| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8fca8bc2-d8a8-eb41-9649-f96b5801f72c@kernel.org>
Date: Thu, 28 Jul 2022 10:13:52 -0600
From: David Ahern <dsahern@...nel.org>
To: Kuniyuki Iwashima <kuniyu@...zon.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Cc: Lorenzo Colitti <lorenzo@...gle.com>,
Benjamin Herrenschmidt <benh@...zon.com>,
Ayushman Dutta <ayudutta@...zon.com>, netdev@...r.kernel.org,
syzbot+a8430774139ec3ab7176@...kaller.appspotmail.com
Subject: Re: [PATCH v2 net] net: ping6: Fix memleak in ipv6_renew_options().
On 7/27/22 7:22 PM, Kuniyuki Iwashima wrote:
> When we close ping6 sockets, some resources are left unfreed because
> pingv6_prot is missing sk->sk_prot->destroy(). As reported by
> syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.
>
> struct ipv6_sr_hdr *hdr;
> char data[24] = {0};
> int fd;
>
> hdr = (struct ipv6_sr_hdr *)data;
> hdr->hdrlen = 2;
> hdr->type = IPV6_SRCRT_TYPE_4;
>
> fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP);
> setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24);
> close(fd);
>
> To fix memory leaks, let's add a destroy function.
>
> Note the socket() syscall checks if the GID is within the range of
> net.ipv4.ping_group_range. The default value is [1, 0] so that no
> GID meets the condition (1 <= GID <= 0). Thus, the local DoS does
> not succeed until we change the default value. However, at least
> Ubuntu/Fedora/RHEL loosen it.
>
> $ cat /usr/lib/sysctl.d/50-default.conf
> ...
> -net.ipv4.ping_group_range = 0 2147483647
>
> Also, there could be another path reported with these options, and
> some of them require CAP_NET_RAW.
>
> setsockopt
> IPV6_ADDRFORM (inet6_sk(sk)->pktoptions)
> IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu)
> IPV6_HOPOPTS (inet6_sk(sk)->opt)
> IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt)
> IPV6_RTHDR (inet6_sk(sk)->opt)
> IPV6_DSTOPTS (inet6_sk(sk)->opt)
> IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt)
>
> getsockopt
> IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list)
>
> For the record, I left a different splat with syzbot's one.
>
> unreferenced object 0xffff888006270c60 (size 96):
> comm "repro2", pid 231, jiffies 4294696626 (age 13.118s)
> hex dump (first 32 bytes):
> 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D...........
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554)
> [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715)
> [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024)
> [<000000007096a025>] __sys_setsockopt (net/socket.c:2254)
> [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262)
> [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>
> [0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176
>
> Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
> Reported-by: syzbot+a8430774139ec3ab7176@...kaller.appspotmail.com
> Reported-by: Ayushman Dutta <ayudutta@...zon.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> ---
> v2:
> - Remove ip6_flush_pending_frames() (Jakub Kicinski)
>
> v1: offlist
> ---
> net/ipv6/ping.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Reviewed-by: David Ahern <dsahern@...nel.org>
Powered by blists - more mailing lists