lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dd9915aa-8fdb-8f37-669c-7715e44e0abd@ispras.ru>
Date: Fri, 26 May 2023 18:49:04 +0300
From: Ефанов Владислав Александрович <vefanov@...ras.ru>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@...il.com>,
 "David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 lvc-project@...uxtesting.org
Subject: Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect

Eric,

Here is the full report:

==================================================================
BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
Read of size 8 at addr ffff88814c2cc8c0 by task syz-executor.5/22717

CPU: 1 PID: 22717 Comm: syz-executor.5 Not tainted 5.10.179-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x107/0x167 lib/dump_stack.c:118
  print_address_description.constprop.0+0x1e/0x250 mm/kasan/report.c:384
  __kasan_report mm/kasan/report.c:584 [inline]
  kasan_report.cold+0x1f/0x37 mm/kasan/report.c:601
  sk_setup_caps+0x621/0x690 net/core/sock.c:2018
  ip6_dst_store include/net/ip6_route.h:234 [inline]
  ip6_sk_dst_store_flow+0x2c9/0x7b0 net/ipv6/route.c:2852
  ip6_datagram_dst_update+0x801/0xe30 net/ipv6/datagram.c:107
  __ip6_datagram_connect+0x5f2/0x1360 net/ipv6/datagram.c:248
  ip6_datagram_connect+0x2b/0x50 net/ipv6/datagram.c:272
  inet_dgram_connect+0x150/0x2e0 net/ipv4/af_inet.c:577
  __sys_connect_file+0x15c/0x1a0 net/socket.c:1846
  __sys_connect+0x165/0x1a0 net/socket.c:1863
  __do_sys_connect net/socket.c:1873 [inline]
  __se_sys_connect net/socket.c:1870 [inline]
  __x64_sys_connect+0x6e/0xb0 net/socket.c:1870
  do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x469fe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b6e7e0c08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056c030 RCX: 0000000000469fe9
RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000056c030 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdd98ee44f R14: 00007f6b6e7e1700 R15: 0000000000000001

Allocated by task 22717:
  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
  kasan_set_track mm/kasan/common.c:56 [inline]
  __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461
  slab_post_alloc_hook mm/slab.h:532 [inline]
  slab_alloc_node mm/slub.c:2896 [inline]
  slab_alloc mm/slub.c:2904 [inline]
  kmem_cache_alloc+0x146/0x2e0 mm/slub.c:2909
  dst_alloc+0xa0/0x660 net/core/dst.c:93
  ip6_blackhole_route+0x61/0x550 net/ipv6/route.c:2535
  make_blackhole net/xfrm/xfrm_policy.c:3019 [inline]
  xfrm_lookup_route net/xfrm/xfrm_policy.c:3212 [inline]
  xfrm_lookup_route+0x109/0x200 net/xfrm/xfrm_policy.c:3203
  ip6_dst_lookup_flow+0x159/0x1d0 net/ipv6/ip6_output.c:1235
  ip6_datagram_dst_update+0x5d5/0xe30 net/ipv6/datagram.c:89
  __ip6_datagram_connect+0x5f2/0x1360 net/ipv6/datagram.c:248
  ip6_datagram_connect+0x2b/0x50 net/ipv6/datagram.c:272
  inet_dgram_connect+0x150/0x2e0 net/ipv4/af_inet.c:577
  __sys_connect_file+0x15c/0x1a0 net/socket.c:1846
  __sys_connect+0x165/0x1a0 net/socket.c:1863
  __do_sys_connect net/socket.c:1873 [inline]
  __se_sys_connect net/socket.c:1870 [inline]
  __x64_sys_connect+0x6e/0xb0 net/socket.c:1870
  do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x61/0xc6

Freed by task 5512:
  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
  kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
  kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
  __kasan_slab_free+0x112/0x170 mm/kasan/common.c:422
  slab_free_hook mm/slub.c:1542 [inline]
  slab_free_freelist_hook+0xb8/0x1b0 mm/slub.c:1576
  slab_free mm/slub.c:3149 [inline]
  kmem_cache_free+0xaa/0x2e0 mm/slub.c:3165
  dst_destroy+0x2c1/0x3c0 net/core/dst.c:129
  rcu_do_batch kernel/rcu/tree.c:2492 [inline]
  rcu_core+0x649/0x1310 kernel/rcu/tree.c:2733
  __do_softirq+0x1d4/0x8d3 kernel/softirq.c:298

Last call_rcu():
  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
  kasan_record_aux_stack+0xad/0xc0 mm/kasan/generic.c:346
  __call_rcu kernel/rcu/tree.c:2974 [inline]
  call_rcu+0xb6/0x950 kernel/rcu/tree.c:3048
  dst_release net/core/dst.c:179 [inline]
  dst_release+0x7e/0xe0 net/core/dst.c:169
  sk_dst_set include/net/sock.h:2024 [inline]
  sk_setup_caps+0x95/0x690 net/core/sock.c:2017
  ip6_dst_store include/net/ip6_route.h:234 [inline]
  ip6_sk_dst_store_flow+0x2c9/0x7b0 net/ipv6/route.c:2852
  ip6_sk_dst_lookup_flow+0x641/0x9a0 net/ipv6/ip6_output.c:1269
  udpv6_sendmsg+0x183f/0x2d10 net/ipv6/udp.c:1522
  inet6_sendmsg+0x105/0x140 net/ipv6/af_inet6.c:651
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0xf2/0x190 net/socket.c:671
  ____sys_sendmsg+0x32e/0x870 net/socket.c:2356
  ___sys_sendmsg+0x100/0x170 net/socket.c:2410
  __sys_sendmmsg+0x192/0x460 net/socket.c:2496
  __do_sys_sendmmsg net/socket.c:2525 [inline]
  __se_sys_sendmmsg net/socket.c:2522 [inline]
  __x64_sys_sendmmsg+0x98/0x100 net/socket.c:2522
  do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x61/0xc6

Second to last call_rcu():
  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
  kasan_record_aux_stack+0xad/0xc0 mm/kasan/generic.c:346
  __call_rcu kernel/rcu/tree.c:2974 [inline]
  call_rcu+0xb6/0x950 kernel/rcu/tree.c:3048
  dst_release net/core/dst.c:179 [inline]
  dst_release+0x7e/0xe0 net/core/dst.c:169
  rawv6_sendmsg+0xf73/0x3cf0 net/ipv6/raw.c:964
  inet_sendmsg+0x11d/0x140 net/ipv4/af_inet.c:817
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0x13c/0x190 net/socket.c:671
  ____sys_sendmsg+0x32e/0x870 net/socket.c:2356
  ___sys_sendmsg+0x100/0x170 net/socket.c:2410
  __sys_sendmmsg+0x192/0x460 net/socket.c:2496
  __do_sys_sendmmsg net/socket.c:2525 [inline]
  __se_sys_sendmmsg net/socket.c:2522 [inline]
  __x64_sys_sendmmsg+0x98/0x100 net/socket.c:2522
  do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x61/0xc6

The buggy address belongs to the object at ffff88814c2cc8c0
  which belongs to the cache ip6_dst_cache of size 232
The buggy address is located 0 bytes inside of
  232-byte region [ffff88814c2cc8c0, ffff88814c2cc9a8)
The buggy address belongs to the page:
page:000000009e9a5247 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14c2cc
head:000000009e9a5247 order:1 compound_mapcount:0
flags: 0x57ffe0000010200(slab|head)
raw: 057ffe0000010200 dead000000000100 dead000000000122 ffff888019cc8dc0
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff88814c2cc780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff88814c2cc800: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
>ffff88814c2cc880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                            ^
  ffff88814c2cc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88814c2cc980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Best regards,

Vlad.


On 26.05.2023 18:29, Eric Dumazet wrote:
> On Fri, May 26, 2023 at 5:08 PM Vladislav Efanov <VEfanov@...ras.ru> wrote:
>> Syzkaller got the following report:
>> BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
>> Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255
> Please include a full report.
>
>> The function sk_setup_caps (called by ip6_sk_dst_store_flow->
>> ip6_dst_store) referenced already freed memory as this memory was
>> freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
>> sk_dst_check.
>>
>>            task1 (connect)              task2 (udp6_sendmsg)
>>          sk_setup_caps->sk_dst_set |
>>                                    |  sk_dst_check->
>>                                    |      sk_dst_set
>>                                    |      dst_release
>>          sk_setup_caps references  |
>>          to already freed dst_entry|
>
>> The reason for this race condition is: udp6_sendmsg() calls
>> ip6_sk_dst_lookup() without lock for sock structure and tries to
>> allocate/add dst_entry structure to sock structure in parallel with
>> "connect" task.
>>
>> Found by Linux Verification Center (linuxtesting.org) with syzkaller.
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> This is a bogus Fixes: tag
>
> In old times, UDP sendmsg() was using the socket lock.
>
> Then, in linux-4.0 Vlad Yasevich made UDP v6 sendmsg() lockless (and
> racy in many points)
>
>
>> Signed-off-by: Vladislav Efanov <VEfanov@...ras.ru>
>> ---
>>   net/ipv6/udp.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
>> index e5a337e6b970..a5ecd5d93b0a 100644
>> --- a/net/ipv6/udp.c
>> +++ b/net/ipv6/udp.c
>> @@ -1563,12 +1563,15 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
>>
>>          fl6->flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6->flowlabel);
>>
>> +       lock_sock(sk);
>>          dst = ip6_sk_dst_lookup_flow(sk, fl6, final_p, connected);
>>          if (IS_ERR(dst)) {
>>                  err = PTR_ERR(dst);
>>                  dst = NULL;
>> +               release_sock(sk);
>>                  goto out;
>>          }
>> +       release_sock(sk);
>>
>>          if (ipc6.hlimit < 0)
>>                  ipc6.hlimit = ip6_sk_dst_hoplimit(np, fl6, dst);
>> --
>> 2.34.1
>>
> There must be another way really.
> You just killed UDP performance.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ