lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <CAJwJo6aKKpjLO5uQWQDGayxjBYfunoObTezW0Ps-diTLEaAmNg@mail.gmail.com>
Date: Tue, 16 Jul 2024 03:38:54 +0100
From: Dmitry Safonov <0x7f454c46@...il.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, 
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, David Ahern <dsahern@...nel.org>, 
	Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org, 
	syzkaller <syzkaller@...glegroups.com>
Subject: Re: [PATCH v1 net] tcp: Don't access uninit tcp_rsk(req)->ao_keyid in tcp_create_openreq_child().

On Sun, 14 Jul 2024 at 17:17, Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> syzkaller reported a KMSAN splat in tcp_create_openreq_child(). [0]
>
> The uninit variable is tcp_rsk(req)->ao_keyid.
>
> tcp_rsk(req)->ao_keyid is initialised only when tcp_conn_request() finds
> a valid TCP AO option in SYN.  Then, tcp_rsk(req)->used_tcp_ao is set
> accordingly.
>
> Let's not read tcp_rsk(req)->ao_keyid when tcp_rsk(req)->used_tcp_ao is
> false.
>
> [0]:
> BUG: KMSAN: uninit-value in tcp_create_openreq_child+0x198b/0x1ff0 net/ipv4/tcp_minisocks.c:610
>  tcp_create_openreq_child+0x198b/0x1ff0 net/ipv4/tcp_minisocks.c:610
>  tcp_v4_syn_recv_sock+0x18e/0x2170 net/ipv4/tcp_ipv4.c:1754
>  tcp_check_req+0x1a3e/0x20c0 net/ipv4/tcp_minisocks.c:852
>  tcp_v4_rcv+0x26a4/0x53a0 net/ipv4/tcp_ipv4.c:2265
>  ip_protocol_deliver_rcu+0x884/0x1270 net/ipv4/ip_input.c:205
>  ip_local_deliver_finish+0x30f/0x530 net/ipv4/ip_input.c:233
>  NF_HOOK include/linux/netfilter.h:314 [inline]
>  ip_local_deliver+0x230/0x4c0 net/ipv4/ip_input.c:254
>  dst_input include/net/dst.h:460 [inline]
>  ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
>  ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
>  ip_sublist_rcv+0x10f7/0x13e0 net/ipv4/ip_input.c:639
>  ip_list_rcv+0x952/0x9c0 net/ipv4/ip_input.c:674
>  __netif_receive_skb_list_ptype net/core/dev.c:5703 [inline]
>  __netif_receive_skb_list_core+0xd92/0x11d0 net/core/dev.c:5751
>  __netif_receive_skb_list net/core/dev.c:5803 [inline]
>  netif_receive_skb_list_internal+0xd8f/0x1350 net/core/dev.c:5895
>  gro_normal_list include/net/gro.h:515 [inline]
>  napi_complete_done+0x3f2/0x990 net/core/dev.c:6246
>  e1000_clean+0x1fa4/0x5e50 drivers/net/ethernet/intel/e1000/e1000_main.c:3808
>  __napi_poll+0xd9/0x990 net/core/dev.c:6771
>  napi_poll net/core/dev.c:6840 [inline]
>  net_rx_action+0x90f/0x17e0 net/core/dev.c:6962
>  handle_softirqs+0x152/0x6b0 kernel/softirq.c:554
>  __do_softirq kernel/softirq.c:588 [inline]
>  invoke_softirq kernel/softirq.c:428 [inline]
>  __irq_exit_rcu kernel/softirq.c:637 [inline]
>  irq_exit_rcu+0x5d/0x120 kernel/softirq.c:649
>  common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:278
>  asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
>  __msan_instrument_asm_store+0xd6/0xe0
>  arch_atomic_inc arch/x86/include/asm/atomic.h:53 [inline]
>  raw_atomic_inc include/linux/atomic/atomic-arch-fallback.h:992 [inline]
>  atomic_inc include/linux/atomic/atomic-instrumented.h:436 [inline]
>  page_ref_inc include/linux/page_ref.h:153 [inline]
>  folio_ref_inc include/linux/page_ref.h:160 [inline]
>  filemap_map_order0_folio mm/filemap.c:3596 [inline]
>  filemap_map_pages+0x11c7/0x2270 mm/filemap.c:3644
>  do_fault_around mm/memory.c:4879 [inline]
>  do_read_fault mm/memory.c:4912 [inline]
>  do_fault mm/memory.c:5051 [inline]
>  do_pte_missing mm/memory.c:3897 [inline]
>  handle_pte_fault mm/memory.c:5381 [inline]
>  __handle_mm_fault mm/memory.c:5524 [inline]
>  handle_mm_fault+0x3677/0x6f00 mm/memory.c:5689
>  do_user_addr_fault+0x1373/0x2b20 arch/x86/mm/fault.c:1338
>  handle_page_fault arch/x86/mm/fault.c:1481 [inline]
>  exc_page_fault+0x54/0xc0 arch/x86/mm/fault.c:1539
>  asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
>
> Uninit was stored to memory at:
>  tcp_create_openreq_child+0x1984/0x1ff0 net/ipv4/tcp_minisocks.c:611
>  tcp_v4_syn_recv_sock+0x18e/0x2170 net/ipv4/tcp_ipv4.c:1754
>  tcp_check_req+0x1a3e/0x20c0 net/ipv4/tcp_minisocks.c:852
>  tcp_v4_rcv+0x26a4/0x53a0 net/ipv4/tcp_ipv4.c:2265
>  ip_protocol_deliver_rcu+0x884/0x1270 net/ipv4/ip_input.c:205
>  ip_local_deliver_finish+0x30f/0x530 net/ipv4/ip_input.c:233
>  NF_HOOK include/linux/netfilter.h:314 [inline]
>  ip_local_deliver+0x230/0x4c0 net/ipv4/ip_input.c:254
>  dst_input include/net/dst.h:460 [inline]
>  ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
>  ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
>  ip_sublist_rcv+0x10f7/0x13e0 net/ipv4/ip_input.c:639
>  ip_list_rcv+0x952/0x9c0 net/ipv4/ip_input.c:674
>  __netif_receive_skb_list_ptype net/core/dev.c:5703 [inline]
>  __netif_receive_skb_list_core+0xd92/0x11d0 net/core/dev.c:5751
>  __netif_receive_skb_list net/core/dev.c:5803 [inline]
>  netif_receive_skb_list_internal+0xd8f/0x1350 net/core/dev.c:5895
>  gro_normal_list include/net/gro.h:515 [inline]
>  napi_complete_done+0x3f2/0x990 net/core/dev.c:6246
>  e1000_clean+0x1fa4/0x5e50 drivers/net/ethernet/intel/e1000/e1000_main.c:3808
>  __napi_poll+0xd9/0x990 net/core/dev.c:6771
>  napi_poll net/core/dev.c:6840 [inline]
>  net_rx_action+0x90f/0x17e0 net/core/dev.c:6962
>  handle_softirqs+0x152/0x6b0 kernel/softirq.c:554
>  __do_softirq kernel/softirq.c:588 [inline]
>  invoke_softirq kernel/softirq.c:428 [inline]
>  __irq_exit_rcu kernel/softirq.c:637 [inline]
>  irq_exit_rcu+0x5d/0x120 kernel/softirq.c:649
>  common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:278
>  asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
>
> Uninit was created at:
>  __alloc_pages_noprof+0x82d/0xcb0 mm/page_alloc.c:4706
>  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
>  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
>  alloc_slab_page mm/slub.c:2265 [inline]
>  allocate_slab mm/slub.c:2428 [inline]
>  new_slab+0x2af/0x14e0 mm/slub.c:2481
>  ___slab_alloc+0xf73/0x3150 mm/slub.c:3667
>  __slab_alloc mm/slub.c:3757 [inline]
>  __slab_alloc_node mm/slub.c:3810 [inline]
>  slab_alloc_node mm/slub.c:3990 [inline]
>  kmem_cache_alloc_noprof+0x53a/0x9f0 mm/slub.c:4009
>  reqsk_alloc_noprof net/ipv4/inet_connection_sock.c:920 [inline]
>  inet_reqsk_alloc+0x63/0x700 net/ipv4/inet_connection_sock.c:951
>  tcp_conn_request+0x339/0x4860 net/ipv4/tcp_input.c:7177
>  tcp_v4_conn_request+0x13b/0x190 net/ipv4/tcp_ipv4.c:1719
>  tcp_rcv_state_process+0x2dd/0x4a10 net/ipv4/tcp_input.c:6711
>  tcp_v4_do_rcv+0xbee/0x10d0 net/ipv4/tcp_ipv4.c:1932
>  tcp_v4_rcv+0x3fad/0x53a0 net/ipv4/tcp_ipv4.c:2334
>  ip_protocol_deliver_rcu+0x884/0x1270 net/ipv4/ip_input.c:205
>  ip_local_deliver_finish+0x30f/0x530 net/ipv4/ip_input.c:233
>  NF_HOOK include/linux/netfilter.h:314 [inline]
>  ip_local_deliver+0x230/0x4c0 net/ipv4/ip_input.c:254
>  dst_input include/net/dst.h:460 [inline]
>  ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
>  ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
>  ip_sublist_rcv+0x10f7/0x13e0 net/ipv4/ip_input.c:639
>  ip_list_rcv+0x952/0x9c0 net/ipv4/ip_input.c:674
>  __netif_receive_skb_list_ptype net/core/dev.c:5703 [inline]
>  __netif_receive_skb_list_core+0xd92/0x11d0 net/core/dev.c:5751
>  __netif_receive_skb_list net/core/dev.c:5803 [inline]
>  netif_receive_skb_list_internal+0xd8f/0x1350 net/core/dev.c:5895
>  gro_normal_list include/net/gro.h:515 [inline]
>  napi_complete_done+0x3f2/0x990 net/core/dev.c:6246
>  e1000_clean+0x1fa4/0x5e50 drivers/net/ethernet/intel/e1000/e1000_main.c:3808
>  __napi_poll+0xd9/0x990 net/core/dev.c:6771
>  napi_poll net/core/dev.c:6840 [inline]
>  net_rx_action+0x90f/0x17e0 net/core/dev.c:6962
>  handle_softirqs+0x152/0x6b0 kernel/softirq.c:554
>  __do_softirq kernel/softirq.c:588 [inline]
>  invoke_softirq kernel/softirq.c:428 [inline]
>  __irq_exit_rcu kernel/softirq.c:637 [inline]
>  irq_exit_rcu+0x5d/0x120 kernel/softirq.c:649
>  common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:278
>  asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
>
> CPU: 0 PID: 239 Comm: modprobe Tainted: G    B              6.10.0-rc7-01816-g852e42cc2dd4 #3 1107521f0c7b55c9309062382d0bda9f604dbb6d
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
>
> Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
> Reported-by: syzkaller <syzkaller@...glegroups.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>

LGTM, thank you!
Acked-by: Dmitry Safonov <0x7f454c46@...il.com>

-- 
             Dmitry

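The bug pattern in the quoted commit message, a field that is only written on one path (a SYN carrying a valid TCP-AO option) but read unconditionally on another, reduced to a stand-alone C model. This is an added illustration, not the kernel's code or the patch: struct and function names (req_sock, child_sock, alloc_req_poisoned, conn_request, openreq_child_buggy, openreq_child_fixed) are hypothetical stand-ins for tcp_request_sock, tcp_conn_request() and tcp_create_openreq_child(), and the 0xAA poison byte models what a non-zeroed slab allocation hands back (what KMSAN reports as uninit-value). The "fixed" variant follows the commit message's description (do not read ao_keyid when used_tcp_ao is false); the exact shape of the real patch is not shown on this page.

```c
/*
 * Added illustration (hypothetical names, not kernel code): a flag-guarded
 * field read from a non-zeroed allocation, buggy and fixed side by side.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for stale slab contents: fresh allocations are filled with this
 * byte instead of being zeroed, so any read of an unwritten field shows it. */
#define UNINIT_POISON 0xAA

struct req_sock {            /* hypothetical stand-in for tcp_request_sock */
    bool    used_tcp_ao;     /* always written by conn_request() */
    uint8_t ao_keyid;        /* written ONLY when the SYN carried TCP-AO */
    uint8_t ao_rcv_next;     /* same */
};

struct child_sock {          /* hypothetical stand-in for the child socket's AO state */
    bool    ao_used;
    uint8_t ao_keyid;
    uint8_t ao_rcv_next;
};

/* Model of a request socket coming out of kmem_cache_alloc() without
 * __GFP_ZERO: nothing is initialised, we just make the garbage deterministic. */
static struct req_sock *alloc_req_poisoned(void)
{
    struct req_sock *req = malloc(sizeof(*req));
    if (req)
        memset(req, UNINIT_POISON, sizeof(*req));
    return req;
}

/* Model of tcp_conn_request(): used_tcp_ao is set on every path, but the
 * key fields are initialised only when a valid AO option was found in SYN. */
static void conn_request(struct req_sock *req, bool syn_has_ao,
                         uint8_t keyid, uint8_t rnext)
{
    req->used_tcp_ao = syn_has_ao;
    if (syn_has_ao) {
        req->ao_keyid = keyid;
        req->ao_rcv_next = rnext;
    }
}

/* Buggy model of tcp_create_openreq_child(): copies the AO fields without
 * consulting used_tcp_ao, so a plain SYN's child inherits slab garbage. */
static void openreq_child_buggy(const struct req_sock *req, struct child_sock *child)
{
    child->ao_used = req->used_tcp_ao;
    child->ao_keyid = req->ao_keyid;          /* uninit read when !used_tcp_ao */
    child->ao_rcv_next = req->ao_rcv_next;
}

/* Fixed model: test the always-initialised flag first and only then read
 * the conditionally-initialised fields; otherwise give them a known value. */
static void openreq_child_fixed(const struct req_sock *req, struct child_sock *child)
{
    child->ao_used = req->used_tcp_ao;
    if (req->used_tcp_ao) {
        child->ao_keyid = req->ao_keyid;
        child->ao_rcv_next = req->ao_rcv_next;
    } else {
        child->ao_keyid = 0;
        child->ao_rcv_next = 0;
    }
}

/* Run one handshake through either variant and return the child's ao_keyid
 * (or -1 on allocation failure). A result of UNINIT_POISON means the
 * allocator's garbage leaked into the child. */
static int child_keyid_after_syn(bool use_fixed, bool syn_has_ao, uint8_t keyid)
{
    struct req_sock *req = alloc_req_poisoned();
    struct child_sock child;
    int out;

    if (!req)
        return -1;
    conn_request(req, syn_has_ao, keyid, (uint8_t)(keyid + 1));
    if (use_fixed)
        openreq_child_fixed(req, &child);
    else
        openreq_child_buggy(req, &child);
    out = child.ao_keyid;
    free(req);
    return out;
}

int main(void)
{
    /* Plain SYN (no TCP-AO): buggy path leaks the poison, fixed path does not. */
    assert(child_keyid_after_syn(false, false, 0) == UNINIT_POISON);
    assert(child_keyid_after_syn(true, false, 0) == 0);
    /* SYN with TCP-AO: both variants carry the real key id through. */
    assert(child_keyid_after_syn(false, true, 7) == 7);
    assert(child_keyid_after_syn(true, true, 7) == 7);
    return 0;
}
```

The point of the flag check is that used_tcp_ao is the only AO-related field conn_request() writes on every path, so it is the one thing the child-creation side may safely branch on; every other AO field is valid only under that flag. The same structure (one always-written discriminator guarding lazily written members of a non-zeroed allocation) is what to look for when auditing similar request-socket or option-parsing code, and KMSAN is the tool that turns the resulting read into a report like the one quoted above.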