Re: KASAN: use-after-free Read in rxrpc_send_keepalive

2019-10-04 Thread David Howells 
This is the fix, I think.

David
---
rxrpc: Fix call ref leak

When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.

This causes the following symptom to show up with kasan:

BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
net/rxrpc/output.c:635
Read of size 8 at addr 888064219698 by task kworker/0:3/11077

where line 635 is:

whdr.epoch  = htonl(peer->local->rxnet->epoch);

The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).

Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com
Signed-off-by: David Howells 
---
 sendmsg.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 6cd55b1d79f9..79b5b23db4c1 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -661,6 +661,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr 
*msg, size_t len)
case RXRPC_CALL_SERVER_PREALLOC:
case RXRPC_CALL_SERVER_SECURING:
case RXRPC_CALL_SERVER_ACCEPTING:
+   rxrpc_put_call(call, rxrpc_call_put);
ret = -EBUSY;
goto error_release_sock;
default:

Re: KASAN: use-after-free Read in rxrpc_send_keepalive

2019-09-10 Thread syzbot 

syzbot has found a reproducer for the following crash on:

HEAD commit:3120b9a6 Merge tag 'ipc-fixes' of git://git.kernel.org/pub..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107d1ca560
kernel config:  https://syzkaller.appspot.com/x/.config?x=ed2b148cd67382ec
dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31
compiler:   clang version 9.0.0 (/home/glider/llvm/clang  
80fee25776c2fb61e74c1ecb1a523375c2500b69)

syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1734709560
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=143bcca560

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0xe2/0x3c0  
net/rxrpc/output.c:634

Read of size 8 at addr 8880a859a058 by task kworker/0:2/3016

CPU: 0 PID: 3016 Comm: kworker/0:2 Not tainted 5.3.0-rc8+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 print_address_description+0x75/0x5b0 mm/kasan/report.c:351
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482
 kasan_report+0x26/0x50 mm/kasan/common.c:618
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 rxrpc_send_keepalive+0xe2/0x3c0 net/rxrpc/output.c:634
 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
 rxrpc_peer_keepalive_worker+0x76e/0xb40 net/rxrpc/peer_event.c:430
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 9378:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:493
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 rxrpc_alloc_connection+0x79/0x490 net/rxrpc/conn_object.c:41
 rxrpc_alloc_client_connection net/rxrpc/conn_client.c:176 [inline]
 rxrpc_get_client_conn net/rxrpc/conn_client.c:339 [inline]
 rxrpc_connect_call+0xb30/0x2c40 net/rxrpc/conn_client.c:697
 rxrpc_new_client_call+0x6d5/0xb60 net/rxrpc/call_object.c:289
 rxrpc_new_client_call_for_sendmsg net/rxrpc/sendmsg.c:595 [inline]
 rxrpc_do_sendmsg+0xf2b/0x19b0 net/rxrpc/sendmsg.c:652
 rxrpc_sendmsg+0x5eb/0x8b0 net/rxrpc/af_rxrpc.c:585
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg net/socket.c:657 [inline]
 ___sys_sendmsg+0x60d/0x910 net/socket.c:2311
 __sys_sendmmsg+0x239/0x470 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2439
 do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x115/0x200 mm/slab.c:3756
 rxrpc_destroy_connection+0x1ec/0x240 net/rxrpc/conn_object.c:372
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2114 [inline]
 rcu_core+0x892/0xf10 kernel/rcu/tree.c:2314
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778

The buggy address belongs to the object at 8880a859a040
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [8880a859a040, 8880a859a440)
The buggy address belongs to the page:
page:ea0002a16680 refcount:1 mapcount:0 mapping:8880aa400c40  
index:0x0 compound_mapcount: 0

flags: 0x1fffc010200(slab|head)
raw: 01fffc010200 ea00024cc688 ea0002684d88 8880aa400c40
raw:  8880a859a040 00010007 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8880a8599f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8880a8599f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

8880a859a000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb

^
 8880a859a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8880a859a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

Re: KASAN: use-after-free Read in rxrpc_send_keepalive

2019-08-29 Thread syzbot 

syzbot has found a reproducer for the following crash on:

HEAD commit:ed2393ca Add linux-next specific files for 20190827
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=156adb1e60
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ef5940a07ed45f4
dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=167ab58260

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
==
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940  
net/rxrpc/output.c:634

Read of size 8 at addr 888086b01218 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc6-next-20190827 #74
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:634
 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
 rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:430
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8741:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:510 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:483
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x163/0x770 mm/slab.c:3664
 kmalloc_array include/linux/slab.h:614 [inline]
 kcalloc include/linux/slab.h:625 [inline]
 alloc_pipe_info+0x199/0x420 fs/pipe.c:676
 get_pipe_inode fs/pipe.c:738 [inline]
 create_pipe_files+0x8e/0x730 fs/pipe.c:770
 __do_pipe_flags+0x48/0x250 fs/pipe.c:807
 do_pipe2+0x84/0x160 fs/pipe.c:855
 __do_sys_pipe2 fs/pipe.c:873 [inline]
 __se_sys_pipe2 fs/pipe.c:871 [inline]
 __x64_sys_pipe2+0x54/0x80 fs/pipe.c:871
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8741:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3756
 free_pipe_info+0x243/0x300 fs/pipe.c:709
 put_pipe_info+0xd0/0xf0 fs/pipe.c:582
 pipe_release+0x1e6/0x280 fs/pipe.c:603
 __fput+0x2ff/0x890 fs/file_table.c:280
 fput+0x16/0x20 fs/file_table.c:313
 task_work_run+0x145/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x316/0x380 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x65f/0x760 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 888086b01200
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [888086b01200, 888086b01600)
The buggy address belongs to the page:
page:ea00021ac000 refcount:1 mapcount:0 mapping:8880aa400c40  
index:0x888086b00480 compound_mapcount: 0

flags: 0x1fffc010200(slab|head)
raw: 01fffc010200 ea00027b5588 ea00028e3808 8880aa400c40
raw: 888086b00480 888086b0 00010003 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 888086b01100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 888086b01180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

888086b01200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

^
 888086b01280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 888086b01300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

KASAN: use-after-free Read in rxrpc_send_keepalive

2019-08-09 Thread syzbot 

Hello,

syzbot found the following crash on:

HEAD commit:b678c568 Merge tag 'nfs-for-5.3-2' of git://git.linux-nfs...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ea5e3660
kernel config:  https://syzkaller.appspot.com/x/.config?x=a4c9e9f08e9e8960
dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940  
net/rxrpc/output.c:635

Read of size 8 at addr 888064219698 by task kworker/0:3/11077

CPU: 0 PID: 11077 Comm: kworker/0:3 Not tainted 5.3.0-rc3+ #96
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0xd4/0x306 mm/kasan/report.c:351
 __kasan_report.cold+0x1b/0x36 mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:612
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635
 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
 rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:430
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 20465:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:487 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:460
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
 rxrpc_lookup_local+0x64c/0x1b70 net/rxrpc/local_object.c:279
 rxrpc_sendmsg+0x379/0x5f0 net/rxrpc/af_rxrpc.c:566
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:449
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3756
 rxrpc_local_rcu+0x62/0x80 net/rxrpc/local_object.c:471
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2114 [inline]
 rcu_core+0x67f/0x1580 kernel/rcu/tree.c:2314
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
 __do_softirq+0x262/0x98c kernel/softirq.c:292

The buggy address belongs to the object at 888064219680
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [888064219680, 888064219a80)
The buggy address belongs to the page:
page:ea0001908600 refcount:1 mapcount:0 mapping:8880aa400c40  
index:0x888064218480 compound_mapcount: 0

flags: 0x1fffc010200(slab|head)
raw: 01fffc010200 ea00025f5a08 ea00028fca08 8880aa400c40
raw: 888064218480 888064218000 00010001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 888064219580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 888064219600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

888064219680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

^
 888064219700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 888064219780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.