Re: Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.

2018-04-18 Thread Ursula Braun


On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> This may already be fixed.
> 
> Begin forwarded message:
> 
> Date: Wed, 18 Apr 2018 01:52:59 +
> From: bugzilla-dae...@bugzilla.kernel.org
> To: step...@networkplumber.org
> Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing 
> null pointer vulnerability.
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199429
> 
> Bug ID: 199429
>Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
> pointer vulnerability.
>Product: Networking
>Version: 2.5
> Kernel Version: 4.16.0-rc7
>   Hardware: All
> OS: Linux
>   Tree: Mainline
> Status: NEW
>   Severity: normal
>   Priority: P1
>  Component: Other
>   Assignee: step...@networkplumber.org
>   Reporter: 1773876...@qq.com
> Regression: No
> 
> Created attachment 275431
>   --> https://bugzilla.kernel.org/attachment.cgi?id=275431=edit  
> POC
> 
> Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
> 
> NET: Registered protocol family 43

Thanks for reporting. This fix is needed here:

 net/smc/af_smc.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s
(sk->sk_state != SMC_APPCLOSEWAIT2) &&
(sk->sk_state != SMC_APPFINCLOSEWAIT))
goto out;
-   if (smc->use_fallback) {
+   if (smc->use_fallback || sk->sk_state == SMC_LISTEN) {
rc = kernel_sock_shutdown(smc->clcsock, how);
sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
if (sk->sk_shutdown == SHUTDOWN_MASK)
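Review bot: the new `if (smc->use_fallback || sk->sk_state == SMC_LISTEN)` branch dereferences `smc->clcsock` and then `smc->clcsock->sk` with no NULL check in the visible lines, while the report being answered is a NULL-pointer-style general protection fault inside kernel_sock_shutdown reached from smc_shutdown, and the reporter's gdb session shows a watchpoint firing on `clcsock` of that smc_sock being overwritten. A one-line comment stating why `clcsock` is guaranteed valid for a socket in SMC_LISTEN at this point, and why a listening socket must take the clcsock shutdown path instead of the SMC-level close path (the gdb session stops at `rc = smc_close_active(smc);`), would make the change reviewable without the crash log. The patch also carries no commit message and no Fixes: tag naming the commit that introduced the listen-state handling.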

Kind regards, Ursula



Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.

2018-04-17 Thread Stephen Hemminger
This may already be fixed.

Begin forwarded message:

Date: Wed, 18 Apr 2018 01:52:59 +
From: bugzilla-dae...@bugzilla.kernel.org
To: step...@networkplumber.org
Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing 
null pointer vulnerability.


https://bugzilla.kernel.org/show_bug.cgi?id=199429

Bug ID: 199429
   Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
pointer vulnerability.
   Product: Networking
   Version: 2.5
Kernel Version: 4.16.0-rc7
  Hardware: All
OS: Linux
  Tree: Mainline
Status: NEW
  Severity: normal
  Priority: P1
 Component: Other
  Assignee: step...@networkplumber.org
  Reporter: 1773876...@qq.com
Regression: No

Created attachment 275431
  --> https://bugzilla.kernel.org/attachment.cgi?id=275431=edit  
POC

Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.

NET: Registered protocol family 43
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in: smc ib_core binfmt_misc joydev hid_generic snd_pcm snd_timer
snd usbmouse usbhid soundcore psmouse e1000 hid pcspkr parport_pc input_leds
i2c_piix4 parport serio_raw floppy qemu_fw_cfg evbug mac_hid
CPU: 1 PID: 1751 Comm: syzkaller252340 Not tainted 4.16.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
04/01/2014
RIP: 0010:kernel_sock_shutdown+0x29/0x70 net/socket.c:3255
Call Trace:
 smc_shutdown+0x431/0x4a0 [smc]
 SYSC_shutdown net/socket.c:1901 [inline]
 SyS_shutdown+0x140/0x250 net/socket.c:1892
 do_syscall_64+0x2ee/0x580 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4431a9
RIP: kernel_sock_shutdown+0x29/0x70 net/socket.c:3255 RSP: 88000666fcf8
---[ end trace ac1ba3c5e5bfa977 ]---

0xa02d1a82  1258  rc = smc_close_active(smc);
Dump of assembler code from 0xa02d1a82 to 0xa02d1a8c:
=> 0xa02d1a82 :  call   0xa02f3c50
   0xa02d1a87 :  mov    r13d,eax
   0xa02d1a8a :  call   0x813fc430
End of assembler dump.
(gdb) b *0xa02d1a87
Breakpoint 36 at 0xa02d1a87: file ../net/smc/af_smc.c, line 1258.
(gdb) c
Continuing.
[Switching to Thread 4]

Thread 4 hit Hardware watchpoint 34: ((struct smc_sock*) 0x88005be55b40)->clcsock

Old value = (struct socket *) 0x880058fa5100
New value = (struct socket