lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CADVnQynaY08aoy-BGHO6ybx6ijUUdzoppxe9gyNpq-tb7z91sQ@mail.gmail.com>
Date: Wed, 1 May 2024 16:27:24 -0400
From: Neal Cardwell <ncardwell@...gle.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>, Yuchung Cheng <ycheng@...gle.com>, 
	Kuniyuki Iwashima <kuniyu@...zon.com>, netdev@...r.kernel.org, eric.dumazet@...il.com, 
	syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

On Wed, May 1, 2024 at 8:54 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> TCP_SYN_RECV state is really special, it is only used by
> cross-syn connections, mostly used by fuzzers.
>
> In the following crash [1], syzbot managed to trigger a divide
> by zero in tcp_rcv_space_adjust()
>
> A socket makes the following state transitions,
> without ever calling tcp_init_transfer(),
> meaning tcp_init_buffer_space() is also not called.
>
>          TCP_CLOSE
> connect()
>          TCP_SYN_SENT
>          TCP_SYN_RECV
> shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
>          TCP_FIN_WAIT1
>
> To fix this issue, change tcp_shutdown() to not
> perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
> which makes no sense anyway.
>
> When tcp_rcv_state_process() later changes socket state
> from TCP_SYN_RECV to TCP_ESTABLISH, then look at
> sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
> and send a FIN packet from a sane socket state.
>
> This means tcp_send_fin() can now be called from BH
> context, and must use GFP_ATOMIC allocations.
>
> [1]
> divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
>  RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
> Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
> RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
> RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
> R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
> R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
> FS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>   tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
>   tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
>   inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
>   sock_recvmsg_nosec net/socket.c:1046 [inline]
>   sock_recvmsg+0x109/0x280 net/socket.c:1068
>   ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
>   ___sys_recvmsg net/socket.c:2845 [inline]
>   do_recvmmsg+0x474/0xae0 net/socket.c:2939
>   __sys_recvmmsg net/socket.c:3018 [inline]
>   __do_sys_recvmmsg net/socket.c:3041 [inline]
>   __se_sys_recvmmsg net/socket.c:3034 [inline]
>   __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7faeb6363db9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
> RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
> R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> ---

Very nice find and fix! Thanks, Eric!

Acked-by: Neal Cardwell <ncardwell@...gle.com>

neal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ