| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230814113034.GB7324@breakpoint.cc>
Date: Mon, 14 Aug 2023 20:58:25 +0800
From: Dong Chenchen <dongchenchen2@...wei.com>
To: <fw@...len.de>
CC: <leon@...nel.org>, <steffen.klassert@...unet.com>,
<herbert@...dor.apana.org.au>, <davem@...emloft.net>, <edumazet@...gle.com>,
<kuba@...nel.org>, <pabeni@...hat.com>, <timo.teras@....fi>,
<yuehaibing@...wei.com>, <weiyongjun1@...wei.com>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] net: xfrm: skip policies marked as dead while reinserting policies
Dong Chenchen <dongchenchen2@...wei.com> wrote:
>> BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430
>> Read of size 1 at addr ffff8881051f3bf8 by task ip/668
>>
>> CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x72/0xa0
>> print_report+0xd0/0x620
>> kasan_report+0xb6/0xf0
>> xfrm_policy_inexact_list_reinsert+0xb6/0x430
>> xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800
>> xfrm_policy_inexact_alloc_chain+0x23f/0x320
>> xfrm_policy_inexact_insert+0x6b/0x590
>> xfrm_policy_insert+0x3b1/0x480
>> xfrm_add_policy+0x23c/0x3c0
>> xfrm_user_rcv_msg+0x2d0/0x510
>> netlink_rcv_skb+0x10d/0x2d0
>> xfrm_netlink_rcv+0x49/0x60
>> netlink_unicast+0x3fe/0x540
>> netlink_sendmsg+0x528/0x970
>> sock_sendmsg+0x14a/0x160
>> ____sys_sendmsg+0x4fc/0x580
>> ___sys_sendmsg+0xef/0x160
>> __sys_sendmsg+0xf7/0x1b0
>> do_syscall_64+0x3f/0x90
>> entry_SYSCALL_64_after_hwframe+0x73/0xdd
>>
>> The root cause is:
>>
>> cpu 0 cpu1
>> xfrm_dump_policy
>> xfrm_policy_walk
>> list_move_tail
>> xfrm_add_policy
>> ... ...
>> xfrm_policy_inexact_list_reinsert
>> list_for_each_entry_reverse
>> if (!policy->bydst_reinsert)
>> //read non-existent policy
>> xfrm_dump_policy_done
>> xfrm_policy_walk_done
>> list_del(&walk->walk.all);
>>
>> If dump_one_policy() returns err (triggered by netlink socket),
>> xfrm_policy_walk() will move walk initialized by socket to list
>> net->xfrm.policy_all. so this socket becomes visible in the global
>> policy list. The head *walk can be traversed when users add policies
>> with different prefixlen and trigger xfrm_policy node merge.
>>
>> It can be fixed by skip such "policies" with walk.dead set to 1.
>>
>> Fixes: 9cf545ebd591 ("xfrm: policy: store inexact policies in a tree ordered by destination address")
>> Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
>> Signed-off-by: Dong Chenchen <dongchenchen2@...wei.com>
>> ---
>> net/xfrm/xfrm_policy.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
>> index d6b405782b63..5b56faad78e0 100644
>> --- a/net/xfrm/xfrm_policy.c
>> +++ b/net/xfrm/xfrm_policy.c
>> @@ -848,6 +848,9 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,
>> matched_d = 0;
>>
>> list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
>> + if (policy->walk.dead)
>> + continue;
>> +
>
>Looks like we have other places that might trigger a splat, e.g.:
>
>1816 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
>..
>1827 again:
>1828 list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
>1829 dir = xfrm_policy_id2dir(pol->index);
>1830 if (pol->walk.dead ||
>1831 dir >= XFRM_POLICY_MAX ||
>
>'walker' has no pol->index, so I suspect this would trigger a kasan splat as well,
>this needs to check walk.dead before access to pol->index.
Yes, you are right. xfrm_hash_rebuild(),xfrm_dev_policy_flush() might also trigger
similar bug. xfrm_policy_walk() add "walker" to list tail and these func use
list_for_each_entry() to traverse list.So it is unlikely to trigger the bug.
But there's still possible, i will fix it in v2.
Thanks!
Powered by blists - more mailing lists