[PATCH 4.9 058/104] net: ipconfig: fix ic_close_devs() use-after-free
4.9-stable review patch. If anyone has any objections, please let me know. -- 
From: Mark Rutland

[ Upstream commit ffefb6f4d6ad699a2b5484241bc46745a53235d0 ]

Our chosen ic_dev may be anywhere in our list of ic_devs, and we may free it before attempting to close others. When we compare d->dev and ic_dev->dev, we're potentially dereferencing memory returned to the allocator. This causes KASAN to scream for each subsequent ic_dev we check.

As there's a 1-1 mapping between ic_devs and netdevs, we can instead compare d and ic_dev directly, which implicitly handles the !ic_dev case, and avoids the use-after-free. The ic_dev pointer may be stale, but we will not dereference it.

Original splat:

[6.487446] ==
[6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr 800367efa708
[6.503013] Read of size 8 by task swapper/0/1
[6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc3-2-gda42158 #8
[6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 3.05.05-beta_rc Jan 27 2016
[6.523138] Call trace:
[6.525590] [] dump_backtrace+0x0/0x570
[6.530976] [] show_stack+0x20/0x30
[6.536017] [] dump_stack+0x120/0x188
[6.541231] [] kasan_object_err+0x24/0xa0
[6.546790] [] kasan_report_error+0x244/0x738
[6.552695] [] __asan_report_load8_noabort+0x54/0x80
[6.559204] [] ic_close_devs+0xc4/0x154
[6.564590] [] ip_auto_config+0x2ed4/0x2f1c
[6.570321] [] do_one_initcall+0xcc/0x370
[6.575882] [] kernel_init_freeable+0x5f8/0x6c4
[6.581959] [] kernel_init+0x18/0x190
[6.587171] [] ret_from_fork+0x10/0x40
[6.592468] Object at 800367efa700, in cache kmalloc-128 size: 128
[6.598969] Allocated:
[6.601324] PID = 1
[6.603427] save_stack_trace_tsk+0x0/0x418
[6.607603] save_stack_trace+0x20/0x30
[6.611430] kasan_kmalloc+0xd8/0x188
[6.615087] ip_auto_config+0x8c4/0x2f1c
[6.619002] do_one_initcall+0xcc/0x370
[6.622832] kernel_init_freeable+0x5f8/0x6c4
[6.627178] kernel_init+0x18/0x190
[6.630660] ret_from_fork+0x10/0x40
[6.634223] Freed:
[6.636233] PID = 1
[6.638334] save_stack_trace_tsk+0x0/0x418
[6.642510] save_stack_trace+0x20/0x30
[6.646337] 
kasan_slab_free+0x88/0x178 [6.650167] kfree+0xb8/0x478 [6.653131] ic_close_devs+0x130/0x154 [6.656875] ip_auto_config+0x2ed4/0x2f1c [6.660875] do_one_initcall+0xcc/0x370 [6.664705] kernel_init_freeable+0x5f8/0x6c4 [6.669051] kernel_init+0x18/0x190 [6.672534] ret_from_fork+0x10/0x40 [6.676098] Memory state around the buggy address: [6.680880] 800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [6.688078] 800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [6.695276] >800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [6.702469] ^ [6.705952] 800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [6.713149] 800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [6.720343] == [6.727536] Disabling lock debugging due to kernel taint Signed-off-by: Mark Rutland Cc: Alexey Kuznetsov Cc: David S. Miller Cc: Hideaki YOSHIFUJI Cc: James Morris Cc: Patrick McHardy Cc: net...@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/ipv4/ipconfig.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/ipconfig.c +++ b/net/ipv4/ipconfig.c @@ -306,7 +306,7 @@ static void __init ic_close_devs(void) while ((d = next)) { next = d->next; dev = d->dev; - if ((!ic_dev || dev != ic_dev->dev) && !netdev_uses_dsa(dev)) { + if (d != ic_dev && !netdev_uses_dsa(dev)) { pr_debug("IP-Config: Downing %s\n", dev->name); dev_change_flags(dev, d->flags); }
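Review bot: the new condition `if (d != ic_dev && !netdev_uses_dsa(dev))` compares a pointer that, per the commit message and the Freed trace (kfree called from ic_close_devs), may already have been released earlier in this same loop; comparing a stale pointer without dereferencing it is legitimate, but nothing at the `if` records that, so a later reader could "restore" the `ic_dev->dev` form and reintroduce the use-after-free. Suggest a one-line comment above the test, e.g. `/* ic_dev may already be freed: compare pointers only, never dereference */`. The correctness of `d != ic_dev` also rests on ic_dev always being an element of the ic_devs list (the 1-1 mapping the message cites); when ic_dev is NULL the test is true for every list element, so the dropped `!ic_dev` guard is indeed subsumed, and the `!netdev_uses_dsa(dev)` half is unchanged.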