| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250104065911.39876-1-kuniyu@amazon.com>
Date: Sat, 4 Jan 2025 15:59:11 +0900
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <edumazet@...gle.com>
CC: <davem@...emloft.net>, <eric.dumazet@...il.com>, <horms@...nel.org>,
<kuba@...nel.org>, <kuniyu@...zon.com>, <netdev@...r.kernel.org>,
<pabeni@...hat.com>, <syzkaller@...glegroups.com>
Subject: Re: [PATCH net-next] ax25: rcu protect dev->ax25_ptr
From: Eric Dumazet <edumazet@...gle.com>
Date: Fri, 3 Jan 2025 21:05:14 +0000
> syzbot found a lockdep issue [1].
>
> We should remove ax25 RTNL dependency in ax25_setsockopt()
>
> This should also fix a variety of possible UAF in ax25.
>
> [1]
>
> WARNING: possible circular locking dependency detected
> 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted
> ------------------------------------------------------
> syz.5.1818/12806 is trying to acquire lock:
> ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
>
> but task is already holding lock:
> ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
> ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574
>
> which lock already depends on the new lock.
>
> the existing dependency chain (in reverse order) is:
>
> -> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:
> lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
> lock_sock_nested+0x48/0x100 net/core/sock.c:3642
> lock_sock include/net/sock.h:1618 [inline]
> ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]
> ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146
> notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
> __dev_notify_flags+0x207/0x400
> dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026
> dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563
> dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820
> sock_do_ioctl+0x240/0x460 net/socket.c:1234
> sock_ioctl+0x626/0x8e0 net/socket.c:1339
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:906 [inline]
> __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> -> #0 (rtnl_mutex){+.+.}-{4:4}:
> check_prev_add kernel/locking/lockdep.c:3161 [inline]
> check_prevs_add kernel/locking/lockdep.c:3280 [inline]
> validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
> __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
> lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
> __mutex_lock_common kernel/locking/mutex.c:585 [inline]
> __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
> ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
> do_sock_setsockopt+0x3af/0x720 net/socket.c:2324
> __sys_setsockopt net/socket.c:2349 [inline]
> __do_sys_setsockopt net/socket.c:2355 [inline]
> __se_sys_setsockopt net/socket.c:2352 [inline]
> __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> other info that might help us debug this:
>
> Possible unsafe locking scenario:
>
> CPU0 CPU1
> ---- ----
> lock(sk_lock-AF_AX25);
> lock(rtnl_mutex);
> lock(sk_lock-AF_AX25);
> lock(rtnl_mutex);
>
> *** DEADLOCK ***
>
> 1 lock held by syz.5.1818/12806:
> #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
> #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574
>
> stack backtrace:
> CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
> check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
> check_prev_add kernel/locking/lockdep.c:3161 [inline]
> check_prevs_add kernel/locking/lockdep.c:3280 [inline]
> validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
> __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
> lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
> __mutex_lock_common kernel/locking/mutex.c:585 [inline]
> __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
> ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
> do_sock_setsockopt+0x3af/0x720 net/socket.c:2324
> __sys_setsockopt net/socket.c:2349 [inline]
> __do_sys_setsockopt net/socket.c:2355 [inline]
> __se_sys_setsockopt net/socket.c:2352 [inline]
> __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f7b62385d29
>
> Fixes: c433570458e4 ("ax25: fix a use-after-free in ax25_fillin_cb()")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Not sure if net-next is intentional, but whichever is fine to me :)
Reviewed-by: Kuniyuki Iwashima <kuniyu@...zon.com>
Powered by blists - more mailing lists