = 0;
> if (asoc) {
> inet_diag_msg_sctpasoc_fill(r, sk, asoc);
> } else {
> inet_diag_msg_common_fill(r, sk);
> r->idiag_state = sk->sk_state;
> - r->idiag_timer = 0;
> - r->idiag_retrans = 0;
> }
>
> if (inet_diag_msg_attrs_fill(sk, skb, r, ext, user_ns, net_admin))
> --
> 2.35.1.616.g0bdcbb4464-goog
>
Reviewed-by: Xin Long <lucien.xin@...il.com>
Powered by blists - more mailing lists