Re: Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> This may already be fixed.
>
> Begin forwarded message:
>
> Date: Wed, 18 Apr 2018 01:52:59 +
> From: bugzilla-dae...@bugzilla.kernel.org
> To: step...@networkplumber.org
> Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199429
>
> Bug ID: 199429
> Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
> Product: Networking
> Version: 2.5
> Kernel Version: 4.16.0-rc7
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: step...@networkplumber.org
> Reporter: 1773876...@qq.com
> Regression: No
>
> Created attachment 275431
> --> https://bugzilla.kernel.org/attachment.cgi?id=275431=edit
> POC
>
> Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
>
> NET: Registered protocol family 43

Thanks for reporting. This fix is needed here:

 net/smc/af_smc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s
 	    (sk->sk_state != SMC_APPCLOSEWAIT2) &&
 	    (sk->sk_state != SMC_APPFINCLOSEWAIT))
 		goto out;
-	if (smc->use_fallback) {
+	if (smc->use_fallback || sk->sk_state == SMC_LISTEN) {
 		rc = kernel_sock_shutdown(smc->clcsock, how);
 		sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
 		if (sk->sk_shutdown == SHUTDOWN_MASK)

Kind regards,
Ursula
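Review bot: the hunk lacks a commit message and a Fixes: tag explaining why sending a listening socket down the fallback branch (shutdown issued directly on smc->clcsock) avoids the fault, and that reasoning is what a reviewer needs to check. The forwarded gdb session shows the hardware watchpoint on ->clcsock firing at "rc = smc_close_active(smc);" (af_smc.c line 1258) and the oops in kernel_sock_shutdown() called from smc_shutdown(), so the message should state that in SMC_LISTEN state the clcsock must be shut down before, and instead of, the smc_close_active() path that replaces it. Note also that the added branch still dereferences smc->clcsock->sk unconditionally on the line after the + line; it is worth saying explicitly that a socket in SMC_LISTEN state always holds a valid clcsock at this point, or adding a check if it does not.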
Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
This may already be fixed.

Begin forwarded message:

Date: Wed, 18 Apr 2018 01:52:59 +
From: bugzilla-dae...@bugzilla.kernel.org
To: step...@networkplumber.org
Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.

https://bugzilla.kernel.org/show_bug.cgi?id=199429

Bug ID: 199429
Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
Product: Networking
Version: 2.5
Kernel Version: 4.16.0-rc7
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: step...@networkplumber.org
Reporter: 1773876...@qq.com
Regression: No

Created attachment 275431
--> https://bugzilla.kernel.org/attachment.cgi?id=275431=edit
POC

Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.

NET: Registered protocol family 43
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in: smc ib_core binfmt_misc joydev hid_generic snd_pcm snd_timer snd usbmouse usbhid soundcore psmouse e1000 hid pcspkr parport_pc input_leds i2c_piix4 parport serio_raw floppy qemu_fw_cfg evbug mac_hid
CPU: 1 PID: 1751 Comm: syzkaller252340 Not tainted 4.16.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:kernel_sock_shutdown+0x29/0x70 net/socket.c:3255
Call Trace:
 smc_shutdown+0x431/0x4a0 [smc]
 SYSC_shutdown net/socket.c:1901 [inline]
 SyS_shutdown+0x140/0x250 net/socket.c:1892
 do_syscall_64+0x2ee/0x580 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4431a9
RIP: kernel_sock_shutdown+0x29/0x70 net/socket.c:3255 RSP: 88000666fcf8
---[ end trace ac1ba3c5e5bfa977 ]---

0xa02d1a82	1258		rc = smc_close_active(smc);
Dump of assembler code from 0xa02d1a82 to 0xa02d1a8c:
=> 0xa02d1a82:	call   0xa02f3c50
   0xa02d1a87:	mov    r13d,eax
   0xa02d1a8a:	call   0x813fc430
End of assembler dump.
ni:3: Error in sourced command file: Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) b *0xa02d1a87
Breakpoint 36 at 0xa02d1a87: file ../net/smc/af_smc.c, line 1258.
(gdb) c
Continuing.
[Switching to Thread 4]
Thread 4 hit Hardware watchpoint 34: ((struct smc_sock*) 0x88005be55b40)->clcsock
Old value = (struct socket *) 0x880058fa5100
New value = (struct socket