Message-ID: <20250618064126.2cf21b31@kernel.org>
Date: Wed, 18 Jun 2025 06:41:26 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Kuniyuki Iwashima <kuni1840@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
 <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Simon Horman
 <horms@...nel.org>, Kuniyuki Iwashima <kuniyu@...gle.com>,
 netdev@...r.kernel.org
Subject: Re: [PATCH v1 net 0/4] af_unix: Fix two OOB issues.

On Tue, 17 Jun 2025 21:34:38 -0700 Kuniyuki Iwashima wrote:
> Patch 1 fixes issues that happen when multiple consumed OOB
> skbs are placed consecutively in the recv queue.
> 
> Patch 2 fixes an inconsistent behaviour that close()ing a socket
> with a consumed OOB skb at the head of the recv queue triggers
> -ECONNRESET on the peer's recv().

It appears to break the scm_rights tests, including a UAF.


# #  RUN           scm_rights.stream_listener.self_ref ...
# # scm_rights.c:176:self_ref:Expected 0 (0) == ret (4)
# # self_ref: Test terminated by assertion
# #          FAIL  scm_rights.stream_listener.self_ref
# not ok 25 scm_rights.stream_listener.self_ref
# #  RUN           scm_rights.stream_listener.triangle ...
# # scm_rights.c:176:triangle:Expected 0 (0) == ret (12)
# # triangle: Test terminated by assertion
# #          FAIL  scm_rights.stream_listener.triangle
# not ok 26 scm_rights.stream_listener.triangle
# #  RUN           scm_rights.stream_listener.cross_edge ...
# # scm_rights.c:176:cross_edge:Expected 0 (0) == ret (16)
# # cross_edge: Test terminated by assertion
# #          FAIL  scm_rights.stream_listener.cross_edge
# not ok 27 scm_rights.stream_listener.cross_edge
# #  RUN           scm_rights.stream_listener.backtrack_from_scc ...

[ 5716.340166][T26625] ==================================================================
[ 5716.340494][T26625] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 5716.340761][T26625] Read of size 8 at addr ffff88801d8c6fd0 by task kworker/u17:0/26625
[ 5716.341015][T26625] 
[ 5716.341103][T26625] CPU: 2 UID: 0 PID: 26625 Comm: kworker/u17:0 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full) 
[ 5716.341109][T26625] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 5716.341112][T26625] Workqueue: events_unbound __unix_gc
[ 5716.341118][T26625] Call Trace:
[ 5716.341120][T26625]  <TASK>
[ 5716.341123][T26625]  dump_stack_lvl+0x82/0xd0
[ 5716.341133][T26625]  print_address_description.constprop.0+0x2c/0x400
[ 5716.341141][T26625]  ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341145][T26625]  print_report+0xb4/0x270
[ 5716.341148][T26625]  ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341152][T26625]  ? kasan_addr_to_slab+0x25/0x80
[ 5716.341155][T26625]  ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341158][T26625]  kasan_report+0xca/0x100
[ 5716.341163][T26625]  ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341168][T26625]  __unix_walk_scc+0x8e0/0xce0
[ 5716.341174][T26625]  ? __pfx___unix_walk_scc+0x10/0x10
[ 5716.341178][T26625]  ? do_raw_spin_lock+0x130/0x270
[ 5716.341185][T26625]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 5716.341189][T26625]  ? lock_acquire+0x10c/0x170
[ 5716.341192][T26625]  ? __unix_gc+0x8b/0x400
[ 5716.341197][T26625]  __unix_gc+0x29f/0x400
[ 5716.341201][T26625]  ? __pfx___unix_gc+0x10/0x10
[ 5716.341207][T26625]  ? rcu_is_watching+0x12/0xc0
[ 5716.341215][T26625]  ? rcu_is_watching+0x12/0xc0
[ 5716.341219][T26625]  process_one_work+0xe43/0x1660
[ 5716.341228][T26625]  ? __pfx_process_one_work+0x10/0x10
[ 5716.341233][T26625]  ? assign_work+0x16c/0x240
[ 5716.341241][T26625]  worker_thread+0x591/0xcf0
[ 5716.341246][T26625]  ? __pfx_worker_thread+0x10/0x10
[ 5716.341250][T26625]  kthread+0x37e/0x600
[ 5716.341254][T26625]  ? __pfx_kthread+0x10/0x10
[ 5716.341256][T26625]  ? ret_from_fork+0x1b/0x320
[ 5716.341261][T26625]  ? __lock_release+0x5d/0x170
[ 5716.341265][T26625]  ? rcu_is_watching+0x12/0xc0
[ 5716.341268][T26625]  ? __pfx_kthread+0x10/0x10
[ 5716.341271][T26625]  ret_from_fork+0x240/0x320
[ 5716.341274][T26625]  ? __pfx_kthread+0x10/0x10
[ 5716.341276][T26625]  ret_from_fork_asm+0x1a/0x30
[ 5716.341286][T26625]  </TASK>
[ 5716.341288][T26625] 
[ 5716.347648][T26625] Allocated by task 12654:
[ 5716.347814][T26625]  kasan_save_stack+0x24/0x50
[ 5716.347983][T26625]  kasan_save_track+0x14/0x30
[ 5716.348171][T26625]  __kasan_slab_alloc+0x59/0x70
[ 5716.348348][T26625]  kmem_cache_alloc_noprof+0x10b/0x330
[ 5716.348522][T26625]  sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 5716.348695][T26625]  sk_alloc+0x36/0x6c0
[ 5716.348823][T26625]  unix_create1+0x84/0x6f0
[ 5716.348991][T26625]  unix_create+0xcb/0x170
[ 5716.349119][T26625]  __sock_create+0x23c/0x6a0
[ 5716.349287][T26625]  __sys_socket+0x11a/0x1d0
[ 5716.349457][T26625]  __x64_sys_socket+0x72/0xb0
[ 5716.349634][T26625]  do_syscall_64+0xc1/0x380
[ 5716.349803][T26625]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5716.350014][T26625] 
[ 5716.350098][T26625] Freed by task 12654:
[ 5716.350223][T26625]  kasan_save_stack+0x24/0x50
[ 5716.350390][T26625]  kasan_save_track+0x14/0x30
[ 5716.350586][T26625]  kasan_save_free_info+0x3b/0x60
[ 5716.350759][T26625]  __kasan_slab_free+0x38/0x50
[ 5716.350930][T26625]  kmem_cache_free+0x149/0x330
[ 5716.351099][T26625]  __sk_destruct+0x46e/0x780
[ 5716.351269][T26625]  unix_release_sock+0xa0e/0xf90
[ 5716.351440][T26625]  unix_release+0x8c/0xf0
[ 5716.351574][T26625]  __sock_release+0xa6/0x260
[ 5716.351763][T26625]  sock_close+0x18/0x20
[ 5716.351980][T26625]  __fput+0x35c/0xa80
[ 5716.352125][T26625]  fput_close_sync+0xdd/0x190
[ 5716.352293][T26625]  __x64_sys_close+0x7d/0xd0
[ 5716.352464][T26625]  do_syscall_64+0xc1/0x380
[ 5716.352724][T26625]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5716.352933][T26625] 
[ 5716.353018][T26625] The buggy address belongs to the object at ffff88801d8c6940
[ 5716.353018][T26625]  which belongs to the cache UNIX-STREAM of size 1984
[ 5716.353553][T26625] The buggy address is located 1680 bytes inside of
[ 5716.353553][T26625]  freed 1984-byte region [ffff88801d8c6940, ffff88801d8c7100)
[ 5716.353951][T26625] 
[ 5716.354037][T26625] The buggy address belongs to the physical page:
[ 5716.354324][T26625] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d8c0
[ 5716.354621][T26625] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5716.354966][T26625] flags: 0x80000000000040(head|node=0|zone=1)
[ 5716.355181][T26625] page_type: f5(slab)
[ 5716.355311][T26625] raw: 0080000000000040 ffff888005b4edc0 ffffea00002b7610 ffffea0000763210
[ 5716.355702][T26625] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5716.356022][T26625] head: 0080000000000040 ffff888005b4edc0 ffffea00002b7610 ffffea0000763210
[ 5716.356330][T26625] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5716.356727][T26625] head: 0080000000000003 ffffea0000763001 00000000ffffffff 00000000ffffffff
[ 5716.357027][T26625] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5716.357434][T26625] page dumped because: kasan: bad access detected
[ 5716.357635][T26625] 
[ 5716.357716][T26625] Memory state around the buggy address:
[ 5716.357874][T26625]  ffff88801d8c6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.358115][T26625]  ffff88801d8c6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.358382][T26625] >ffff88801d8c6f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.358720][T26625]                                                  ^
[ 5716.358921][T26625]  ffff88801d8c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.359162][T26625]  ffff88801d8c7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.359506][T26625] ==================================================================
[ 5716.359805][T26625] Disabling lock debugging due to kernel taint

# # scm_rights.c:176:backtrack_from_scc:Expected 0 (0) == ret (22)
# # backtrack_from_scc: Test terminated by assertion
# #          FAIL  scm_rights.stream_listener.backtrack_from_scc
# not ok 28 scm_rights.stream_listener.backtrack_from_scc
-- 
pw-bot: cr
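A small triage helper, added here and not part of Jakub's mail or the kernel tree, that parses a KASAN slab report (an abridged copy of the one above is embedded as constructed input) into the object's lifecycle: allocated under socket(), freed under close(), then read again from the GC walk in __unix_walk_scc, 1680 bytes into a freed UNIX-STREAM object.

```python
import re

# Constructed, abridged copy of the KASAN report quoted in the mail above.
SAMPLE = """\
[ 5716.340494][T26625] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 5716.340761][T26625] Read of size 8 at addr ffff88801d8c6fd0 by task kworker/u17:0/26625
[ 5716.341118][T26625] Call Trace:
[ 5716.341168][T26625]  __unix_walk_scc+0x8e0/0xce0
[ 5716.347648][T26625] Allocated by task 12654:
[ 5716.348823][T26625]  unix_create1+0x84/0x6f0
[ 5716.349457][T26625]  __x64_sys_socket+0x72/0xb0
[ 5716.350098][T26625] Freed by task 12654:
[ 5716.351269][T26625]  unix_release_sock+0xa0e/0xf90
[ 5716.352293][T26625]  __x64_sys_close+0x7d/0xd0
[ 5716.353018][T26625] The buggy address belongs to the object at ffff88801d8c6940
[ 5716.353018][T26625]  which belongs to the cache UNIX-STREAM of size 1984
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[T\d+\]")  # dmesg timestamp and thread tag

def parse_kasan(text):
    """Extract bug kind, faulting access, object cache and the access/alloc/free stacks."""
    rep = {"stacks": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            rep["kind"], rep["access_fn"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            rep["access"], rep["size"], rep["addr"] = m[1].lower(), int(m[2]), int(m[3], 16)
        elif m := re.match(r"(Call Trace|Allocated by task \d+|Freed by task \d+):", line):
            section = m[1].split()[0].lower()       # call / allocated / freed
            rep["stacks"][section] = []
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["obj_addr"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
        elif section and (m := re.match(r"([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)):
            rep["stacks"][section].append(m[1])     # unreliable '? ...' frames are skipped
    if "addr" in rep and "obj_addr" in rep:
        rep["offset"] = rep["addr"] - rep["obj_addr"]  # byte offset of the access inside the object
    return rep

def lifecycle(rep):
    """Summarise as (allocating syscall, freeing syscall, function that touched the freed object)."""
    def syscall(frames):
        return next((f[len("__x64_sys_"):] for f in frames if f.startswith("__x64_sys_")), None)
    return (syscall(rep["stacks"].get("allocated", [])),
            syscall(rep["stacks"].get("freed", [])), rep.get("access_fn"))
```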
