Re: [ovs-dev] [datapath backport 03/10] compat: ipv6: orphan skbs in reassembly unit.

2017-04-13 Thread Andy Zhou
On Thu, Apr 13, 2017 at 11:31 AM, Joe Stringer  wrote:
> On 6 April 2017 at 17:18, Andy Zhou  wrote:

Re: [ovs-dev] [datapath backport 03/10] compat: ipv6: orphan skbs in reassembly unit.

2017-04-13 Thread Joe Stringer
On 6 April 2017 at 17:18, Andy Zhou  wrote:

[ovs-dev] [datapath backport 03/10] compat: ipv6: orphan skbs in reassembly unit.

2017-04-06 Thread Andy Zhou
From: Eric Dumazet 

Upstream commit:
ipv6: orphan skbs in reassembly unit

Andrey reported a use-after-free in IPv6 stack.

Issue here is that we free the socket while it still has skb
in TX path and in some queues.

It happens here because IPv6 reassembly unit messes skb->truesize,
breaking skb_set_owner_w() badly.

We fixed a similar issue for IPV4 in commit 8282f27449bf ("inet: frag:
Always orphan skbs inside ip_defrag()")
Acked-by: Joe Stringer 

==
BUG: KASAN: use-after-free in sock_wfree+0x118/0x120
Read of size 8 at addr 880062da0060 by task a.out/4140

page:ea00018b6800 count:1 mapcount:0 mapping:  (null)
index:0x0 compound_mapcount: 0
flags: 0x1008100(slab|head)
raw: 01008100   000180130013
raw: dead0100 dead0200 88006741f140 
page dumped because: kasan: bad access detected

CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15
 dump_stack+0x292/0x398 lib/dump_stack.c:51
 describe_address mm/kasan/report.c:262
 kasan_report_error+0x121/0x560 mm/kasan/report.c:370
 kasan_report mm/kasan/report.c:392
 __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413
 sock_flag ./arch/x86/include/asm/bitops.h:324
 sock_wfree+0x118/0x120 net/core/sock.c:1631
 skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655
 skb_release_all+0x15/0x60 net/core/skbuff.c:668
 __kfree_skb+0x15/0x20 net/core/skbuff.c:684
 kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705
 inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
 inet_frag_put ./include/net/inet_frag.h:133
 nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617
 ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
 nf_hook_entry_hookfn ./include/linux/netfilter.h:102
 nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
 nf_hook ./include/linux/netfilter.h:212
 __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160
 ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
 ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
 ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
 rawv6_push_pending_frames net/ipv6/raw.c:613
 rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927
 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
 sock_sendmsg_nosec net/socket.c:635
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x326/0x620 net/socket.c:848
 new_sync_write fs/read_write.c:499
 __vfs_write+0x483/0x760 fs/read_write.c:512
 vfs_write+0x187/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607
 SyS_write+0xfb/0x230 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
RIP: 0033:0x7ff26e6f5b79
RSP: 002b:7ff268e0ed98 EFLAGS: 0206 ORIG_RAX: 0001
RAX: ffda RBX: 7ff268e0f9c0 RCX: 7ff26e6f5b79
RDX: 0010 RSI: 20f50fe1 RDI: 0003
RBP: 7ff26ebc1220 R08:  R09: 
R10:  R11: 0206 R12: 
R13: 7ff268e0f9c0 R14: 7ff26efec040 R15: 0003

The buggy address belongs to the object at 880062da
 which belongs to the cache RAWv6 of size 1504
The buggy address 880062da0060 is located 96 bytes inside
 of 1504-byte region [880062da, 880062da05e0)

Freed by task 4113:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
 slab_free_hook mm/slub.c:1352
 slab_free_freelist_hook mm/slub.c:1374
 slab_free mm/slub.c:2951
 kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973
 sk_prot_free net/core/sock.c:1377
 __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452
 sk_destruct+0x47/0x80 net/core/sock.c:1460
 __sk_free+0x57/0x230 net/core/sock.c:1468
 sk_free+0x23/0x30 net/core/sock.c:1479
 sock_put ./include/net/sock.h:1638
 sk_common_release+0x31e/0x4e0 net/core/sock.c:2782
 rawv6_close+0x54/0x80 net/ipv6/raw.c:1214
 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431
 sock_release+0x8d/0x1e0 net/socket.c:599
 sock_close+0x16/0x20 net/socket.c:1063
 __fput+0x332/0x7f0 fs/file_table.c:208
 fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x19b/0x270 kernel/task_work.c:116
 exit_task_work ./include/linux/task_work.h:21
 do_exit+0x186b/0x2800 kernel/exit.c:839
 do_group_exit+0x149/0x420
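The accounting that the commit message says the reassembly unit breaks can be shown in a few lines. The following is an added illustration, not code from this thread, from Open vSwitch or from the upstream commit: a userspace model of skb_set_owner_w() / sock_wfree(), where an skb charges its truesize to the owning socket's sk_wmem_alloc when it takes ownership and uncharges it when freed, and the socket is freed when the count drops to zero (in the kernel sk_wmem_alloc is a refcount starting at 1 for the socket's own reference, released by sk_free() on close). All `model_*` names, the truesize values and the two-fragment sequence are assumptions made for the example. The buggy run lets reassembly grow the head skb's truesize after it was charged, so releasing the head uncharges more than was charged, the socket is freed early, and the still-owned fragment then touches it, which is the read in sock_wfree() that KASAN reported above. The fixed run orphans both skbs before reassembly touches truesize, as the commit title describes.

```c
/* Added example, not kernel code: a userspace model of the
 * skb->truesize / sk_wmem_alloc accounting from the commit message.
 * Every "model_" name is an assumption made for this illustration. */
#include <stdbool.h>
#include <stdio.h>

struct model_sock {
    long wmem_alloc; /* models sk_wmem_alloc: 1 (socket's own ref) + charged truesize */
    bool freed;      /* models the socket having gone through __sk_free() */
};

struct model_skb {
    struct model_sock *sk; /* models skb->sk; NULL once orphaned */
    long truesize;         /* models skb->truesize */
};

/* Models sock_init_data(): sk_wmem_alloc starts at 1 for the socket itself. */
static void model_sock_init(struct model_sock *sk)
{
    sk->wmem_alloc = 1;
    sk->freed = false;
}

/* Models skb_set_owner_w(): charge the truesize the skb has right now. */
static void model_set_owner_w(struct model_skb *skb, struct model_sock *sk)
{
    skb->sk = sk;
    sk->wmem_alloc += skb->truesize;
}

/* Models sock_wfree(): uncharge the truesize the skb has right now; whoever
 * drops the last unit frees the socket. Returns false when the socket it
 * touches is already freed, i.e. the use-after-free KASAN reported. */
static bool model_wfree(struct model_skb *skb)
{
    struct model_sock *sk = skb->sk;
    if (!sk)
        return true;          /* orphaned skb: nothing to uncharge */
    skb->sk = NULL;
    if (sk->freed)
        return false;         /* reading fields of a freed socket */
    sk->wmem_alloc -= skb->truesize;
    if (sk->wmem_alloc <= 0)
        sk->freed = true;
    return true;
}

/* Models sk_free() on the close path: drop the socket's own reference. */
static void model_sk_free(struct model_sock *sk)
{
    if (--sk->wmem_alloc <= 0)
        sk->freed = true;
}

/* Models the reassembly unit folding a fragment into the head skb:
 * head->truesize grows, but the charge taken earlier does not. */
static void model_reasm_merge(struct model_skb *head, struct model_skb *frag)
{
    head->truesize += frag->truesize;
}

/* Two owned skbs, reassembly, close(), then both skbs released.
 * Returns true if any sock_wfree() touched an already-freed socket. */
static bool model_run(bool orphan_in_reasm)
{
    struct model_sock sk;
    struct model_skb head = { .sk = NULL, .truesize = 1024 }; /* constructed sizes */
    struct model_skb frag = { .sk = NULL, .truesize = 512 };
    bool uaf = false;

    model_sock_init(&sk);
    model_set_owner_w(&head, &sk);   /* wmem_alloc = 1 + 1024 + 512 */
    model_set_owner_w(&frag, &sk);

    if (orphan_in_reasm) {           /* the fix: uncharge while truesize is still accurate */
        model_wfree(&head);
        model_wfree(&frag);
    }
    model_reasm_merge(&head, &frag); /* head.truesize is now 1536 */

    model_sk_free(&sk);              /* the closing task drops its reference */
    if (!model_wfree(&head))         /* buggy run: uncharges 1536, only 1024 was charged */
        uaf = true;
    if (!model_wfree(&frag))         /* buggy run: socket already gone */
        uaf = true;
    return uaf;
}

int main(void)
{
    printf("without skb_orphan(): use-after-free = %s\n", model_run(false) ? "yes" : "no");
    printf("with skb_orphan():    use-after-free = %s\n", model_run(true) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the invariant: the truesize uncharged in sock_wfree() must equal the truesize charged in skb_set_owner_w(). Any code that changes skb->truesize of an owned skb breaks it, so the reassembly unit must either keep the charge in sync or, as the commit does, orphan the skb first so there is no charge to keep in sync.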