Message-ID: <CALkECRgvg9us9Mp79G-cQ8dOwUA=oHH8jY=Q0ApLNDDNGAg4OQ@mail.gmail.com>
Date: Tue, 15 Apr 2025 11:39:31 +0800
From: Abagail ren <renzezhongucas@...il.com>
To: netdev@...r.kernel.org
Subject: [BUG] General protection fault in percpu_counter_add_batch() during
 netns cleanup

Hi maintainers,

In case the previous message was rejected due to attachments and HTML,
I am resending this report in plain text format.

During fuzzing of the Linux kernel, we encountered a general protection
fault in `percpu_counter_add_batch()` while executing the
`cleanup_net` workqueue. The crash was triggered during the destruction of a
network namespace containing a WireGuard interface. This was reproduced
on kernel version v6.12-rc6.

Crash Details:

Oops: general protection fault, probably for non-canonical address
0xfc3ffbf11006d3ec: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe1ffff8880369f60-0xe1ffff8880369f67]

CPU: 0 PID: 10492 Comm: kworker/u8:4 Not tainted 6.12.0-rc6 #2
Hardware: QEMU Standard PC (i440FX + PIIX, 1996)

RIP: 0010:percpu_counter_add_batch+0x36/0x1f0 lib/percpu_counter.c:98
Faulting instruction:
    cmpb $0x0,(%rdx,%rax,1)

Call Trace:
 dst_entries_add                    include/net/dst_ops.h:59
 dst_count_dec                      net/core/dst.c:159
 dst_release                        net/core/dst.c:165
 dst_cache_reset_now                net/core/dst_cache.c:169
 wg_socket_clear_peer_endpoint_src drivers/net/wireguard/socket.c:312
 wg_netns_pre_exit                  drivers/net/wireguard/device.c:423
 ops_pre_exit_list                  net/core/net_namespace.c:163
 cleanup_net                        net/core/net_namespace.c:606
 process_one_work                   kernel/workqueue.c:3229
 worker_thread                      kernel/workqueue.c:3391
 kthread                            kernel/kthread.c:389
 ret_from_fork                      arch/x86/kernel/process.c:147

Reproducer Notes:

The issue was triggered during `netns` teardown while a WireGuard device
was active. It appears to involve use-after-free of a `percpu_counter`
structure, likely after its owning peer or device was destroyed.

Environment:

 - Kernel: 6.12.0-rc6
 - Platform: QEMU (x86_64)
 - Trigger: `netns` teardown with WireGuard devices present

Related discussion (possible fix?):

Subject: [PATCH net] net: decrease cached dst counters in dst_release

Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in
dst_release()") moved decrementing the dst count from dst_destroy to
dst_release to avoid accessing already freed data in case of netns
dismantle. However, in case CONFIG_DST_CACHE is enabled and OvS+tunnels
are used, this fix is incomplete, as the same issue will be seen for
cached dsts:

  Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
  Call trace:
   percpu_counter_add_batch+0x3c/0x160 (P)
   dst_release+0xec/0x108
   dst_cache_destroy+0x68/0xd8
   dst_destroy+0x13c/0x168
   dst_destroy_rcu+0x1c/0xb0
   rcu_do_batch+0x18c/0x7d0
   rcu_core+0x174/0x378
   rcu_core_si+0x18/0x30

Fix this by invalidating the cache, and thus decrementing cached dst
counters, in dst_release too.

Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel")

If this has already been resolved, I'm sorry for the noise. Please let
me know if more trace or repro information would be useful.

Best regards,
Zezhong Ren
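
Added example, not part of the original message: a short triage script showing that the faulting address in the Oops header is the KASAN shadow address of the bad pointer, and that the pointer itself is non-canonical. The shadow offset and scale are the x86_64 generic-KASAN defaults, which is an assumption about the reporter's kernel config; the function names are hypothetical.

```python
import re

# Assumption: x86_64 generic KASAN defaults (the report does not state them).
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3          # one shadow byte tracks 8 bytes of memory
MASK64 = (1 << 64) - 1

# Header lines copied from the report above (wrapped as in the e-mail).
OOPS = """\
Oops: general protection fault, probably for non-canonical address
0xfc3ffbf11006d3ec: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe1ffff8880369f60-0xe1ffff8880369f67]
"""

def shadow_to_mem(shadow):
    """Invert shadow = (addr >> 3) + offset; return the 8-byte granule."""
    start = ((shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT) & MASK64
    return start, start + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1

def is_canonical(addr, va_bits=48):
    """x86_64 canonical form: bits 63..(va_bits-1) are all 0 or all 1."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1

def triage(oops_text):
    flat = " ".join(oops_text.split())    # undo mail line wrapping
    fault = int(re.search(r"non-canonical address (0x[0-9a-f]+)", flat).group(1), 16)
    m = re.search(r"in range \[(0x[0-9a-f]+)-(0x[0-9a-f]+)\]", flat)
    reported = tuple(int(x, 16) for x in m.groups())
    derived = shadow_to_mem(fault)
    return {
        "fault_addr": fault,
        "derived_range": derived,
        # True when the GPF hit the shadow byte, i.e. the KASAN check itself
        # faulted before the instrumented access ran.
        "fault_is_shadow_addr": derived == reported,
        "pointer_canonical": is_canonical(derived[0]),
    }

if __name__ == "__main__":
    r = triage(OOPS)
    print("bad pointer range: %#x-%#x" % r["derived_range"])
    print("fault is shadow address:", r["fault_is_shadow_addr"])
    print("pointer canonical:", r["pointer_canonical"])
```

The address to chase when debugging is the derived pointer range, not the address printed on the Oops line.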
