Re: [ovs-dev] [datapath backport 03/10] compat: ipv6: orphan skbs in reassembly unit.
On Thu, Apr 13, 2017 at 11:31 AM, Joe Stringer wrote: > On 6 April 2017 at 17:18, Andy Zhou wrote: >> From: Eric Dumazet >> >> Upstream commit: >> ipv6: orphan skbs in reassembly unit >> >> Andrey reported a use-after-free in IPv6 stack. >> >> Issue here is that we free the socket while it still has skb >> in TX path and in some queues. >> >> It happens here because IPv6 reassembly unit messes skb->truesize, >> breaking skb_set_owner_w() badly. >> >> We fixed a similar issue for IPV4 in commit 8282f27449bf ("inet: frag: >> Always orphan skbs inside ip_defrag()") >> Acked-by: Joe Stringer >> >> == >> BUG: KASAN: use-after-free in sock_wfree+0x118/0x120 >> Read of size 8 at addr 880062da0060 by task a.out/4140 >> >> page:ea00018b6800 count:1 mapcount:0 mapping: (null) >> index:0x0 compound_mapcount: 0 >> flags: 0x1008100(slab|head) >> raw: 01008100 000180130013 >> raw: dead0100 dead0200 88006741f140 >> page dumped because: kasan: bad access detected >> >> CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59 >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs >> 01/01/2011 >> Call Trace: >> __dump_stack lib/dump_stack.c:15 >> dump_stack+0x292/0x398 lib/dump_stack.c:51 >> describe_address mm/kasan/report.c:262 >> kasan_report_error+0x121/0x560 mm/kasan/report.c:370 >> kasan_report mm/kasan/report.c:392 >> __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413 >> sock_flag ./arch/x86/include/asm/bitops.h:324 >> sock_wfree+0x118/0x120 net/core/sock.c:1631 >> skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655 >> skb_release_all+0x15/0x60 net/core/skbuff.c:668 >> __kfree_skb+0x15/0x20 net/core/skbuff.c:684 >> kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705 >> inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304 >> inet_frag_put ./include/net/inet_frag.h:133 >> nf_ct_frag6_gather+0x1125/0x38b0 >> net/ipv6/netfilter/nf_conntrack_reasm.c:617 >> ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 >> nf_hook_entry_hookfn 
./include/linux/netfilter.h:102 >> nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310 >> nf_hook ./include/linux/netfilter.h:212 >> __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160 >> ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170 >> ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722 >> ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742 >> rawv6_push_pending_frames net/ipv6/raw.c:613 >> rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927 >> inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 >> sock_sendmsg_nosec net/socket.c:635 >> sock_sendmsg+0xca/0x110 net/socket.c:645 >> sock_write_iter+0x326/0x620 net/socket.c:848 >> new_sync_write fs/read_write.c:499 >> __vfs_write+0x483/0x760 fs/read_write.c:512 >> vfs_write+0x187/0x530 fs/read_write.c:560 >> SYSC_write fs/read_write.c:607 >> SyS_write+0xfb/0x230 fs/read_write.c:599 >> entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203 >> RIP: 0033:0x7ff26e6f5b79 >> RSP: 002b:7ff268e0ed98 EFLAGS: 0206 ORIG_RAX: 0001 >> RAX: ffda RBX: 7ff268e0f9c0 RCX: 7ff26e6f5b79 >> RDX: 0010 RSI: 20f50fe1 RDI: 0003 >> RBP: 7ff26ebc1220 R08: R09: >> R10: R11: 0206 R12: >> R13: 7ff268e0f9c0 R14: 7ff26efec040 R15: 0003 >> >> The buggy address belongs to the object at 880062da >> which belongs to the cache RAWv6 of size 1504 >> The buggy address 880062da0060 is located 96 bytes inside >> of 1504-byte region [880062da, 880062da05e0) >> >> Freed by task 4113: >> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 >> save_stack+0x43/0xd0 mm/kasan/kasan.c:502 >> set_track mm/kasan/kasan.c:514 >> kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578 >> slab_free_hook mm/slub.c:1352 >> slab_free_freelist_hook mm/slub.c:1374 >> slab_free mm/slub.c:2951 >> kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973 >> sk_prot_free net/core/sock.c:1377 >> __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452 >> sk_destruct+0x47/0x80 net/core/sock.c:1460 >> __sk_free+0x57/0x230 net/core/sock.c:1468 >> sk_free+0x23/0x30 net/core/sock.c:1479 >> sock_put 
./include/net/sock.h:1638 >> sk_common_release+0x31e/0x4e0 net/core/sock.c:2782 >> rawv6_close+0x54/0x80 net/ipv6/raw.c:1214 >> inet_release+0xed/0x1c0
Re: [ovs-dev] [datapath backport 03/10] compat: ipv6: orphan skbs in reassembly unit.
On 6 April 2017 at 17:18, Andy Zhou wrote: > From: Eric Dumazet > > Upstream commit: > ipv6: orphan skbs in reassembly unit > > Andrey reported a use-after-free in IPv6 stack. > > Issue here is that we free the socket while it still has skb > in TX path and in some queues. > > It happens here because IPv6 reassembly unit messes skb->truesize, > breaking skb_set_owner_w() badly. > > We fixed a similar issue for IPV4 in commit 8282f27449bf ("inet: frag: > Always orphan skbs inside ip_defrag()") > Acked-by: Joe Stringer > > == > BUG: KASAN: use-after-free in sock_wfree+0x118/0x120 > Read of size 8 at addr 880062da0060 by task a.out/4140 > > page:ea00018b6800 count:1 mapcount:0 mapping: (null) > index:0x0 compound_mapcount: 0 > flags: 0x1008100(slab|head) > raw: 01008100 000180130013 > raw: dead0100 dead0200 88006741f140 > page dumped because: kasan: bad access detected > > CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs > 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:15 > dump_stack+0x292/0x398 lib/dump_stack.c:51 > describe_address mm/kasan/report.c:262 > kasan_report_error+0x121/0x560 mm/kasan/report.c:370 > kasan_report mm/kasan/report.c:392 > __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413 > sock_flag ./arch/x86/include/asm/bitops.h:324 > sock_wfree+0x118/0x120 net/core/sock.c:1631 > skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655 > skb_release_all+0x15/0x60 net/core/skbuff.c:668 > __kfree_skb+0x15/0x20 net/core/skbuff.c:684 > kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705 > inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304 > inet_frag_put ./include/net/inet_frag.h:133 > nf_ct_frag6_gather+0x1125/0x38b0 > net/ipv6/netfilter/nf_conntrack_reasm.c:617 > ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 > nf_hook_entry_hookfn ./include/linux/netfilter.h:102 > nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310 > nf_hook 
./include/linux/netfilter.h:212 > __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160 > ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170 > ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722 > ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742 > rawv6_push_pending_frames net/ipv6/raw.c:613 > rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927 > inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 > sock_sendmsg_nosec net/socket.c:635 > sock_sendmsg+0xca/0x110 net/socket.c:645 > sock_write_iter+0x326/0x620 net/socket.c:848 > new_sync_write fs/read_write.c:499 > __vfs_write+0x483/0x760 fs/read_write.c:512 > vfs_write+0x187/0x530 fs/read_write.c:560 > SYSC_write fs/read_write.c:607 > SyS_write+0xfb/0x230 fs/read_write.c:599 > entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203 > RIP: 0033:0x7ff26e6f5b79 > RSP: 002b:7ff268e0ed98 EFLAGS: 0206 ORIG_RAX: 0001 > RAX: ffda RBX: 7ff268e0f9c0 RCX: 7ff26e6f5b79 > RDX: 0010 RSI: 20f50fe1 RDI: 0003 > RBP: 7ff26ebc1220 R08: R09: > R10: R11: 0206 R12: > R13: 7ff268e0f9c0 R14: 7ff26efec040 R15: 0003 > > The buggy address belongs to the object at 880062da > which belongs to the cache RAWv6 of size 1504 > The buggy address 880062da0060 is located 96 bytes inside > of 1504-byte region [880062da, 880062da05e0) > > Freed by task 4113: > save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 > save_stack+0x43/0xd0 mm/kasan/kasan.c:502 > set_track mm/kasan/kasan.c:514 > kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578 > slab_free_hook mm/slub.c:1352 > slab_free_freelist_hook mm/slub.c:1374 > slab_free mm/slub.c:2951 > kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973 > sk_prot_free net/core/sock.c:1377 > __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452 > sk_destruct+0x47/0x80 net/core/sock.c:1460 > __sk_free+0x57/0x230 net/core/sock.c:1468 > sk_free+0x23/0x30 net/core/sock.c:1479 > sock_put ./include/net/sock.h:1638 > sk_common_release+0x31e/0x4e0 net/core/sock.c:2782 > rawv6_close+0x54/0x80 net/ipv6/raw.c:1214 > 
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 > inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431 > sock_release+0x8d/0x1e0 net/socket.c:599 > sock_close+0x16/0x20 net/socket.c:1063 >
[ovs-dev] [datapath backport 03/10] compat: ipv6: orphan skbs in reassembly unit.
From: Eric Dumazet

Upstream commit: ipv6: orphan skbs in reassembly unit

Andrey reported a use-after-free in the IPv6 stack. The problem is that the socket is freed while skbs that still point at it (skb->sk, with sock_wfree as their destructor) remain in the TX path and in the reassembly queues; when the reassembly unit later drops such an skb, its destructor touches the already-freed socket. In the KASAN report below, sock_wfree() is reached from inet_frag_destroy() under nf_ct_frag6_gather() in task 4140 (still inside rawv6_sendmsg), while the socket had already been freed through rawv6_close() by task 4113. It happens because the IPv6 reassembly unit alters skb->truesize, which breaks the per-socket accounting that skb_set_owner_w() sets up from that value. We fixed a similar issue for IPv4 in commit 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()"); the fix here follows the same idea, orphaning skbs as they enter the IPv6 reassembly unit so that no socket reference outlives the truesize change. Acked-by: Joe Stringer == BUG: KASAN: use-after-free in sock_wfree+0x118/0x120 Read of size 8 at addr 880062da0060 by task a.out/4140 page:ea00018b6800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x1008100(slab|head) raw: 01008100 000180130013 raw: dead0100 dead0200 88006741f140 page dumped because: kasan: bad access detected CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:15 dump_stack+0x292/0x398 lib/dump_stack.c:51 describe_address mm/kasan/report.c:262 kasan_report_error+0x121/0x560 mm/kasan/report.c:370 kasan_report mm/kasan/report.c:392 __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413 sock_flag ./arch/x86/include/asm/bitops.h:324 sock_wfree+0x118/0x120 net/core/sock.c:1631 skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655 skb_release_all+0x15/0x60 net/core/skbuff.c:668 __kfree_skb+0x15/0x20 net/core/skbuff.c:684 kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705 inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304 inet_frag_put ./include/net/inet_frag.h:133 nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617 ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 nf_hook_entry_hookfn ./include/linux/netfilter.h:102 nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310 nf_hook ./include/linux/netfilter.h:212 __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160 ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170 ip6_send_skb+0xa1/0x340 
net/ipv6/ip6_output.c:1722 ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742 rawv6_push_pending_frames net/ipv6/raw.c:613 rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 sock_sendmsg_nosec net/socket.c:635 sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x326/0x620 net/socket.c:848 new_sync_write fs/read_write.c:499 __vfs_write+0x483/0x760 fs/read_write.c:512 vfs_write+0x187/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 SyS_write+0xfb/0x230 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203 RIP: 0033:0x7ff26e6f5b79 RSP: 002b:7ff268e0ed98 EFLAGS: 0206 ORIG_RAX: 0001 RAX: ffda RBX: 7ff268e0f9c0 RCX: 7ff26e6f5b79 RDX: 0010 RSI: 20f50fe1 RDI: 0003 RBP: 7ff26ebc1220 R08: R09: R10: R11: 0206 R12: R13: 7ff268e0f9c0 R14: 7ff26efec040 R15: 0003 The buggy address belongs to the object at 880062da which belongs to the cache RAWv6 of size 1504 The buggy address 880062da0060 is located 96 bytes inside of 1504-byte region [880062da, 880062da05e0) Freed by task 4113: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:502 set_track mm/kasan/kasan.c:514 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578 slab_free_hook mm/slub.c:1352 slab_free_freelist_hook mm/slub.c:1374 slab_free mm/slub.c:2951 kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973 sk_prot_free net/core/sock.c:1377 __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452 sk_destruct+0x47/0x80 net/core/sock.c:1460 __sk_free+0x57/0x230 net/core/sock.c:1468 sk_free+0x23/0x30 net/core/sock.c:1479 sock_put ./include/net/sock.h:1638 sk_common_release+0x31e/0x4e0 net/core/sock.c:2782 rawv6_close+0x54/0x80 net/ipv6/raw.c:1214 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431 sock_release+0x8d/0x1e0 net/socket.c:599 sock_close+0x16/0x20 net/socket.c:1063 __fput+0x332/0x7f0 fs/file_table.c:208 fput+0x15/0x20 fs/file_table.c:244 
task_work_run+0x19b/0x270 kernel/task_work.c:116 exit_task_work ./include/linux/task_work.h:21 do_exit+0x186b/0x2800 kernel/exit.c:839 do_group_exit+0x149/0x420