[PATCH 4.9 058/104] net: ipconfig: fix ic_close_devs() use-after-free

2017-12-22 Thread Greg Kroah-Hartman 
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Mark Rutland 


[ Upstream commit ffefb6f4d6ad699a2b5484241bc46745a53235d0 ]

Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
free it before attempting to close others. When we compare d->dev and
ic_dev->dev, we're potentially dereferencing memory returned to the
allocator. This causes KASAN to scream for each subsequent ic_dev we
check.

As there's a 1-1 mapping between ic_devs and netdevs, we can instead
compare d and ic_dev directly, which implicitly handles the !ic_dev
case, and avoids the use-after-free. The ic_dev pointer may be stale,
but we will not dereference it.

Original splat:

[6.487446] 
==
[6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr 
800367efa708
[6.503013] Read of size 8 by task swapper/0/1
[6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 
4.11.0-rc3-2-gda42158 #8
[6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 
3.05.05-beta_rc Jan 27 2016
[6.523138] Call trace:
[6.525590] [] dump_backtrace+0x0/0x570
[6.530976] [] show_stack+0x20/0x30
[6.536017] [] dump_stack+0x120/0x188
[6.541231] [] kasan_object_err+0x24/0xa0
[6.546790] [] kasan_report_error+0x244/0x738
[6.552695] [] __asan_report_load8_noabort+0x54/0x80
[6.559204] [] ic_close_devs+0xc4/0x154
[6.564590] [] ip_auto_config+0x2ed4/0x2f1c
[6.570321] [] do_one_initcall+0xcc/0x370
[6.575882] [] kernel_init_freeable+0x5f8/0x6c4
[6.581959] [] kernel_init+0x18/0x190
[6.587171] [] ret_from_fork+0x10/0x40
[6.592468] Object at 800367efa700, in cache kmalloc-128 size: 128
[6.598969] Allocated:
[6.601324] PID = 1
[6.603427]  save_stack_trace_tsk+0x0/0x418
[6.607603]  save_stack_trace+0x20/0x30
[6.611430]  kasan_kmalloc+0xd8/0x188
[6.615087]  ip_auto_config+0x8c4/0x2f1c
[6.619002]  do_one_initcall+0xcc/0x370
[6.622832]  kernel_init_freeable+0x5f8/0x6c4
[6.627178]  kernel_init+0x18/0x190
[6.630660]  ret_from_fork+0x10/0x40
[6.634223] Freed:
[6.636233] PID = 1
[6.638334]  save_stack_trace_tsk+0x0/0x418
[6.642510]  save_stack_trace+0x20/0x30
[6.646337]  kasan_slab_free+0x88/0x178
[6.650167]  kfree+0xb8/0x478
[6.653131]  ic_close_devs+0x130/0x154
[6.656875]  ip_auto_config+0x2ed4/0x2f1c
[6.660875]  do_one_initcall+0xcc/0x370
[6.664705]  kernel_init_freeable+0x5f8/0x6c4
[6.669051]  kernel_init+0x18/0x190
[6.672534]  ret_from_fork+0x10/0x40
[6.676098] Memory state around the buggy address:
[6.680880]  800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00
[6.688078]  800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[6.695276] >800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[6.702469]   ^
[6.705952]  800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[6.713149]  800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[6.720343] 
==
[6.727536] Disabling lock debugging due to kernel taint

Signed-off-by: Mark Rutland 
Cc: Alexey Kuznetsov 
Cc: David S. Miller 
Cc: Hideaki YOSHIFUJI 
Cc: James Morris 
Cc: Patrick McHardy 
Cc: net...@vger.kernel.org
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/ipconfig.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -306,7 +306,7 @@ static void __init ic_close_devs(void)
while ((d = next)) {
next = d->next;
dev = d->dev;
-   if ((!ic_dev || dev != ic_dev->dev) && !netdev_uses_dsa(dev)) {
+   if (d != ic_dev && !netdev_uses_dsa(dev)) {
pr_debug("IP-Config: Downing %s\n", dev->name);
dev_change_flags(dev, d->flags);
}

[PATCH 4.9 058/104] net: ipconfig: fix ic_close_devs() use-after-free

2017-12-22 Thread Greg Kroah-Hartman 
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Mark Rutland 


[ Upstream commit ffefb6f4d6ad699a2b5484241bc46745a53235d0 ]

Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
free it before attempting to close others. When we compare d->dev and
ic_dev->dev, we're potentially dereferencing memory returned to the
allocator. This causes KASAN to scream for each subsequent ic_dev we
check.

As there's a 1-1 mapping between ic_devs and netdevs, we can instead
compare d and ic_dev directly, which implicitly handles the !ic_dev
case, and avoids the use-after-free. The ic_dev pointer may be stale,
but we will not dereference it.

Original splat:

[6.487446] 
==
[6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr 
800367efa708
[6.503013] Read of size 8 by task swapper/0/1
[6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 
4.11.0-rc3-2-gda42158 #8
[6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 
3.05.05-beta_rc Jan 27 2016
[6.523138] Call trace:
[6.525590] [] dump_backtrace+0x0/0x570
[6.530976] [] show_stack+0x20/0x30
[6.536017] [] dump_stack+0x120/0x188
[6.541231] [] kasan_object_err+0x24/0xa0
[6.546790] [] kasan_report_error+0x244/0x738
[6.552695] [] __asan_report_load8_noabort+0x54/0x80
[6.559204] [] ic_close_devs+0xc4/0x154
[6.564590] [] ip_auto_config+0x2ed4/0x2f1c
[6.570321] [] do_one_initcall+0xcc/0x370
[6.575882] [] kernel_init_freeable+0x5f8/0x6c4
[6.581959] [] kernel_init+0x18/0x190
[6.587171] [] ret_from_fork+0x10/0x40
[6.592468] Object at 800367efa700, in cache kmalloc-128 size: 128
[6.598969] Allocated:
[6.601324] PID = 1
[6.603427]  save_stack_trace_tsk+0x0/0x418
[6.607603]  save_stack_trace+0x20/0x30
[6.611430]  kasan_kmalloc+0xd8/0x188
[6.615087]  ip_auto_config+0x8c4/0x2f1c
[6.619002]  do_one_initcall+0xcc/0x370
[6.622832]  kernel_init_freeable+0x5f8/0x6c4
[6.627178]  kernel_init+0x18/0x190
[6.630660]  ret_from_fork+0x10/0x40
[6.634223] Freed:
[6.636233] PID = 1
[6.638334]  save_stack_trace_tsk+0x0/0x418
[6.642510]  save_stack_trace+0x20/0x30
[6.646337]  kasan_slab_free+0x88/0x178
[6.650167]  kfree+0xb8/0x478
[6.653131]  ic_close_devs+0x130/0x154
[6.656875]  ip_auto_config+0x2ed4/0x2f1c
[6.660875]  do_one_initcall+0xcc/0x370
[6.664705]  kernel_init_freeable+0x5f8/0x6c4
[6.669051]  kernel_init+0x18/0x190
[6.672534]  ret_from_fork+0x10/0x40
[6.676098] Memory state around the buggy address:
[6.680880]  800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00
[6.688078]  800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[6.695276] >800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[6.702469]   ^
[6.705952]  800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc
[6.713149]  800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb
[6.720343] 
==
[6.727536] Disabling lock debugging due to kernel taint

Signed-off-by: Mark Rutland 
Cc: Alexey Kuznetsov 
Cc: David S. Miller 
Cc: Hideaki YOSHIFUJI 
Cc: James Morris 
Cc: Patrick McHardy 
Cc: net...@vger.kernel.org
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/ipconfig.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -306,7 +306,7 @@ static void __init ic_close_devs(void)
while ((d = next)) {
next = d->next;
dev = d->dev;
-   if ((!ic_dev || dev != ic_dev->dev) && !netdev_uses_dsa(dev)) {
+   if (d != ic_dev && !netdev_uses_dsa(dev)) {
pr_debug("IP-Config: Downing %s\n", dev->name);
dev_change_flags(dev, d->flags);
}