Re: net/l2tp:BUG: KASAN: use-after-free in l2tp_ip6_close

2016-11-17 Thread Baozeng Ding

Hello Guillaume,
On 2016/11/17 5:07, Guillaume Nault wrote:
> On Wed, Nov 16, 2016 at 11:08:23AM -0800, Cong Wang wrote:
>> On Wed, Nov 16, 2016 at 8:30 AM, Guillaume Nault  
>> wrote:
>>> diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
>>> index fce25af..982f6c4 100644
>>> --- a/net/l2tp/l2tp_ip.c
>>> +++ b/net/l2tp/l2tp_ip.c
>>> @@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct 
>>> sockaddr *uaddr, int addr_len)
>>> int ret;
>>> int chk_addr_ret;
>>>
>>> -   if (!sock_flag(sk, SOCK_ZAPPED))
>>> -   return -EINVAL;
>>> if (addr_len < sizeof(struct sockaddr_l2tpip))
>>> return -EINVAL;
>>> if (addr->l2tp_family != AF_INET)
>>> @@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct 
>>> sockaddr *uaddr, int addr_len)
>>> read_unlock_bh(&l2tp_ip_lock);
>>>
>>> lock_sock(sk);
>>> +   if (!sock_flag(sk, SOCK_ZAPPED))
>>> +   goto out;
>>> +
>>> if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct 
>>> sockaddr_l2tpip))
>>> goto out;
>>>
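Review bot: The new `goto out` after `lock_sock(sk)` returns whatever `ret` holds at that point, and `ret` is last assigned in the lines between this hunk and the previous one, which are not shown; the check this replaces returned -EINVAL unconditionally, so if `ret` is not -EINVAL here a bind() on an already-bound socket silently changes its error code. The l2tp_ip6 hunk of the same patch sets `err = -EINVAL;` immediately before its SOCK_ZAPPED test, so the IPv4 side should match it: `ret = -EINVAL;` on the line before `if (!sock_flag(sk, SOCK_ZAPPED))`. The `__l2tp_ip_bind_lookup()` call that precedes `lock_sock()` still runs before the flag is checked, so, as the author notes, it stays racy and must not be relied on to reject a second binder. l2tp_ip_bind's body continues outside the hunk on both sides.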
>>> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
>>> index ad3468c..9978d01 100644
>>> --- a/net/l2tp/l2tp_ip6.c
>>> +++ b/net/l2tp/l2tp_ip6.c
>>> @@ -269,8 +269,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct 
>>> sockaddr *uaddr, int addr_len)
>>> int addr_type;
>>> int err;
>>>
>>> -   if (!sock_flag(sk, SOCK_ZAPPED))
>>> -   return -EINVAL;
>>> if (addr->l2tp_family != AF_INET6)
>>> return -EINVAL;
>>> if (addr_len < sizeof(*addr))
>>> @@ -296,6 +294,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct 
>>> sockaddr *uaddr, int addr_len)
>>> lock_sock(sk);
>>>
>>> err = -EINVAL;
>>> +   if (!sock_flag(sk, SOCK_ZAPPED))
>>> +   goto out_unlock;
>>> +
>>> if (sk->sk_state != TCP_CLOSE)
>>> goto out_unlock;
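Review bot: Nothing in the code records why the SOCK_ZAPPED test now sits under `lock_sock(sk)` instead of at the top of the function with the other argument checks, which invites a later cleanup to hoist it back and reopen the race; a one-line comment above the new test would pin it, e.g. `/* must be tested under lock_sock(): a concurrent bind() on this socket could otherwise pass too and link sk twice */`. The reason itself currently lives only in the thread's cover text, where the double insertion into the bind table is described. l2tp_ip6_bind's body continues outside the hunk.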
>>
>>
>> Makes sense, it should prevent a concurrent caller adding the socket
>> into bind table
>> twice after passing __l2tp_ip_bind_lookup() check.
> 
> Yes, and the __l2tp_ip_bind_lookup() call is also racy. But, by
> properly checking the SOCK_ZAPPED flag, we probably can remove this
> call entirely.
> 
> For now, I only wanted to make sure the issue was well identified. I'll
> submit a more complete patch for net (with protected SOCK_ZAPPED check
> in l2tp_ip_connect() too).
>
The patch fixes the issue for both l2tp_ip and l2tp_ip6.

Tested-by: Baozeng Ding 


Best Regards,
Baozeng Ding


Re: net/sctp: BUG: KASAN: stack-out-of-bounds in memcmp

2016-11-12 Thread Baozeng Ding


On 2016/11/10 13:48, Xin Long wrote:
> On Sat, Oct 15, 2016 at 4:28 PM, Baozeng Ding  wrote:
>> Hello Xin Long,
>>
>> On 2016/10/14 19:13, Xin Long wrote:
>>> On Sat, Aug 20, 2016 at 3:51 PM, Baozeng Ding  wrote:
>>>> Hello all,
>>>> The following program triggers  stack-out-of-bounds in memcmp. The kernel 
>>>> version is 4.8.0-rc1+ (on Aug 13 commit 
>>>> 118253a593bd1c57de2d1193df1ccffe1abe745b). Thanks.
>>> ...
>>>>
>>>> #define _GNU_SOURCE
>>>> #include 
>>>> #include 
>>>> #include 
>>>> #include 
>>>> #include 
>>>> #include 
>>>> #include 
>>>> #include 
>>>>
>>>> int main()
>>>> {
>>>> int fd;
>>>> mmap((void *)0x2000ul, 0xff2000ul, 0x3ul, 0x32ul, -1, 0x0ul);
>>>> fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
>>>> memcpy((void*)0x20f82f80, 
>>>> "\x0a\x00\xab\x12\x72\xd4\x19\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x85\xda\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>>>>  128);
>>>> bind(fd, (struct sockaddr*)0x20f82f80ul, 0x80ul);
>>>> *(uint64_t*)0x202e1fc8 = (uint64_t)0x20f77f80;
>>>> *(uint32_t*)0x202e1fd0 = (uint32_t)0x80;
>>>> *(uint64_t*)0x202e1fd8 = (uint64_t)0x20f7dfe0;
>>>> *(uint64_t*)0x202e1fe0 = (uint64_t)0x2;
>>>> *(uint64_t*)0x202e1fe8 = (uint64_t)0x20f77000;
>>>> *(uint64_t*)0x202e1ff0 = (uint64_t)0x3;
>>>> *(uint32_t*)0x202e1ff8 = (uint32_t)0x80;
>>>> memcpy((void*)0x20f77f80, 
>>>> "\x0a\x00\xab\x12\xb0\xb3\x20\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc2\xc2\x0b\xb2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>>>>  128);
>>>> *(uint64_t*)0x20f7dfe0 = (uint64_t)0x20f77fc5;
>>>> *(uint64_t*)0x20f7dfe8 = (uint64_t)0x3b;
>>>> *(uint64_t*)0x20f7dff0 = (uint64_t)0x20f77fac;
>>>> *(uint64_t*)0x20f7dff8 = (uint64_t)0x54;
>>>> memcpy((void*)0x20f77fc5, 
>>>> "\xa5\x7d\xf3\xc4\xfe\xd3\xfd\x44\x63\x00\x8c\x1e\x4c\x2e\x8d\x8d\x9a\x9c\x9c\x9d\x5b\x7c\xe1\x06\xf7\x15\x16\xed\x68\xd1\xfc\xf4\xa4\x3a\xe4\x69\x51\x16\x74\xf4\x1a\xcf\x0e\x99\xc3\xa3\x87\xe7\x81\x6c\x10\x78\x75\x17\x69\x9d\x11\x0c\xc7",
>>>>  59);
>>>> memcpy((void*)0x20f77fac, 
>>>> "\x86\x08\x89\x3c\xf3\x58\xea\xe7\x64\x6a\xfb\xb5\xe8\xdd\x5f\x69\xa5\xd4\xdc\xd9\xe7\x71\x95\x07\x78\x7b\x21\xda\x43\x9c\x62\x4d\xca\x64\xb5\x6e\x96\x55\xe9\x58\x76\x66\x1d\xb9\x7b\xe6\x20\xc1\xa9\xed\x70\xc1\x2b\x7c\x86\x8c\xba\x28\xb3\x2c\xb9\x64\xb7\x84\x65\x0d\x7f\xa6\x98\x6f\x49\xcb\x35\xad\x5a\xdf\x13\x75\x99\x57\x7e\xbb\x38\x89",
>>>>  84);
>>>> *(uint64_t*)0x20f77000 = (uint64_t)0x15;
>>>> *(uint32_t*)0x20f77008 = (uint32_t)0x1;
>>>> *(uint32_t*)0x20f7700c = (uint32_t)0xfffe;
>>>> *(uint8_t*)0x20f77010 = (uint8_t)0xbb;
>>>> *(uint8_t*)0x20f77011 = (uint8_t)0x2;
>>>> *(uint8_t*)0x20f77012 = (uint8_t)0x5;
>>>> *(uint8_t*)0x20f77013 = (uint8_t)0x2;
>>>> *(uint8_t*)0x20f77014 = (uint8_t)0x8000;
>>>> *(uint64_t*)0x20f77015 = (uint64_t)0x10;
>>>> *(uint32_t*)0x20f7701d = (uint32_t)0x;
>>>> *(uint32_t*)0x20f77021 = (uint32_t)0x1;
>>>> *(uint64_t*)0x20f77025 = (uint64_t)0x13;
>>>> *(uint32_t*)0x20f7702d = (uint32_t)0x6;
>>>> *(uint32_t*)0x20f77031 = (uint32_t)0xfe00;
>>>> *(uint8_t*)0x20f77035 = (uint8_t)0x8000;
>>>> *(uint8_t*)0x20f77036 = (uint8_t)0xfff8;
>>>&g

Re: BUG: KASAN: use-after-free in udp_lib_get_port

2016-10-19 Thread Baozeng Ding
fb fb fb fb fb fb fb
 88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======

Best Regards,
Baozeng Ding

On 2016/10/17 3:53, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 6:46 AM, Baozeng Ding  wrote:
>> Hello all,
>> While running syzkaller fuzzer I have got the following use-after-free
>> bug in udp_lib_get_port. The kernel version is 4.8.0+ (on Oct 7 commit 
>> d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a 
>> reproducer for it.
>>
>> BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr 
>> 88000804cb60
>> Write of size 8 by task syz-executor/31190
>> CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
>> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>>  880015ac7a48 829f835b 880032b531c0 88000804cb40
>>  88000804d250 880017415a4a 880015ac7a70 8174d3cc
>>  880015ac7b00 88000804cb00 880032b531c0 880015ac7af0
>> Call Trace:
>>  [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
>>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [< inline >] print_address_description mm/kasan/report.c:194
>>  [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
>>  [< inline >] kasan_report mm/kasan/report.c:303
>>  [] __asan_report_store8_noabort+0x3e/0x40 
>> mm/kasan/report.c:329
>>  [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487
>>  [] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
>>  [] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
>>  [] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
>>  [] SYSC_bind+0x1ea/0x250 net/socket.c:1367
>>  [] SyS_bind+0x24/0x30 net/socket.c:1353
>>  [] entry_SYSCALL_64_fastpath+0x23/0xc6
> 
> 
> We should have a reference to this sock via fd and its sock->sk too,
> so I fail to see why it could be freed while we holding this reference.
> Maybe a VFS layer bug?
> 
>> Object at 88000804cb40, in cache UDPv6 size: 1496
>> Allocated:
>> PID = 30789
>>  [  378.305168] [] save_stack_trace+0x16/0x20
>>  [  378.305168] [] save_stack+0x46/0xd0
>>  [  378.305168] [] kasan_kmalloc+0xad/0xe0
>>  [  378.305168] [] kasan_slab_alloc+0x12/0x20
>>  [  378.305168] [< inline >] slab_post_alloc_hook mm/slab.h:417
>>  [  378.305168] [< inline >] slab_alloc_node mm/slub.c:2708
>>  [  378.305168] [< inline >] slab_alloc mm/slub.c:2716
>>  [  378.305168] [] kmem_cache_alloc+0xc8/0x2b0 
>> mm/slub.c:2721
>>  [  378.305168] [] sk_prot_alloc+0x69/0x2b0 
>> net/core/sock.c:1326
>>  [  378.305168] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
>>  [  378.305168] [] inet6_create+0x2d7/0x1000 
>> net/ipv6/af_inet6.c:182
>>  [  378.305168] [] __sock_create+0x37b/0x640 
>> net/socket.c:1153
>>  [  378.305168] [< inline >] sock_create net/socket.c:1193
>>  [  378.305168] [< inline >] SYSC_socket net/socket.c:1223
>>  [  378.305168] [] SyS_socket+0xef/0x1b0 net/socket.c:1203
>>  [  378.305168] [] entry_SYSCALL_64_fastpath+0x23/0xc6
>> Freed:
>> PID = 30789
>>  [  378.305168] [] save_stack_trace+0x16/0x20
>>  [  378.305168] [] save_stack+0x46/0xd0
>>  [  378.305168] [] kasan_slab_free+0x71/0xb0
>>  [  378.305168] [< inline >] slab_free_hook mm/slub.c:1352
>>  [  378.305168] [< inline >] slab_free_freelist_hook mm/slub.c:1374
>>  [  378.305168] [< inline >] slab_free mm/slub.c:2951
>>  [  378.305168] [] kmem_cache_free+0xc8/0x330 
>> mm/slub.c:2973
>>  [  378.305168] [< inline >] sk_prot_free net/core/sock.c:1369
>>  [  378.305168] [] __sk_destruct+0x32b/0x4f0 
>> net/core/sock.c:1444
>>  [  378.305168] [] sk_destruct+0x44/0x80 
>> net/core/sock.c:1452
>>  [  378.305168] [] __sk_free+0x53/0x220 
>> net/core/sock.c:1460
>>  [  378.305168] [] sk_free+0x23/0x30 net/core/sock.c:1471
>>  [  378.305168] [] sk_common_release+0x28c/0x3e0 
>> ./include/net/sock.h:1589
>>  [  378.305168] [] udp_lib_close+0x15/0x20 
>> ./include/net/udp.h:203
>>  [  378.305168] [] inet_release+0xed/0x1c0 
>> net/ipv4/af_inet.c:415
>>  [  378.305168] [] inet6_release+0x50/0x70 
>> net/ipv6/af_inet6.c:422
>>  [  378.305168] [] sock_release+0x8d/0x1d0 net/socket.c:570
>>  [  378.305168] [] sock_close+0x16/0x20 net/socket.c:1017
>>  [  378.305168] [] __fput+0x28c/0x780 fs/file_table.c:208
>>  [  378.305168] [

Re: net/l2tp:BUG: KASAN: use-after-free in l2tp_ip6_close

2016-10-19 Thread Baozeng Ding
This use-after-free seems to be triggered by a race, so the reproducer below has to be run many times. I used the stress tool for 
this: 
https://github.com/golang/tools/blob/master/cmd/stress/stress.go 
If you have the Go toolchain installed, the following will do: 
$ go get golang.org/x/tools/cmd/stress 
$ stress ./a.out

=
#include 
#include 
#include 
#include 
#include 
#include 

/*
 * Socket descriptor shared by all reproducer threads. It is written by the
 * thread running role 0 and read by the others with no synchronization at
 * all; that data race is the point of the reproducer, not a bug to fix.
 */
int fd;

/*
 * L2TP/IP address handed to every bind()/connect(): AF_INET, wildcard
 * address, tunnel connection id 8. Members not named here (l2tp_unused,
 * l2tp_addr, __pad) are zero-filled by the designated initializer, which is
 * exactly what the explicit zeros produced before.
 */
struct sockaddr_l2tpip sock_addr = {
	.l2tp_family = AF_INET,
	.l2tp_conn_id = 8,
};

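/*
 * Thread body for the reproducer. `arg` carries the thread's role as a small
 * integer: 0 creates the L2TP/IP socket and publishes it in the global `fd`;
 * 1 and 2 both bind() it; 3 connect()s it. Any other value does nothing.
 *
 * Return values of socket()/bind()/connect() are ignored on purpose: the aim
 * is to have bind/bind/connect overlap on one socket so the kernel-side
 * SOCK_ZAPPED check races (see the thread), not to check they succeed.
 * `fd` is accessed without locking for the same reason — adding
 * synchronization here would hide the bug being reproduced.
 *
 * NOTE(review): this program opens an AF_INET socket although the report it
 * accompanies names l2tp_ip6_close; the fix discussed in the thread covers
 * both address families.
 *
 * Always returns NULL.
 */
void *thr(void *arg)
{
	long role = (long)arg;

	switch (role) {
	case 0:
		fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_L2TP);
		break;
	case 1:
	case 2:
		/* two binders: the second must be rejected by a check made
		 * under the socket lock, otherwise the socket is hashed twice */
		bind(fd, (struct sockaddr *)&sock_addr, sizeof sock_addr);
		break;
	case 3:
		connect(fd, (struct sockaddr *)&sock_addr, sizeof sock_addr);
		break;
	default:
		/* roles outside 0..3 are never created by main() */
		break;
	}
	return NULL;
}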

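/*
 * Start the racing threads twice in a row and exit without joining them.
 *
 * First pass: roles 0..3 (socket, bind, bind, connect) started 1us apart.
 * Second pass: the same four roles again, pausing only after the
 * even-numbered ones, so role 0's fresh socket() overwrites the global fd
 * while other threads may still be inside bind()/connect() on it.
 * Returning from main() ends the process with threads still running; the
 * reported trace shows the socket being closed on the exit path
 * (do_exit -> task_work_run -> fput), which is consistent with that.
 *
 * pthread_create() failures are deliberately ignored — a missing thread only
 * means this particular run does not reproduce — and the handles are never
 * joined, so the second pass simply overwrites them. Run the binary in a
 * loop (e.g. `stress ./a.out`); a single run rarely hits the window.
 */
int main(void)
{
	pthread_t th[4];
	long role;

	for (role = 0; role < 4; role++) {
		pthread_create(&th[role], NULL, thr, (void *)role);
		usleep(1);
	}
	for (role = 0; role < 4; role++) {
		pthread_create(&th[role], NULL, thr, (void *)role);
		if (role % 2 == 0)
			usleep(1);
	}
	usleep(10);
	return 0;
}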

On 2016/10/17 3:50, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 8:07 AM, Baozeng Ding  wrote:
>> Hello,
>> While running syzkaller fuzzer I have got the following use-after-free
>> bug in l2tp_ip6_close. The kernel version is 4.8.0+ (on Oct 7 commit 
>> d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0).
>>
>> BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr 
>> 8800081b0ed8
>> Write of size 8 by task syz-executor/10987
>> CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
>> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>>  880031d97838 829f835b 88001b5a1640 8800081b0ec0
>>  8800081b15a0 8800081b6d20 880031d97860 8174d3cc
>>  880031d978f0 8800081b0e80 88001b5a1640 880031d978e0
>> Call Trace:
>>  [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
>>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [< inline >] print_address_description mm/kasan/report.c:194
>>  [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
>>  [< inline >] kasan_report mm/kasan/report.c:303
>>  [] __asan_report_store8_noabort+0x3e/0x40 
>> mm/kasan/report.c:329
>>  [< inline >] __write_once_size ./include/linux/compiler.h:249
>>  [< inline >] __hlist_del ./include/linux/list.h:622
>>  [< inline >] hlist_del_init ./include/linux/list.h:637
>>  [] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
> 
> 
> This one looks pretty interesting, how the hell could we call fput() twice
> on the same fd...
> 
> 
>>  [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
>>  [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>>  [] sock_release+0x8d/0x1d0 net/socket.c:570
>>  [] sock_close+0x16/0x20 net/socket.c:1017
>>  [] __fput+0x28c/0x780 fs/file_table.c:208
>>  [] fput+0x15/0x20 fs/file_table.c:244
>>  [] task_work_run+0xf9/0x170
>>  [] do_exit+0x85e/0x2a00
>>  [] do_group_exit+0x108/0x330
>>  [] get_signal+0x617/0x17a0 kernel/signal.c:2307
>>  [] do_signal+0x7f/0x18f0
>>  [] exit_to_usermode_loop+0xbf/0x150 
>> arch/x86/entry/common.c:156
>>  [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
>>  [] syscall_return_slowpath+0x1a0/0x1e0 
>> arch/x86/entry/common.c:259
>>  [] entry_SYSCALL_64_fastpath+0xc4/0xc6
>> Object at 8800081b0ec0, in cache L2TP/IPv6 size: 1448
>> Allocated:
>> PID = 10987
>>  [ 1116.897025] [] save_stack_trace+0x16/0x20
>>  [ 1116.897025] [] save_stack+0x46/0xd0
>>  [ 1116.897025] [] kasan_kmalloc+0xad/0xe0
>>  [ 1116.897025] [] kasan_slab_alloc+0x12/0x20
>>  [ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417
>>  [ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708
>>  [ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716
>>  [ 1116.897025] [] kmem_cache_alloc+0xc8/0x2b0 
>> mm/slub.c:2721
>>  [ 1116.897025] [] sk_prot_alloc+0x69/0x2b0 
>> net/core/sock.c:1326
>>  [ 1116.897025] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
>>  [ 1116.897025] 

Re: net/ipv6: potential deadlock in do_ipv6_setsockopt

2016-10-19 Thread Baozeng Ding
It fixes the issue for me. 
Tested-by: Baozeng Ding 

On 2016/10/17 17:54, Baozeng Ding wrote:
> Applied the patch to my test tree. I will tell you the result a few days 
> later. Thank you.
> 
> On 2016/10/17 2:50, Cong Wang wrote:
>> On Sun, Oct 16, 2016 at 6:34 AM, Baozeng Ding  wrote:
>>>  Possible unsafe locking scenario:
>>>
>>>CPU0CPU1
>>>
>>>   lock([  165.136033] sk_lock-AF_INET6
>>> );
>>>lock([  165.136033] rtnl_mutex
>>> );
>>>lock([  165.136033] sk_lock-AF_INET6
>>> );
>>>   lock([  165.136033] rtnl_mutex
>>> );
>>>
>>>  *** DEADLOCK ***
>>
>> This is caused by the conditional rtnl locking in do_ipv6_setsockopt().
>> It looks like we miss the case of IPV6_ADDRFORM.
>>
>> Please try the attached patch.
>>


Re: net/ipv6: potential deadlock in do_ipv6_setsockopt

2016-10-19 Thread Baozeng Ding

It fixes the issue for me. 
Tested-by: Baozeng Ding 

On 2016/10/17 17:54, Baozeng Ding wrote:
> Applied the patch to my test tree. I will tell you the result a few days 
> later. Thank you.
> 
> On 2016/10/17 2:50, Cong Wang wrote:
>> On Sun, Oct 16, 2016 at 6:34 AM, Baozeng Ding  wrote:
>>>  Possible unsafe locking scenario:
>>>
>>>CPU0CPU1
>>>
>>>   lock([  165.136033] sk_lock-AF_INET6
>>> );
>>>lock([  165.136033] rtnl_mutex
>>> );
>>>lock([  165.136033] sk_lock-AF_INET6
>>> );
>>>   lock([  165.136033] rtnl_mutex
>>> );
>>>
>>>  *** DEADLOCK ***
>>
>> This is caused by the conditional rtnl locking in do_ipv6_setsockopt().
>> It looks like we miss the case of IPV6_ADDRFORM.
>>
>> Please try the attached patch.
>>


Re: BUG: KASAN: use-after-free in udp_lib_get_port

2016-10-19 Thread Baozeng Ding
8 by task syz-executor/13522
CPU: 1 PID: 13522 Comm: syz-executor Tainted: GB   4.8.0+ #41
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 88002e4e77e0 829f835b 88002f488b40 88002f163c40
 88002f164350 880031781540 88002e4e7808 8174d3cc
 88002e4e7898 88002f163c00 88002f488b40 88002e4e7888
Call Trace:
 [] dump_stack+0xb3/0x118 /lib/dump_stack.c:15
 [] kasan_object_err+0x1c/0x70 /mm/kasan/report.c:156
 [< inline >] print_address_description /mm/kasan/report.c:194
 [] kasan_report_error+0x1f6/0x4d0 /mm/kasan/report.c:283
 [< inline >] kasan_report /mm/kasan/report.c:303
 [] __asan_report_store8_noabort+0x3e/0x40 
/mm/kasan/report.c:329
 [< inline >] hlist_del_init_rcu /./include/linux/list.h:624
 [] udp_lib_unhash+0x593/0x660 /net/ipv4/udp.c:1391
 [] sk_common_release+0xbd/0x3e0 /net/core/sock.c:2719
 [] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [] sock_release+0x8d/0x1d0 /net/socket.c:570
 [] sock_close+0x16/0x20 /net/socket.c:1017
 [] __fput+0x28c/0x780 /fs/file_table.c:208
 [] fput+0x15/0x20 /fs/file_table.c:244
 [] task_work_run+0xf9/0x170
 [] do_exit+0x85e/0x2a00
 [] do_group_exit+0x108/0x330
 [] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [] do_signal+0x7f/0x18f0
 [] exit_to_usermode_loop+0xbf/0x150 
/arch/x86/entry/common.c:156
 [< inline >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [] syscall_return_slowpath+0x1a0/0x1e0 
/arch/x86/entry/common.c:259
 [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at 88002f163c40, in cache UDPv6 size: 1496
Allocated:
PID = 13255
 [ 1773.617936] [] save_stack_trace+0x16/0x20
 [ 1773.617936] [] save_stack+0x46/0xd0
 [ 1773.617936] [] kasan_kmalloc+0xad/0xe0
 [ 1773.617936] [] kasan_slab_alloc+0x12/0x20
 [ 1773.617936] [< inline >] slab_post_alloc_hook /mm/slab.h:417
 [ 1773.617936] [< inline >] slab_alloc_node /mm/slub.c:2708
 [ 1773.617936] [< inline >] slab_alloc /mm/slub.c:2716
 [ 1773.617936] [] kmem_cache_alloc+0xc8/0x2b0 /mm/slub.c:2721
 [ 1773.617936] [] sk_prot_alloc+0x69/0x2b0 
/net/core/sock.c:1326
 [ 1773.617936] [] sk_alloc+0x38/0xae0 /net/core/sock.c:1388
 [ 1773.617936] [] inet6_create+0x2d7/0x1000 
/net/ipv6/af_inet6.c:182
 [ 1773.617936] [] __sock_create+0x37b/0x640 
/net/socket.c:1153
 [ 1773.617936] [< inline >] sock_create /net/socket.c:1193
 [ 1773.617936] [< inline >] SYSC_socket /net/socket.c:1223
 [ 1773.617936] [] SyS_socket+0xef/0x1b0 /net/socket.c:1203
 [ 1773.617936] [] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13261
 [ 1773.617936] [] save_stack_trace+0x16/0x20
 [ 1773.617936] [] save_stack+0x46/0xd0
 [ 1773.617936] [] kasan_slab_free+0x71/0xb0
 [ 1773.617936] [< inline >] slab_free_hook /mm/slub.c:1352
 [ 1773.617936] [< inline >] slab_free_freelist_hook /mm/slub.c:1374
 [ 1773.617936] [< inline >] slab_free /mm/slub.c:2951
 [ 1773.617936] [] kmem_cache_free+0xc8/0x330 /mm/slub.c:2973
 [ 1773.617936] [< inline >] sk_prot_free /net/core/sock.c:1369
 [ 1773.617936] [] __sk_destruct+0x32b/0x4f0 
/net/core/sock.c:1444
 [ 1773.617936] [] sk_destruct+0x44/0x80 /net/core/sock.c:1452
 [ 1773.617936] [] __sk_free+0x53/0x220 /net/core/sock.c:1460
 [ 1773.617936] [] sk_free+0x23/0x30 /net/core/sock.c:1471
 [ 1773.617936] [] sk_common_release+0x28c/0x3e0 
/./include/net/sock.h:1589
 [ 1773.617936] [] udp_lib_close+0x15/0x20 
/./include/net/udp.h:203
 [ 1773.617936] [] inet_release+0xed/0x1c0 
/net/ipv4/af_inet.c:415
 [ 1773.617936] [] inet6_release+0x5a/0x80 
/net/ipv6/af_inet6.c:424
 [ 1773.617936] [] sock_release+0x8d/0x1d0 /net/socket.c:570
 [ 1773.617936] [] sock_close+0x16/0x20 /net/socket.c:1017
 [ 1773.617936] [] __fput+0x28c/0x780 /fs/file_table.c:208
 [ 1773.617936] [] fput+0x15/0x20 /fs/file_table.c:244
 [ 1773.617936] [] task_work_run+0xf9/0x170
 [ 1773.617936] [] do_exit+0x85e/0x2a00
 [ 1773.617936] [] do_group_exit+0x108/0x330
 [ 1773.617936] [] get_signal+0x617/0x17a0 
/kernel/signal.c:2307
 [ 1773.617936] [] do_signal+0x7f/0x18f0
 [ 1773.617936] [] exit_to_usermode_loop+0xbf/0x150 
/arch/x86/entry/common.c:156
 [ 1773.617936] [< inline >] prepare_exit_to_usermode 
/arch/x86/entry/common.c:190
 [ 1773.617936] [] syscall_return_slowpath+0x1a0/0x1e0 
/arch/x86/entry/common.c:259
 [ 1773.617936] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 88002f163b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88002f163b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88002f163c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
   ^
 88002f163c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88002f163d00: fb fb fb fb fb fb fb fb fb fb

Re: net/ipv6: potential deadlock in do_ipv6_setsockopt

2016-10-17 Thread Baozeng Ding
Applied the patch to my test tree. I will tell you the result a few days later. 
Thank you.

On 2016/10/17 2:50, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 6:34 AM, Baozeng Ding  wrote:
>>  Possible unsafe locking scenario:
>>
>>CPU0CPU1
>>
>>   lock([  165.136033] sk_lock-AF_INET6
>> );
>>lock([  165.136033] rtnl_mutex
>> );
>>lock([  165.136033] sk_lock-AF_INET6
>> );
>>   lock([  165.136033] rtnl_mutex
>> );
>>
>>  *** DEADLOCK ***
> 
> This is caused by the conditional rtnl locking in do_ipv6_setsockopt().
> It looks like we miss the case of IPV6_ADDRFORM.
> 
> Please try the attached patch.
> 


net/l2tp:BUG: KASAN: use-after-free in l2tp_ip6_close

2016-10-16 Thread Baozeng Ding
fc fc fc fc fc fc fc fc fc fc
 8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
 8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

Best Regards,
Baozeng Ding


BUG: KASAN: use-after-free in udp_lib_rehash

2016-10-16 Thread Baozeng Ding
Hello all,
While running syzkaller fuzzer I have got the following use-after-free
bug in udp_lib_rehash. The kernel version is 4.8.0+ (on Oct 7 commit 
d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a 
reproducer for it.

BUG: KASAN: use-after-free in udp_lib_rehash+0x634/0x640 at addr 
88002f3fe1e0
Write of size 8 by task syz-executor/11156
CPU: 3 PID: 11156 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 88001acb7b58 829f835b 880034acd900 88002f3fe1c0
 88002f3fe8d0 c9230810 88001acb7b80 8174d3cc
 88001acb7c10 88002f3fe180 880034acd900 88001acb7c00
Call Trace:
 [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [< inline >] print_address_description mm/kasan/report.c:194
 [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [< inline >] kasan_report mm/kasan/report.c:303
 [] __asan_report_store8_noabort+0x3e/0x40 
mm/kasan/report.c:329
 [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487
 [] udp_lib_rehash+0x634/0x640 net/ipv4/udp.c:1429
 [] udp_v6_rehash+0x72/0xa0 net/ipv6/udp.c:115
 [] ip6_datagram_connect+0x786/0xc40
 [] inet_dgram_connect+0x112/0x1f0 net/ipv4/af_inet.c:530
 [] SYSC_connect+0x23e/0x2e0 net/socket.c:1533
 [] SyS_connect+0x24/0x30 net/socket.c:1514
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at 88002f3fe1c0, in cache UDPv6 size: 1496
Allocated:
PID = 11149
 [ 1921.980207] [] save_stack_trace+0x16/0x20
 [ 1921.980207] [] save_stack+0x46/0xd0
 [ 1921.980207] [] kasan_kmalloc+0xad/0xe0
 [ 1921.980207] [] kasan_slab_alloc+0x12/0x20
 [ 1921.980207] [< inline >] slab_post_alloc_hook mm/slab.h:417
 [ 1921.980207] [< inline >] slab_alloc_node mm/slub.c:2708
 [ 1921.980207] [< inline >] slab_alloc mm/slub.c:2716
 [ 1921.980207] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1921.980207] [] sk_prot_alloc+0x69/0x2b0 
net/core/sock.c:1326
 [ 1921.980207] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1921.980207] [] inet6_create+0x2d7/0x1000 
net/ipv6/af_inet6.c:182
 [ 1921.980207] [] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1921.980207] [< inline >] sock_create net/socket.c:1193
 [ 1921.980207] [< inline >] SYSC_socket net/socket.c:1223
 [ 1921.980207] [] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1921.980207] [] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 11157
 [ 1921.980207] [] save_stack_trace+0x16/0x20
 [ 1921.980207] [] save_stack+0x46/0xd0
 [ 1921.980207] [] kasan_slab_free+0x71/0xb0
 [ 1921.980207] [< inline >] slab_free_hook mm/slub.c:1352
 [ 1921.980207] [< inline >] slab_free_freelist_hook mm/slub.c:1374
 [ 1921.980207] [< inline >] slab_free mm/slub.c:2951
 [ 1921.980207] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1921.980207] [< inline >] sk_prot_free net/core/sock.c:1369
 [ 1921.980207] [] __sk_destruct+0x32b/0x4f0 
net/core/sock.c:1444
 [ 1921.980207] [] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1921.980207] [] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1921.980207] [] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1921.980207] [] sk_common_release+0x28c/0x3e0 
./include/net/sock.h:1589
 [ 1921.980207] [] udp_lib_close+0x15/0x20 
./include/net/udp.h:203
 [ 1921.980207] [] inet_release+0xed/0x1c0 
net/ipv4/af_inet.c:415
 [ 1921.980207] [] inet6_release+0x50/0x70 
net/ipv6/af_inet6.c:422
 [ 1921.980207] [] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1921.980207] [] sock_close+0x16/0x20 net/socket.c:1017
 [ 1921.980207] [] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1921.980207] [] fput+0x15/0x20 fs/file_table.c:244
 [ 1921.980207] [] task_work_run+0xf9/0x170
 [ 1921.980207] [] do_exit+0x85e/0x2a00
 [ 1921.980207] [] do_group_exit+0x108/0x330
 [ 1921.980207] [] get_signal+0x617/0x17a0 
kernel/signal.c:2307
 [ 1921.980207] [] do_signal+0x7f/0x18f0
 [ 1921.980207] [] exit_to_usermode_loop+0xbf/0x150 
arch/x86/entry/common.c:156
 [ 1921.980207] [< inline >] prepare_exit_to_usermode 
arch/x86/entry/common.c:190
 [ 1921.980207] [] syscall_return_slowpath+0x1a0/0x1e0 
arch/x86/entry/common.c:259
 [ 1921.980207] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 88002f3fe080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88002f3fe100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88002f3fe180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
   ^
 88002f3fe200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88002f3fe280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Thanks && Best Regards,
Baozeng Ding


BUG: KASAN: use-after-free in udp_lib_get_port

2016-10-16 Thread Baozeng Ding
Hello all,
While running syzkaller fuzzer I have got the following use-after-free
bug in udp_lib_get_port. The kernel version is 4.8.0+ (on Oct 7 commit 
d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a 
reproducer for it.

BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr 
88000804cb60
Write of size 8 by task syz-executor/31190
CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 880015ac7a48 829f835b 880032b531c0 88000804cb40
 88000804d250 880017415a4a 880015ac7a70 8174d3cc
 880015ac7b00 88000804cb00 880032b531c0 880015ac7af0
Call Trace:
 [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [< inline >] print_address_description mm/kasan/report.c:194
 [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [< inline >] kasan_report mm/kasan/report.c:303
 [] __asan_report_store8_noabort+0x3e/0x40 
mm/kasan/report.c:329
 [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487
 [] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
 [] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
 [] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
 [] SYSC_bind+0x1ea/0x250 net/socket.c:1367
 [] SyS_bind+0x24/0x30 net/socket.c:1353
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at 88000804cb40, in cache UDPv6 size: 1496
Allocated:
PID = 30789
 [  378.305168] [] save_stack_trace+0x16/0x20
 [  378.305168] [] save_stack+0x46/0xd0
 [  378.305168] [] kasan_kmalloc+0xad/0xe0
 [  378.305168] [] kasan_slab_alloc+0x12/0x20
 [  378.305168] [< inline >] slab_post_alloc_hook mm/slab.h:417
 [  378.305168] [< inline >] slab_alloc_node mm/slub.c:2708
 [  378.305168] [< inline >] slab_alloc mm/slub.c:2716
 [  378.305168] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [  378.305168] [] sk_prot_alloc+0x69/0x2b0 
net/core/sock.c:1326
 [  378.305168] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [  378.305168] [] inet6_create+0x2d7/0x1000 
net/ipv6/af_inet6.c:182
 [  378.305168] [] __sock_create+0x37b/0x640 net/socket.c:1153
 [  378.305168] [< inline >] sock_create net/socket.c:1193
 [  378.305168] [< inline >] SYSC_socket net/socket.c:1223
 [  378.305168] [] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [  378.305168] [] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 30789
 [  378.305168] [] save_stack_trace+0x16/0x20
 [  378.305168] [] save_stack+0x46/0xd0
 [  378.305168] [] kasan_slab_free+0x71/0xb0
 [  378.305168] [< inline >] slab_free_hook mm/slub.c:1352
 [  378.305168] [< inline >] slab_free_freelist_hook mm/slub.c:1374
 [  378.305168] [< inline >] slab_free mm/slub.c:2951
 [  378.305168] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [  378.305168] [< inline >] sk_prot_free net/core/sock.c:1369
 [  378.305168] [] __sk_destruct+0x32b/0x4f0 
net/core/sock.c:1444
 [  378.305168] [] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [  378.305168] [] __sk_free+0x53/0x220 net/core/sock.c:1460
 [  378.305168] [] sk_free+0x23/0x30 net/core/sock.c:1471
 [  378.305168] [] sk_common_release+0x28c/0x3e0 
./include/net/sock.h:1589
 [  378.305168] [] udp_lib_close+0x15/0x20 
./include/net/udp.h:203
 [  378.305168] [] inet_release+0xed/0x1c0 
net/ipv4/af_inet.c:415
 [  378.305168] [] inet6_release+0x50/0x70 
net/ipv6/af_inet6.c:422
 [  378.305168] [] sock_release+0x8d/0x1d0 net/socket.c:570
 [  378.305168] [] sock_close+0x16/0x20 net/socket.c:1017
 [  378.305168] [] __fput+0x28c/0x780 fs/file_table.c:208
 [  378.305168] [] fput+0x15/0x20 fs/file_table.c:244
 [  378.305168] [] task_work_run+0xf9/0x170
 [  378.305168] [] do_exit+0x85e/0x2a00
 [  378.305168] [] do_group_exit+0x108/0x330
 [  378.376437] [] get_signal+0x617/0x17a0 
kernel/signal.c:2307
 [  378.376437] [] do_signal+0x7f/0x18f0
 [  378.376437] [] exit_to_usermode_loop+0xbf/0x150 
arch/x86/entry/common.c:156
 [  378.376437] [< inline >] prepare_exit_to_usermode 
arch/x86/entry/common.c:190
 [  378.376437] [] syscall_return_slowpath+0x1a0/0x1e0 
arch/x86/entry/common.c:259
 [  378.376437] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 88000804ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88000804ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
   ^
 88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88000804cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==========

Thanks && Best Regards,
Baozeng Ding


net/ipv6: potential deadlock in do_ipv6_setsockopt

2016-10-16 Thread Baozeng Ding
Hello,
While running syzkaller fuzzer I have got the following deadlock
report. The kernel version is 4.8.0+ (on Oct 7 commit 
d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a 
reproducer for it. 
===
[ INFO: possible circular locking dependency detected ]
4.8.0+ #39 Not tainted
---
syz-executor/21301 is trying to acquire lock:
 ([  165.136033] rtnl_mutex
[] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

but task is already holding lock:
 ([  165.136033] sk_lock-AF_INET6
[] do_ipv6_setsockopt.isra.7+0x1f1/0x2960

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

:
   [  165.136033] [] lock_acquire+0x1a8/0x380 
kernel/locking/lockdep.c:3746
   [  165.136033] [] lock_sock_nested+0xcb/0x120 
net/core/sock.c:2493
   [  165.136033] [] 
do_ipv6_setsockopt.isra.7+0x268/0x2960
   [  165.136033] [] ipv6_setsockopt+0x9b/0x140
   [  165.136033] [] udpv6_setsockopt+0x45/0x80 
net/ipv6/udp.c:1344
   [  165.136033] [] sock_common_setsockopt+0x95/0xd0 
net/core/sock.c:2688
   [  165.136033] [< inline >] SYSC_setsockopt net/socket.c:1742
   [  165.136033] [] SyS_setsockopt+0x158/0x240 
net/socket.c:1721
   [  165.136033] [] entry_SYSCALL_64_fastpath+0x23/0xc6

:
   [  165.136033] [< inline >] check_prev_add 
kernel/locking/lockdep.c:1829
   [  165.136033] [< inline >] check_prevs_add 
kernel/locking/lockdep.c:1939
   [  165.136033] [< inline >] validate_chain 
kernel/locking/lockdep.c:2266
   [  165.136033] [] __lock_acquire+0x35a9/0x4bc0 
kernel/locking/lockdep.c:3335
   [  165.136033] [] lock_acquire+0x1a8/0x380 
kernel/locking/lockdep.c:3746
   [  165.136033] [< inline >] __mutex_lock_common 
kernel/locking/mutex.c:521
   [  165.136033] [] mutex_lock_nested+0xb1/0x860 
kernel/locking/mutex.c:621
   [  165.136033] [] rtnl_lock+0x17/0x20 
net/core/rtnetlink.c:70
   [  165.136033] [] ipv6_sock_mc_close+0xfe/0x350 
net/ipv6/mcast.c:288
   [  165.136033] [] 
do_ipv6_setsockopt.isra.7+0x22fc/0x2960
   [  165.136033] [] ipv6_setsockopt+0x9b/0x140
   [  165.136033] [] udpv6_setsockopt+0x45/0x80 
net/ipv6/udp.c:1344
   [  165.136033] [] sock_common_setsockopt+0x95/0xd0 
net/core/sock.c:2688
   [  165.136033] [< inline >] SYSC_setsockopt net/socket.c:1742
   [  165.136033] [] SyS_setsockopt+0x158/0x240 
net/socket.c:1721
   [  165.136033] [] entry_SYSCALL_64_fastpath+0x23/0xc6
other info that might help us debug this:

 Possible unsafe locking scenario:

   CPU0CPU1
   
  lock([  165.136033] sk_lock-AF_INET6
);
   lock([  165.136033] rtnl_mutex
);
   lock([  165.136033] sk_lock-AF_INET6
);
  lock([  165.136033] rtnl_mutex
);

 *** DEADLOCK ***

1 lock held by syz-executor/21301:
 #0: [  165.136033]  (

stack backtrace:
CPU: 1 PID: 21301 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 880017217580 829f835b 88d65790 88d65790
 88dc6b70 880016f41fd8 8800172175d0 8141df18
 880016f41ffa dc00 8764c180 880016f41fd8
Call Trace:
 [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [] print_circular_bug+0x288/0x340 
kernel/locking/lockdep.c:1202
 [< inline >] check_prev_add kernel/locking/lockdep.c:1829
 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939
 [< inline >] validate_chain kernel/locking/lockdep.c:2266
 [] __lock_acquire+0x35a9/0x4bc0 kernel/locking/lockdep.c:3335
 [] lock_acquire+0x1a8/0x380 kernel/locking/lockdep.c:3746
 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521
 [] mutex_lock_nested+0xb1/0x860 kernel/locking/mutex.c:621
 [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 [] ipv6_sock_mc_close+0xfe/0x350 net/ipv6/mcast.c:288
 [] do_ipv6_setsockopt.isra.7+0x22fc/0x2960
 [] ipv6_setsockopt+0x9b/0x140
 [] udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1344
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2688
 [< inline >] SYSC_setsockopt net/socket.c:1742
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1721
 [] entry_SYSCALL_64_fastpath+0x23/0xc6

Thanks && Best Regards,
Baozeng Ding


Re: net/sctp: BUG: KASAN: stack-out-of-bounds in memcmp

2016-10-15 Thread Baozeng Ding
Hello Xin Long,

On 2016/10/14 19:13, Xin Long wrote:
> On Sat, Aug 20, 2016 at 3:51 PM, Baozeng Ding  wrote:
>> Hello all,
>> The following program triggers  stack-out-of-bounds in memcmp. The kernel 
>> version is 4.8.0-rc1+ (on Aug 13 commit 
>> 118253a593bd1c57de2d1193df1ccffe1abe745b). Thanks.
> ...
>>
>> #define _GNU_SOURCE
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>>
>> int main()
>> {
>> int fd;
>> mmap((void *)0x2000ul, 0xff2000ul, 0x3ul, 0x32ul, -1, 0x0ul);
>> fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
>> memcpy((void*)0x20f82f80, 
>> "\x0a\x00\xab\x12\x72\xd4\x19\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x85\xda\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>>  128);
>> bind(fd, (struct sockaddr*)0x20f82f80ul, 0x80ul);
>> *(uint64_t*)0x202e1fc8 = (uint64_t)0x20f77f80;
>> *(uint32_t*)0x202e1fd0 = (uint32_t)0x80;
>> *(uint64_t*)0x202e1fd8 = (uint64_t)0x20f7dfe0;
>> *(uint64_t*)0x202e1fe0 = (uint64_t)0x2;
>> *(uint64_t*)0x202e1fe8 = (uint64_t)0x20f77000;
>> *(uint64_t*)0x202e1ff0 = (uint64_t)0x3;
>> *(uint32_t*)0x202e1ff8 = (uint32_t)0x80;
>> memcpy((void*)0x20f77f80, 
>> "\x0a\x00\xab\x12\xb0\xb3\x20\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc2\xc2\x0b\xb2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>>  128);
>> *(uint64_t*)0x20f7dfe0 = (uint64_t)0x20f77fc5;
>> *(uint64_t*)0x20f7dfe8 = (uint64_t)0x3b;
>> *(uint64_t*)0x20f7dff0 = (uint64_t)0x20f77fac;
>> *(uint64_t*)0x20f7dff8 = (uint64_t)0x54;
>> memcpy((void*)0x20f77fc5, 
>> "\xa5\x7d\xf3\xc4\xfe\xd3\xfd\x44\x63\x00\x8c\x1e\x4c\x2e\x8d\x8d\x9a\x9c\x9c\x9d\x5b\x7c\xe1\x06\xf7\x15\x16\xed\x68\xd1\xfc\xf4\xa4\x3a\xe4\x69\x51\x16\x74\xf4\x1a\xcf\x0e\x99\xc3\xa3\x87\xe7\x81\x6c\x10\x78\x75\x17\x69\x9d\x11\x0c\xc7",
>>  59);
>> memcpy((void*)0x20f77fac, 
>> "\x86\x08\x89\x3c\xf3\x58\xea\xe7\x64\x6a\xfb\xb5\xe8\xdd\x5f\x69\xa5\xd4\xdc\xd9\xe7\x71\x95\x07\x78\x7b\x21\xda\x43\x9c\x62\x4d\xca\x64\xb5\x6e\x96\x55\xe9\x58\x76\x66\x1d\xb9\x7b\xe6\x20\xc1\xa9\xed\x70\xc1\x2b\x7c\x86\x8c\xba\x28\xb3\x2c\xb9\x64\xb7\x84\x65\x0d\x7f\xa6\x98\x6f\x49\xcb\x35\xad\x5a\xdf\x13\x75\x99\x57\x7e\xbb\x38\x89",
>>  84);
>> *(uint64_t*)0x20f77000 = (uint64_t)0x15;
>> *(uint32_t*)0x20f77008 = (uint32_t)0x1;
>> *(uint32_t*)0x20f7700c = (uint32_t)0xfffe;
>> *(uint8_t*)0x20f77010 = (uint8_t)0xbb;
>> *(uint8_t*)0x20f77011 = (uint8_t)0x2;
>> *(uint8_t*)0x20f77012 = (uint8_t)0x5;
>> *(uint8_t*)0x20f77013 = (uint8_t)0x2;
>> *(uint8_t*)0x20f77014 = (uint8_t)0x8000;
>> *(uint64_t*)0x20f77015 = (uint64_t)0x10;
>> *(uint32_t*)0x20f7701d = (uint32_t)0x;
>> *(uint32_t*)0x20f77021 = (uint32_t)0x1;
>> *(uint64_t*)0x20f77025 = (uint64_t)0x13;
>> *(uint32_t*)0x20f7702d = (uint32_t)0x6;
>> *(uint32_t*)0x20f77031 = (uint32_t)0xfe00;
>> *(uint8_t*)0x20f77035 = (uint8_t)0x8000;
>> *(uint8_t*)0x20f77036 = (uint8_t)0xfff8;
>> sendmmsg(fd, (struct mmsghdr *)0x202e1fc8ul, 0x1ul, 0x1ul);
>> return 0;
>> }
>>
> Hi, Baozeng, I couldn't reproduce this issue with this script,
> even in 118253a593bd1c57de2d1193df1ccffe1abe745b
> do I need to do some extra config for this ?
> 
You need config KASAN.
CONFIG_HAVE_ARCH_KASAN=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_KASAN_SHADOW_OFFSET=0xdc00

I just tested with b67be92feb486f800d80d72c67fd87b47b79b18e (Oct 12) and
it still exists. If you still cannot reproduce it, I will send the .config to 
you privately. Thanks.



BUG: net/ipv6: kernel memory leak in ip6_datagram_recv_specific_ctl

2016-10-12 Thread Baozeng Ding
Hi all,
The following program triggers a use-after-free in 
ip6_datagram_recv_specific_ctl, which may leak kernel memory. The
kernel version is 4.8.0+ (on the Oct 7 commit 
d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0).
==
BUG: KASAN: use-after-free in ip6_datagram_recv_specific_ctl+0x13f1/0x15c0 at 
addr 880029c84ec8
Read of size 1 by task poc/25548
Call Trace:
 [] dump_stack+0x12e/0x185 /lib/dump_stack.c:15
 [< inline >] print_address_description /mm/kasan/report.c:204
 [] kasan_report_error+0x48b/0x4b0 /mm/kasan/report.c:283
 [< inline >] kasan_report /mm/kasan/report.c:303
 [] __asan_report_load1_noabort+0x3e/0x40 
/mm/kasan/report.c:321
 [] ip6_datagram_recv_specific_ctl+0x13f1/0x15c0 
/net/ipv6/datagram.c:687
 [] ip6_datagram_recv_ctl+0x33/0x40
 [] do_ipv6_getsockopt.isra.4+0xaec/0x2150
 [] ipv6_getsockopt+0x116/0x230
 [] tcp_getsockopt+0x82/0xd0 /net/ipv4/tcp.c:3035
 [] sock_common_getsockopt+0x95/0xd0 /net/core/sock.c:2647
 [< inline >] SYSC_getsockopt /net/socket.c:1776
 [] SyS_getsockopt+0x142/0x230 /net/socket.c:1758
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 880029c84d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 880029c84e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> 880029c84e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ^
 880029c84f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 880029c84f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff


==
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

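/* IPv6 socket option numbers used below; the values match the Linux
 * <linux/in6.h> definitions.  The first line of the posted version had the
 * name and value fused into one token, which left IPV6_2292DSTOPTS undefined
 * at its use in main(). */
#define IPV6_2292DSTOPTS    4
#define IPV6_2292PKTOPTIONS 6
#define IPV6_FLOWINFO       11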


/*
 * Reproducer for the report above.  Sequence: map and fill a buffer, create
 * and bind an AF_INET6 TCP socket, enable IPV6_2292DSTOPTS and IPV6_FLOWINFO,
 * send one message with MSG_FASTOPEN that carries a control buffer, then read
 * IPV6_2292PKTOPTIONS back with getsockopt().  Only the return values of
 * sendmsg() and getsockopt() are checked, and fd is never closed (process
 * exit releases it).
 *
 * NOTE(review): other hex values in this archive have lost runs of zeros
 * (compare the kernel addresses quoted in the traces on this page), so the
 * literal addresses 0x2000 and 0x20012000 may not be the originals; confirm
 * against the original post before relying on them.
 */
int main()
{
  int fd;
  int i, r;                 /* i is never used */
  int opt = 1, len = 0;     /* len == 0 is the initial optlen for getsockopt() below */
  struct msghdr msg;
  struct sockaddr_in6 addr;
  int sub_addr[4];
  struct iovec iov;
  /* Build the address: only the last 32-bit word of the 128-bit IPv6 address
   * is non-zero; the port is stored as written, with no htons(). */
  memset(sub_addr, 0, sizeof(sub_addr));
  sub_addr[3] = 0x100;
  memcpy(&addr.sin6_addr, sub_addr, sizeof(sub_addr));
  addr.sin6_family = AF_INET6;
  addr.sin6_port = 0x10ab;
  addr.sin6_flowinfo = 0x1;
  addr.sin6_scope_id = 0;

  /* Fixed mapping filled with 'a'; it serves as both the data and the control
   * buffer of the sendmsg() below.  0x3 = PROT_READ|PROT_WRITE and
   * 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on Linux/x86.
   * NOTE(review): mmap() has six parameters; the three trailing zeros are
   * extra arguments and will not compile against a prototyped <sys/mman.h>. */
  mmap(0x2000ul, 0x1c000ul, 0x3ul, 0x32ul, -1, 0x0ul, 0, 0, 0);
  memset(0x2000, 'a', 0x1c000);
  fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  bind(fd, &addr, sizeof(addr));

  /* Both options are set to 1; optlen 4 matches sizeof(opt). */
  setsockopt(fd, IPPROTO_IPV6, IPV6_2292DSTOPTS, &opt, 4);
  setsockopt(fd, IPPROTO_IPV6, IPV6_FLOWINFO, &opt, 4);

  /* Reuse addr as the destination (msg_name) for a TCP Fast Open send on
   * the socket, which is bound but never connect()ed; data and control both
   * point at the 'a' mapping and are 0x100 bytes each. */
  addr.sin6_flowinfo = 0;
  addr.sin6_scope_id = 0;
  msg.msg_name = &addr;
  msg.msg_namelen = sizeof(addr);
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_iov->iov_base = 0x2000;
  msg.msg_iov->iov_len = 0x100;
  msg.msg_control = 0x2000;
  msg.msg_controllen = 0x100;
  msg.msg_flags = 0;
  r = sendmsg(fd, &msg, MSG_FASTOPEN);
  if (r < 0) {
  /* NOTE: prints the -1 return value, not errno, despite the label. */
  printf("sendmsg errno=%d\n", r);
  }

  /* Read the received packet options back.  optval is a raw address and
   * optlen starts at 0; &len is an int * where the prototype takes
   * socklen_t *. */
  r = getsockopt(fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, 0x20012000ul, &len);
  if (r < 0) printf("getsockopt error\n");
  return 0;
}

The following lines cause an out-of-bounds read, which may leak kernel memory 
through put_cmsg.
686   u8 *ptr = nh + opt->dst0; // Out-of-bounds when opt->dst0 is large.
687   put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);

I debugged using printk and got the following values of opt, which may 
help locate the root cause of the bug. Thanks.

[85564.842733] degug: opt->iif is 0xe111121c
[85564.842737] degug: opt->ra is 0x121c
[85564.842741] degug: opt->dst0 is 0xe111

Best Regards,
Baozeng Ding


net/sctp: BUG: KASAN: stack-out-of-bounds in memcmp

2016-08-20 Thread Baozeng Ding
0;
memcpy((void*)0x20f77f80, 
"\x0a\x00\xab\x12\xb0\xb3\x20\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc2\xc2\x0b\xb2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
 128);
*(uint64_t*)0x20f7dfe0 = (uint64_t)0x20f77fc5;
*(uint64_t*)0x20f7dfe8 = (uint64_t)0x3b;
*(uint64_t*)0x20f7dff0 = (uint64_t)0x20f77fac;
*(uint64_t*)0x20f7dff8 = (uint64_t)0x54;
memcpy((void*)0x20f77fc5, 
"\xa5\x7d\xf3\xc4\xfe\xd3\xfd\x44\x63\x00\x8c\x1e\x4c\x2e\x8d\x8d\x9a\x9c\x9c\x9d\x5b\x7c\xe1\x06\xf7\x15\x16\xed\x68\xd1\xfc\xf4\xa4\x3a\xe4\x69\x51\x16\x74\xf4\x1a\xcf\x0e\x99\xc3\xa3\x87\xe7\x81\x6c\x10\x78\x75\x17\x69\x9d\x11\x0c\xc7",
 59);
memcpy((void*)0x20f77fac, 
"\x86\x08\x89\x3c\xf3\x58\xea\xe7\x64\x6a\xfb\xb5\xe8\xdd\x5f\x69\xa5\xd4\xdc\xd9\xe7\x71\x95\x07\x78\x7b\x21\xda\x43\x9c\x62\x4d\xca\x64\xb5\x6e\x96\x55\xe9\x58\x76\x66\x1d\xb9\x7b\xe6\x20\xc1\xa9\xed\x70\xc1\x2b\x7c\x86\x8c\xba\x28\xb3\x2c\xb9\x64\xb7\x84\x65\x0d\x7f\xa6\x98\x6f\x49\xcb\x35\xad\x5a\xdf\x13\x75\x99\x57\x7e\xbb\x38\x89",
 84);
*(uint64_t*)0x20f77000 = (uint64_t)0x15;
*(uint32_t*)0x20f77008 = (uint32_t)0x1;
*(uint32_t*)0x20f7700c = (uint32_t)0xfffe;
*(uint8_t*)0x20f77010 = (uint8_t)0xbb;
*(uint8_t*)0x20f77011 = (uint8_t)0x2;
*(uint8_t*)0x20f77012 = (uint8_t)0x5;
*(uint8_t*)0x20f77013 = (uint8_t)0x2;
*(uint8_t*)0x20f77014 = (uint8_t)0x8000;
*(uint64_t*)0x20f77015 = (uint64_t)0x10;
*(uint32_t*)0x20f7701d = (uint32_t)0x;
*(uint32_t*)0x20f77021 = (uint32_t)0x1;
*(uint64_t*)0x20f77025 = (uint64_t)0x13;
*(uint32_t*)0x20f7702d = (uint32_t)0x6;
*(uint32_t*)0x20f77031 = (uint32_t)0xfe00;
    *(uint8_t*)0x20f77035 = (uint8_t)0x8000;
*(uint8_t*)0x20f77036 = (uint8_t)0xfff8;
sendmmsg(fd, (struct mmsghdr *)0x202e1fc8ul, 0x1ul, 0x1ul);
return 0;
}

Best Regards,
Baozeng Ding


[PATCH] tipc: fix potential null pointer dereference in the nla_data function

2016-06-09 Thread Baozeng Ding
Before calling nla_data(), make sure its argument is not NULL.
This fixes a potential NULL pointer dereference.

Signed-off-by: Baozeng Ding 
---
 net/tipc/netlink_compat.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index f795b1d..efbba26 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -356,6 +356,9 @@ static int tipc_nl_compat_bearer_dump(struct 
tipc_nl_compat_msg *msg,
if (err)
return err;
 
+   if (!bearer[TIPC_NLA_BEARER_NAME])
+   return -EINVAL;
+
return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
nla_data(bearer[TIPC_NLA_BEARER_NAME]),
nla_len(bearer[TIPC_NLA_BEARER_NAME]));
@@ -492,6 +495,9 @@ static int tipc_nl_compat_link_stat_dump(struct 
tipc_nl_compat_msg *msg,
if (err)
return err;
 
+   if (!link[TIPC_NLA_LINK_NAME])
+   return -EINVAL;
+
name = (char *)TLV_DATA(msg->req);
if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
return 0;
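Review bot: The added NULL check does not make the strcmp() on the line below safe, because nla_data(link[TIPC_NLA_LINK_NAME]) is the raw attribute payload and nothing here guarantees it is NUL-terminated, so the comparison can read past the attribute; the parse that fills link[] passes a NULL policy (visible in the v2 patch further down this page), so the core does not validate the string either. `if (nla_strcmp(link[TIPC_NLA_LINK_NAME], name) != 0)` bounds the comparison to nla_len(). `name` comes from the request TLV and appears to be trusted as a C string as well. The strcpy() in the next hunk (tipc_nl_compat_link_dump) trusts the same attribute the same way. tipc_nl_compat_link_stat_dump's body continues outside the hunk.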
@@ -602,6 +608,9 @@ static int tipc_nl_compat_link_dump(struct 
tipc_nl_compat_msg *msg,
if (err)
return err;
 
+   if (!link[TIPC_NLA_LINK_NAME])
+   return -EINVAL;
+
link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
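Review bot: The new NULL check leaves the strcpy() into link_info.str unbounded: the copy trusts both the attribute's length and its NUL termination, so an over-long TIPC_NLA_LINK_NAME can overrun link_info (a local, per the v2 patch on this page) and an unterminated one reads past the attribute. `nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME], sizeof(link_info.str));` copies at most nla_len() bytes and always terminates. tipc_nl_compat_link_dump's body continues outside the hunk.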
@@ -981,6 +990,9 @@ static int tipc_nl_compat_media_dump(struct 
tipc_nl_compat_msg *msg,
if (err)
return err;
 
+   if (!media[TIPC_NLA_MEDIA_NAME])
+   return -EINVAL;
+
return tipc_add_tlv(msg->rep, TIPC_TLV_MEDIA_NAME,
nla_data(media[TIPC_NLA_MEDIA_NAME]),
nla_len(media[TIPC_NLA_MEDIA_NAME]));
-- 
1.9.1


Re: BUG: net/netlink: KASAN: use-after-free in netlink_sock_destruct

2016-05-26 Thread Baozeng Ding


On 2016/5/26 23:06, Eric Dumazet wrote:
> On Thu, 2016-05-26 at 22:48 +0800, Baozeng Ding wrote:
>> Hi all,
>> I've got the following report use-after-free in netlink_sock_destruct while 
>> running syzkaller.
>> Unfortunately no reproducer.The kernel version is 4.6 (May 15, on commit 
>> 2dcd0af568b0cf583645c8a317dd12e344b1c72a). Thanks.
>>
>> ==
>> BUG: KASAN: use-after-free in kfree_skb+0x28c/0x310 at addr 880036c1179c
>> Read of size 4 by task syz-executor/21618
>> =
>> BUG skbuff_head_cache (Tainted: GW  ): kasan: bad access detected
>> -
>>
>> Disabling lock debugging due to kernel taint
>> INFO: Slab 0xeadb0400 objects=25 used=3 fp=0x880036c116c0 
>> flags=0x1fffc004080
>> INFO: Object 0x880036c11680 @offset=5760 fp=0x
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
>> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>>  0002 88006da07c40 8295f5f1 88003e0fc5c0
>>  880036c11680 eadb0400 880036c1 88006da07c70
>>  8171144d 88003e0fc5c0 eadb0400 880036c11680
>> Call Trace:
>>  [< inline >] __dump_stack /lib/dump_stack.c:15
>>  [] dump_stack+0xb3/0x112 /lib/dump_stack.c:51
>>  [] print_trailer+0x10d/0x190 /mm/slub.c:667
>>  [] object_err+0x2f/0x40 /mm/slub.c:674
>>  [< inline >] print_address_description /mm/kasan/report.c:179
>>  [] kasan_report_error+0x218/0x530 /mm/kasan/report.c:275
>>  [] ? debug_check_no_locks_freed+0x290/0x290 
>> /kernel/locking/lockdep.c:4212
>>  [< inline >] kasan_report /mm/kasan/report.c:297
>>  [] __asan_report_load4_noabort+0x3e/0x40 
>> /mm/kasan/report.c:317
>>  [< inline >] ? atomic_read /include/linux/compiler.h:222
>>  [] ? kfree_skb+0x28c/0x310 /net/core/skbuff.c:699
>>  [< inline >] atomic_read /include/linux/compiler.h:222
>>  [] kfree_skb+0x28c/0x310 /net/core/skbuff.c:699
>>  [] netlink_sock_destruct+0xeb/0x2b0 
>> /net/netlink/af_netlink.c:334
>>  [] ? __netlink_create+0x1d0/0x1d0 
>> /net/netlink/af_netlink.c:577
>>  [] sk_destruct+0x4a/0x4f0 /net/core/sock.c:1429
>>  [] __sk_free+0x57/0x200 /net/core/sock.c:1459
>>  [] sk_free+0x30/0x40 /net/core/sock.c:1470
>>  [< inline >] sock_put /include/net/sock.h:1506
>>  [] deferred_put_nlk_sk+0x34/0x40 
>> /net/netlink/af_netlink.c:652
>>  [< inline >] __rcu_reclaim /kernel/rcu/rcu.h:118
>>  [< inline >] rcu_do_batch /kernel/rcu/tree.c:2681
>>  [< inline >] invoke_rcu_callbacks /kernel/rcu/tree.c:2947
>>  [< inline >] __rcu_process_callbacks /kernel/rcu/tree.c:2914
>>  [] rcu_process_callbacks+0xa71/0x11d0 
>> /kernel/rcu/tree.c:2931
>>  [< inline >] ? __rcu_reclaim /kernel/rcu/rcu.h:108
>>  [< inline >] ? rcu_do_batch /kernel/rcu/tree.c:2681
>>  [< inline >] ? invoke_rcu_callbacks /kernel/rcu/tree.c:2947
>>  [< inline >] ? __rcu_process_callbacks /kernel/rcu/tree.c:2914
>>  [] ? rcu_process_callbacks+0xa1c/0x11d0 
>> /kernel/rcu/tree.c:2931
>>  [] ? __netlink_deliver_tap+0x7c0/0x7c0 
>> /net/netlink/af_netlink.c:204
>>  [] __do_softirq+0x22b/0x8da /kernel/softirq.c:273
>>  [< inline >] invoke_softirq /kernel/softirq.c:350
>>  [] irq_exit+0x15d/0x190 /kernel/softirq.c:391
>>  [< inline >] exiting_irq /./arch/x86/include/asm/apic.h:658
>>  [] smp_apic_timer_interrupt+0x7b/0xa0 
>> /arch/x86/kernel/apic/apic.c:932
>>  [] apic_timer_interrupt+0x8c/0xa0 
>> /arch/x86/entry/entry_64.S:454
>>  [< inline >] ? atomic_add_return 
>> /./arch/x86/include/asm/atomic.h:156
>>  [< inline >] ? kref_get /include/linux/kref.h:46
>>  [] ? klist_next+0x177/0x400 /lib/klist.c:393
>>  [< inline >] ? kref_get /include/linux/kref.h:46
>>  [] ? klist_next+0x168/0x400 /lib/klist.c:393
>>  [] class_dev_iter_next+0x8b/0xd0 /drivers/base/class.c:324
>>  [] ? tty_get_pgrp+0x80/0x80 /drivers/tty/tty_io.c:2525
>>  [] class_find_device+0x101/0x1c0 /drivers/base/class.c:428
>>  [] ? class_for_each_device+0x1d0/0x1d0 
>> /drivers/base/class.c:375
>>  [< inline >] tty_get_device /drivers/tty/tty_io.c:3139
>>  [] alloc_t

BUG: net/netlink: KASAN: use-after-free in netlink_sock_destruct

2016-05-26 Thread Baozeng Ding
Hi all,
I got the following use-after-free report in netlink_sock_destruct while 
running syzkaller.
Unfortunately there is no reproducer. The kernel version is 4.6 (May 15, on commit 
2dcd0af568b0cf583645c8a317dd12e344b1c72a). Thanks.

==
BUG: KASAN: use-after-free in kfree_skb+0x28c/0x310 at addr 880036c1179c
Read of size 4 by task syz-executor/21618
=
BUG skbuff_head_cache (Tainted: GW  ): kasan: bad access detected
-

Disabling lock debugging due to kernel taint
INFO: Slab 0xeadb0400 objects=25 used=3 fp=0x880036c116c0 
flags=0x1fffc004080
INFO: Object 0x880036c11680 @offset=5760 fp=0x
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 0002 88006da07c40 8295f5f1 88003e0fc5c0
 880036c11680 eadb0400 880036c1 88006da07c70
 8171144d 88003e0fc5c0 eadb0400 880036c11680
Call Trace:
 [< inline >] __dump_stack /lib/dump_stack.c:15
 [] dump_stack+0xb3/0x112 /lib/dump_stack.c:51
 [] print_trailer+0x10d/0x190 /mm/slub.c:667
 [] object_err+0x2f/0x40 /mm/slub.c:674
 [< inline >] print_address_description /mm/kasan/report.c:179
 [] kasan_report_error+0x218/0x530 /mm/kasan/report.c:275
 [] ? debug_check_no_locks_freed+0x290/0x290 
/kernel/locking/lockdep.c:4212
 [< inline >] kasan_report /mm/kasan/report.c:297
 [] __asan_report_load4_noabort+0x3e/0x40 
/mm/kasan/report.c:317
 [< inline >] ? atomic_read /include/linux/compiler.h:222
 [] ? kfree_skb+0x28c/0x310 /net/core/skbuff.c:699
 [< inline >] atomic_read /include/linux/compiler.h:222
 [] kfree_skb+0x28c/0x310 /net/core/skbuff.c:699
 [] netlink_sock_destruct+0xeb/0x2b0 
/net/netlink/af_netlink.c:334
 [] ? __netlink_create+0x1d0/0x1d0 
/net/netlink/af_netlink.c:577
 [] sk_destruct+0x4a/0x4f0 /net/core/sock.c:1429
 [] __sk_free+0x57/0x200 /net/core/sock.c:1459
 [] sk_free+0x30/0x40 /net/core/sock.c:1470
 [< inline >] sock_put /include/net/sock.h:1506
 [] deferred_put_nlk_sk+0x34/0x40 
/net/netlink/af_netlink.c:652
 [< inline >] __rcu_reclaim /kernel/rcu/rcu.h:118
 [< inline >] rcu_do_batch /kernel/rcu/tree.c:2681
 [< inline >] invoke_rcu_callbacks /kernel/rcu/tree.c:2947
 [< inline >] __rcu_process_callbacks /kernel/rcu/tree.c:2914
 [] rcu_process_callbacks+0xa71/0x11d0 /kernel/rcu/tree.c:2931
 [< inline >] ? __rcu_reclaim /kernel/rcu/rcu.h:108
 [< inline >] ? rcu_do_batch /kernel/rcu/tree.c:2681
 [< inline >] ? invoke_rcu_callbacks /kernel/rcu/tree.c:2947
 [< inline >] ? __rcu_process_callbacks /kernel/rcu/tree.c:2914
 [] ? rcu_process_callbacks+0xa1c/0x11d0 
/kernel/rcu/tree.c:2931
 [] ? __netlink_deliver_tap+0x7c0/0x7c0 
/net/netlink/af_netlink.c:204
 [] __do_softirq+0x22b/0x8da /kernel/softirq.c:273
 [< inline >] invoke_softirq /kernel/softirq.c:350
 [] irq_exit+0x15d/0x190 /kernel/softirq.c:391
 [< inline >] exiting_irq /./arch/x86/include/asm/apic.h:658
 [] smp_apic_timer_interrupt+0x7b/0xa0 
/arch/x86/kernel/apic/apic.c:932
 [] apic_timer_interrupt+0x8c/0xa0 
/arch/x86/entry/entry_64.S:454
 [< inline >] ? atomic_add_return /./arch/x86/include/asm/atomic.h:156
 [< inline >] ? kref_get /include/linux/kref.h:46
 [] ? klist_next+0x177/0x400 /lib/klist.c:393
 [< inline >] ? kref_get /include/linux/kref.h:46
 [] ? klist_next+0x168/0x400 /lib/klist.c:393
 [] class_dev_iter_next+0x8b/0xd0 /drivers/base/class.c:324
 [] ? tty_get_pgrp+0x80/0x80 /drivers/tty/tty_io.c:2525
 [] class_find_device+0x101/0x1c0 /drivers/base/class.c:428
 [] ? class_for_each_device+0x1d0/0x1d0 
/drivers/base/class.c:375
 [< inline >] tty_get_device /drivers/tty/tty_io.c:3139
 [] alloc_tty_struct+0x5fb/0x840 /drivers/tty/tty_io.c:3183
 [] ? do_SAK_work+0x20/0x20 /drivers/tty/tty_io.c:3112
 [] ? mutex_lock_interruptible_nested+0x980/0x980 ??:?
 [] tty_init_dev+0x78/0x4b0 /drivers/tty/tty_io.c:1532
 [< inline >] tty_open_by_driver /drivers/tty/tty_io.c:2065
 [] tty_open+0xd31/0x1050 /drivers/tty/tty_io.c:2113
 [] ? tty_init_dev+0x4b0/0x4b0 /drivers/tty/tty_io.c:1543
 [< inline >] ? spin_unlock /include/linux/spinlock.h:347
 [] ? chrdev_open+0xbf/0x4c0 /fs/char_dev.c:376
 [] ? tty_init_dev+0x4b0/0x4b0 /drivers/tty/tty_io.c:1543
 [] chrdev_open+0x22a/0x4c0 /fs/char_dev.c:388
 [] ? cdev_put+0x60/0x60 /fs/char_dev.c:338
 [] ? __fsnotify_parent+0x5e/0x2b0 /fs/notify/fsnotify.c:98
 [] ? security_file_open+0x89/0x190 /security/security.c:840
 [] do_dentry_open+0x6a2/0xcb0 /fs/open.c:736
 [] ? cdev_put+0x60/0x60 /fs/char_dev.c:338
 [] vfs_open+0x113/0x210 /fs/open.c:849
 [] ? may_open+0x1cd/0x260 /fs/namei.c:2776
 [< inline >] do_las

[PATCH net] ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr

2016-05-26 Thread Baozeng Ding
Fix a logic error to avoid a potential NULL pointer dereference.

Signed-off-by: Baozeng Ding 
---
 net/ieee802154/nl802154.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
index ca207db..116187b 100644
--- a/net/ieee802154/nl802154.c
+++ b/net/ieee802154/nl802154.c
@@ -1289,8 +1289,8 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla,
 nl802154_dev_addr_policy))
return -EINVAL;
 
-   if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] &&
-   !attrs[NL802154_DEV_ADDR_ATTR_MODE] &&
+   if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] ||
+   !attrs[NL802154_DEV_ADDR_ATTR_MODE] ||
!(attrs[NL802154_DEV_ADDR_ATTR_SHORT] ||
  attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]))
return -EINVAL;
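Review bot: Requiring only one of NL802154_DEV_ADDR_ATTR_SHORT or NL802154_DEV_ADDR_ATTR_EXTENDED does not tie the present attribute to NL802154_DEV_ADDR_ATTR_MODE, so a request whose mode selects the short address while only the extended attribute is present still passes this check. If the remainder of the function (outside the hunk) reads the address by mode, as the attribute names suggest, the NULL dereference the commit aims to fix is narrowed rather than closed; check the mode-specific attribute where it is read, e.g. `if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT]) return -EINVAL;` under the short-address case. The identical resend of this patch below needs the same change. ieee802154_llsec_parse_dev_addr's body continues outside the hunk.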
-- 
1.9.1


[PATCH net] ieee802154: fix logic error in, ieee802154_llsec_parse_dev_addr

2016-05-26 Thread Baozeng Ding
Fix a logic error to avoid a potential NULL pointer dereference.

Signed-off-by: Baozeng Ding 
---
 net/ieee802154/nl802154.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
index ca207db..116187b 100644
--- a/net/ieee802154/nl802154.c
+++ b/net/ieee802154/nl802154.c
@@ -1289,8 +1289,8 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla,
 nl802154_dev_addr_policy))
return -EINVAL;
 
-   if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] &&
-   !attrs[NL802154_DEV_ADDR_ATTR_MODE] &&
+   if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] ||
+   !attrs[NL802154_DEV_ADDR_ATTR_MODE] ||
!(attrs[NL802154_DEV_ADDR_ATTR_SHORT] ||
  attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]))
return -EINVAL;
-- 
1.9.1


[PATCH v2] tipc: fix potential null pointer dereferences in some compat functions

2016-05-24 Thread Baozeng Ding
Before calling the nla_parse_nested function, make sure the pointer to the
attribute is not null. This patch fixes several potential null pointer
dereference vulnerabilities in the tipc netlink functions.

Signed-off-by: Baozeng Ding 
---
v2: declare local variable as reverse christmas tree format and make the commit
log fit in 80 columns
---
 net/tipc/netlink_compat.c | 111 ++
 1 file changed, 93 insertions(+), 18 deletions(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index d7d050f..72a1c8f 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -346,9 +346,15 @@ static int tipc_nl_compat_bearer_dump(struct 
tipc_nl_compat_msg *msg,
  struct nlattr **attrs)
 {
struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];
+   int err;
+
+   if (!attrs[TIPC_NLA_BEARER])
+   return -EINVAL;
 
-   nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER],
-NULL);
+   err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX,
+  attrs[TIPC_NLA_BEARER], NULL);
+   if (err)
+   return err;
 
return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
nla_data(bearer[TIPC_NLA_BEARER_NAME]),
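Review bot: The new checks guard attrs[TIPC_NLA_BEARER] but not the nested attribute used immediately after them: bearer[TIPC_NLA_BEARER_NAME] is NULL whenever the nested message omits it, and nla_data()/nla_len() are then called on NULL in the tipc_add_tlv() call. Add `if (!bearer[TIPC_NLA_BEARER_NAME]) return -EINVAL;` after the err check; the strcmp() on link[TIPC_NLA_LINK_NAME] at the end of the link_stat_dump hunk has the same gap. nla_parse_nested() is also called with a NULL policy here and in the other hunks, so attribute types and lengths are not validated by the core; a policy for these nested attributes would reject malformed input before the dumps run. tipc_nl_compat_bearer_dump's tail continues outside the hunk.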
@@ -460,14 +466,31 @@ static int tipc_nl_compat_link_stat_dump(struct 
tipc_nl_compat_msg *msg,
struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
+   int err;
 
-   nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+   if (!attrs[TIPC_NLA_LINK])
+   return -EINVAL;
 
-   nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP],
-NULL);
+   err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK],
+  NULL);
+   if (err)
+   return err;
+
+   if (!link[TIPC_NLA_LINK_PROP])
+   return -EINVAL;
 
-   nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS],
-NULL);
+   err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX,
+  link[TIPC_NLA_LINK_PROP], NULL);
+   if (err)
+   return err;
+
+   if (!link[TIPC_NLA_LINK_STATS])
+   return -EINVAL;
+
+   err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX,
+  link[TIPC_NLA_LINK_STATS], NULL);
+   if (err)
+   return err;
 
name = (char *)TLV_DATA(msg->req);
if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
@@ -569,8 +592,15 @@ static int tipc_nl_compat_link_dump(struct 
tipc_nl_compat_msg *msg,
 {
struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
struct tipc_link_info link_info;
+   int err;
 
-   nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+   if (!attrs[TIPC_NLA_LINK])
+   return -EINVAL;
+
+   err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK],
+  NULL);
+   if (err)
+   return err;
 
link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
@@ -758,12 +788,23 @@ static int tipc_nl_compat_name_table_dump(struct 
tipc_nl_compat_msg *msg,
u32 node, depth, type, lowbound, upbound;
static const char * const scope_str[] = {"", " zone", " cluster",
 " node"};
+   int err;
 
-   nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
-attrs[TIPC_NLA_NAME_TABLE], NULL);
+   if (!attrs[TIPC_NLA_NAME_TABLE])
+   return -EINVAL;
 
-   nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL],
-NULL);
+   err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
+  attrs[TIPC_NLA_NAME_TABLE], NULL);
+   if (err)
+   return err;
+
+   if (!nt[TIPC_NLA_NAME_TABLE_PUBL])
+   return -EINVAL;
+
+   err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX,
+  nt[TIPC_NLA_NAME_TABLE_PUBL], NULL);
+   if (err)
+   return err;
 
ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
 
@@ -815,8 +856,15 @@ static int __tipc_nl_compat_publ_dump(struct 
tipc_nl_compat_msg *msg,
 {
u32 type, lower, upper;
struct nlattr *publ[TIPC_NLA_PUBL_MAX + 1];
+   int err;
 
-   nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL], NULL);
+   if (!attrs[TIPC_NLA_PUBL])
+   return -EINVAL;
+
+   err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL],
+  N

[PATCH net] tipc: fix potential null-ptr dereference bugs in netlink compat functions

2016-05-21 Thread Baozeng Ding
Before calling the nla_parse_nested function, its third argument should be
checked to make sure it is not null. This patch fixes several potential
null pointer dereference vulnerabilities in the tipc netlink functions.

Signed-off-by: Baozeng Ding 
---
 net/tipc/netlink_compat.c | 111 ++
 1 file changed, 93 insertions(+), 18 deletions(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 4dfc5c1..1e18b78 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -345,10 +345,16 @@ static int tipc_nl_compat_doit(struct 
tipc_nl_compat_cmd_doit *cmd,
 static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg,
  struct nlattr **attrs)
 {
+   int err;
struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];
 
-   nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER],
-NULL);
+   if (!attrs[TIPC_NLA_BEARER])
+   return -EINVAL;
+
+   err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX,
+  attrs[TIPC_NLA_BEARER], NULL);
+   if (err)
+   return err;
 
return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
nla_data(bearer[TIPC_NLA_BEARER_NAME]),
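Review bot: The new `int err;` is placed above the longer `struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];`, while netdev convention orders local declarations longest first (reverse christmas tree); move `err` below the array. The same ordering applies to the link_stat_dump, link_dump and name_table_dump hunks below. Independently of style, bearer[TIPC_NLA_BEARER_NAME] is still passed to nla_data()/nla_len() without a NULL check right after the new err test. tipc_nl_compat_bearer_dump's tail continues outside the hunk.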
@@ -456,18 +462,35 @@ static void __fill_bc_link_stat(struct tipc_nl_compat_msg 
*msg,
 static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
 struct nlattr **attrs)
 {
+   int err;
char *name;
struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
 
-   nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+   if (!attrs[TIPC_NLA_LINK])
+   return -EINVAL;
 
-   nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP],
-NULL);
+   err = nla_parse_nested(link, TIPC_NLA_LINK_MAX,
+  attrs[TIPC_NLA_LINK], NULL);
+   if (err)
+   return err;
+
+   if (!link[TIPC_NLA_LINK_PROP])
+   return -EINVAL;
 
-   nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS],
-NULL);
+   err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX,
+  link[TIPC_NLA_LINK_PROP], NULL);
+   if (err)
+   return err;
+
+   if (!link[TIPC_NLA_LINK_STATS])
+   return -EINVAL;
+
+   err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX,
+  link[TIPC_NLA_LINK_STATS], NULL);
+   if (err)
+   return err;
 
name = (char *)TLV_DATA(msg->req);
if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
@@ -567,10 +590,17 @@ static int tipc_nl_compat_link_stat_dump(struct 
tipc_nl_compat_msg *msg,
 static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
struct nlattr **attrs)
 {
+   int err;
struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
struct tipc_link_info link_info;
 
-   nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+   if (!attrs[TIPC_NLA_LINK])
+   return -EINVAL;
+
+   err = nla_parse_nested(link, TIPC_NLA_LINK_MAX,
+  attrs[TIPC_NLA_LINK], NULL);
+   if (err)
+   return err;
 
link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
@@ -751,6 +781,7 @@ static int tipc_nl_compat_name_table_dump_header(struct 
tipc_nl_compat_msg *msg)
 static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
  struct nlattr **attrs)
 {
+   int err;
char port_str[27];
struct tipc_name_table_query *ntq;
struct nlattr *nt[TIPC_NLA_NAME_TABLE_MAX + 1];
@@ -759,11 +790,21 @@ static int tipc_nl_compat_name_table_dump(struct 
tipc_nl_compat_msg *msg,
static const char * const scope_str[] = {"", " zone", " cluster",
 " node"};
 
-   nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
-attrs[TIPC_NLA_NAME_TABLE], NULL);
+   if (!attrs[TIPC_NLA_NAME_TABLE])
+   return -EINVAL;
 
-   nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL],
-NULL);
+   err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
+  attrs[TIPC_NLA_NAME_TABLE], NULL);
+   if (err)
+   return err;
+
+   if (!nt[TIPC_NLA_NAME_TABLE_PUBL])
+   return -EINVAL;
+
+   err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX,
+  nt[TIPC_NLA_NAME_TABLE_PUBL], NULL

[PATCH net] tipc: fix potential null pointer dereference in some compat, functions

2016-05-21 Thread Baozeng Ding
Before calling the nla_parse_nested function, make sure the pointer to
the attribute is not null. This patch fixes several potential null
pointer dereference vulnerabilities in the tipc netlink functions.

Signed-off-by: Baozeng Ding 
---
 net/tipc/netlink_compat.c | 111 ++
 1 file changed, 93 insertions(+), 18 deletions(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 4dfc5c1..1e18b78 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -345,10 +345,16 @@ static int tipc_nl_compat_doit(struct 
tipc_nl_compat_cmd_doit *cmd,
 static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg,
  struct nlattr **attrs)
 {
+   int err;
struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];
 
-   nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER],
-NULL);
+   if (!attrs[TIPC_NLA_BEARER])
+   return -EINVAL;
+
+   err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX,
+  attrs[TIPC_NLA_BEARER], NULL);
+   if (err)
+   return err;
 
return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
nla_data(bearer[TIPC_NLA_BEARER_NAME]),
@@ -456,18 +462,35 @@ static void __fill_bc_link_stat(struct tipc_nl_compat_msg 
*msg,
 static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
 struct nlattr **attrs)
 {
+   int err;
char *name;
struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
 
-   nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+   if (!attrs[TIPC_NLA_LINK])
+   return -EINVAL;
 
-   nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP],
-NULL);
+   err = nla_parse_nested(link, TIPC_NLA_LINK_MAX,
+  attrs[TIPC_NLA_LINK], NULL);
+   if (err)
+   return err;
+
+   if (!link[TIPC_NLA_LINK_PROP])
+   return -EINVAL;
 
-   nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS],
-NULL);
+   err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX,
+  link[TIPC_NLA_LINK_PROP], NULL);
+   if (err)
+   return err;
+
+   if (!link[TIPC_NLA_LINK_STATS])
+   return -EINVAL;
+
+   err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX,
+  link[TIPC_NLA_LINK_STATS], NULL);
+   if (err)
+   return err;
 
name = (char *)TLV_DATA(msg->req);
if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
@@ -567,10 +590,17 @@ static int tipc_nl_compat_link_stat_dump(struct 
tipc_nl_compat_msg *msg,
 static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
struct nlattr **attrs)
 {
+   int err;
struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
struct tipc_link_info link_info;
 
-   nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+   if (!attrs[TIPC_NLA_LINK])
+   return -EINVAL;
+
+   err = nla_parse_nested(link, TIPC_NLA_LINK_MAX,
+  attrs[TIPC_NLA_LINK], NULL);
+   if (err)
+   return err;
 
link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
@@ -751,6 +781,7 @@ static int tipc_nl_compat_name_table_dump_header(struct 
tipc_nl_compat_msg *msg)
 static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
  struct nlattr **attrs)
 {
+   int err;
char port_str[27];
struct tipc_name_table_query *ntq;
struct nlattr *nt[TIPC_NLA_NAME_TABLE_MAX + 1];
@@ -759,11 +790,21 @@ static int tipc_nl_compat_name_table_dump(struct 
tipc_nl_compat_msg *msg,
static const char * const scope_str[] = {"", " zone", " cluster",
 " node"};
 
-   nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
-attrs[TIPC_NLA_NAME_TABLE], NULL);
+   if (!attrs[TIPC_NLA_NAME_TABLE])
+   return -EINVAL;
 
-   nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL],
-NULL);
+   err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
+  attrs[TIPC_NLA_NAME_TABLE], NULL);
+   if (err)
+   return err;
+
+   if (!nt[TIPC_NLA_NAME_TABLE_PUBL])
+   return -EINVAL;
+
+   err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX,
+  nt[TIPC_NLA_NAME_TABLE_PUBL], NULL);
+   if (

[PATCH] net/tipc: fix potential null pointer dereference in several tipc netlink compat functions

2016-05-21 Thread Baozeng Ding

Before calling the nla_parse_nested function, its third argument should be
checked to make sure it is not null. This patch fixes several potential
null pointer dereference vulnerabilities in the tipc netlink functions.

Signed-off-by: Baozeng Ding 
---
 net/tipc/netlink_compat.c | 111 
++

 1 file changed, 93 insertions(+), 18 deletions(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 4dfc5c1..959e989 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -345,10 +345,16 @@ static int tipc_nl_compat_doit(struct 
tipc_nl_compat_cmd_doit *cmd,

 static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg,
   struct nlattr **attrs)
 {
+int err;
 struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];

-nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER],
- NULL);
+if (!attrs[TIPC_NLA_BEARER])
+return -EINVAL;
+
+err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX,
+   attrs[TIPC_NLA_BEARER], NULL);
+if (err)
+return err;

 return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
 nla_data(bearer[TIPC_NLA_BEARER_NAME]),
@@ -456,18 +462,35 @@ static void __fill_bc_link_stat(struct 
tipc_nl_compat_msg *msg,

 static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
  struct nlattr **attrs)
 {
+int err;
 char *name;
 struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
 struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
 struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];

-nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+if (!attrs[TIPC_NLA_LINK])
+return -EINVAL;

-nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP],
- NULL);
+err = nla_parse_nested(link, TIPC_NLA_LINK_MAX,
+   attrs[TIPC_NLA_LINK], NULL);
+if (err)
+return err;
+
+if (!link[TIPC_NLA_LINK_PROP])
+return -EINVAL;

-nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS],
- NULL);
+err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX,
+   link[TIPC_NLA_LINK_PROP], NULL);
+if (err)
+return err;
+
+if (!link[TIPC_NLA_LINK_STATS])
+return -EINVAL;
+
+err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX,
+   link[TIPC_NLA_LINK_STATS], NULL);
+if (err)
+return err;

 name = (char *)TLV_DATA(msg->req);
 if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
@@ -567,10 +590,17 @@ static int tipc_nl_compat_link_stat_dump(struct 
tipc_nl_compat_msg *msg,

 static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 struct nlattr **attrs)
 {
+int err;
 struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
 struct tipc_link_info link_info;

-nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+if (!attrs[TIPC_NLA_LINK])
+return -EINVAL;
+
+err = nla_parse_nested(link, TIPC_NLA_LINK_MAX,
+   attrs[TIPC_NLA_LINK], NULL);
+if (err)
+return err;

 link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
@@ -751,6 +781,7 @@ static int 
tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)

 static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
   struct nlattr **attrs)
 {
+int err;
 char port_str[27];
 struct tipc_name_table_query *ntq;
 struct nlattr *nt[TIPC_NLA_NAME_TABLE_MAX + 1];
@@ -759,11 +790,21 @@ static int tipc_nl_compat_name_table_dump(struct 
tipc_nl_compat_msg *msg,

 static const char * const scope_str[] = {"", " zone", " cluster",
  " node"};

-nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
- attrs[TIPC_NLA_NAME_TABLE], NULL);
+if (!attrs[TIPC_NLA_NAME_TABLE])
+return -EINVAL;

-nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL],
- NULL);
+err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
+   attrs[TIPC_NLA_NAME_TABLE], NULL);
+if (err)
+return err;
+
+if (!attrs[TIPC_NLA_NAME_TABLE])
+return -EINVAL;
+
+err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX,
+   nt[TIPC_NLA_NAME_TABLE_PUBL], NULL);
+if (err)
+return err;

 ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);

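Review bot: The second presence check in this hunk, `+if (!attrs[TIPC_NLA_NAME_TABLE])`, re-tests an attribute that was already verified a few lines earlier, while the nla_parse_nested() call that immediately follows dereferences nt[TIPC_NLA_NAME_TABLE_PUBL], which is never checked — so the NULL dereference this patch targets is still reachable through a name-table nest that carries no publication attribute. The line should read `if (!nt[TIPC_NLA_NAME_TABLE_PUBL])`; the two other copies of this patch on this page carry that corrected check. tipc_nl_compat_name_table_dump starts before this hunk and continues after it.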
@@ -813,10 +854,17 @@ out:
 static int __tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg,
   struct nlattr **attrs)
 {
+int err;
 u32 type, lower, upper;
 struct nlattr *publ[TIPC_NLA_PUBL_MAX + 1];

-nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL], NULL);
+if (!attrs[TIPC_NLA_PUBL])
+r

BUG: net/ipv4: KASAN: use-after-free in tcp_sendmsg

2016-05-15 Thread Baozeng Ding
 around the buggy address:
 880038027880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 880038027900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>880038027980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
       ^
 880038027a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880038027a80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==


Best Regards,
Baozeng Ding


BUG: net/ipv4: KASAN: use-after-free in tcp_v4_rcv

2016-05-15 Thread Baozeng Ding
nal+0x1b5/0x390 
net/core/dev.c:4226

 [< inline >] ? __net_timestamp include/linux/skbuff.h:3099
 [] ? netif_receive_skb_internal+0x14a/0x390 
net/core/dev.c:4207

 [] ? dev_cpu_callback+0x690/0x690 net/core/dev.c:7755
 [] ? dev_gro_receive+0x1d9/0x16f0 net/core/dev.c:4514
 [< inline >] ? skb_is_gso include/linux/skbuff.h:3648
 [] ? dev_gro_receive+0x665/0x16f0 net/core/dev.c:4426
 [] ? kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482
 [< inline >] ? trace_kmem_cache_alloc 
include/trace/events/kmem.h:53

 [] ? kmem_cache_alloc+0x1f9/0x2f0 mm/slub.c:2587
 [] ? eth_type_trans+0x2a0/0x5b0 net/ethernet/eth.c:186
 [< inline >] napi_skb_finish net/core/dev.c:4553
 [] napi_gro_receive+0x2c2/0x480 net/core/dev.c:4585
 [< inline >] e1000_receive_skb 
drivers/net/ethernet/intel/e1000/e1000_main.c:4035
 [] e1000_clean_rx_irq+0x440/0x1110 
drivers/net/ethernet/intel/e1000/e1000_main.c:4491
 [] ? e1000_enter_82542_rst+0x260/0x260 
drivers/net/ethernet/intel/e1000/e1000_main.c:2148
 [] e1000_clean+0xa08/0x24a0 
drivers/net/ethernet/intel/e1000/e1000_main.c:3836
 [] ? check_preempt_wakeup+0x3c9/0xa70 
kernel/sched/fair.c:5411
 [] ? 
e1000_unmap_and_free_tx_resource.isra.46+0x3e0/0x3e0 
drivers/net/ethernet/intel/e1000/e1000_main.c:1972
 [] ? trace_hardirqs_off+0xd/0x10 
kernel/locking/lockdep.c:2772
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/locking/lockdep.c:4212

 [< inline >] napi_poll net/core/dev.c:5087
 [] net_rx_action+0x751/0xd80 net/core/dev.c:5152
 [] ? add_interrupt_randomness+0x2bc/0x570 
drivers/char/random.c:922
 [] ? sk_busy_loop+0x1130/0x1130 
include/trace/events/napi.h:13

 [] ? handle_irq_event+0xb2/0x140 kernel/irq/handle.c:194
 [< inline >] ? apic_eoi ./arch/x86/include/asm/apic.h:402
 [< inline >] ? ack_APIC_irq ./arch/x86/include/asm/apic.h:446
 [] ? ioapic_ack_level+0x165/0x450 
arch/x86/kernel/apic/io_apic.c:1814

 [< inline >] ? invoke_softirq kernel/softirq.c:350
 [] ? irq_exit+0x15d/0x190 kernel/softirq.c:391
 [] __do_softirq+0x22b/0x8da kernel/softirq.c:273
 [< inline >] invoke_softirq kernel/softirq.c:350
 [] irq_exit+0x15d/0x190 kernel/softirq.c:391
 [< inline >] exiting_irq ./arch/x86/include/asm/apic.h:658
 [] do_IRQ+0x86/0x1a0 arch/x86/kernel/irq.c:252
 [] common_interrupt+0x8c/0x8c 
arch/x86/entry/entry_64.S:454

 [< inline >] ? copy_pte_range mm/memory.c:945
 [< inline >] ? copy_pmd_range mm/memory.c:1003
 [< inline >] ? copy_pud_range mm/memory.c:1025
 [] ? copy_page_range+0xa69/0x19d0 mm/memory.c:1087
 [< inline >] ? copy_pte_range mm/memory.c:945
 [< inline >] ? copy_pmd_range mm/memory.c:1003
 [< inline >] ? copy_pud_range mm/memory.c:1025
 [] ? copy_page_range+0xa4a/0x19d0 mm/memory.c:1087
 [< inline >] ? rb_insert_augmented 
include/linux/rbtree_augmented.h:60
 [< inline >] ? __anon_vma_interval_tree_insert 
mm/interval_tree.c:72
 [] ? anon_vma_interval_tree_insert+0x233/0x2d0 
mm/interval_tree.c:83

 [] ? vm_iomap_memory+0x130/0x130 mm/memory.c:1836
 [< inline >] ? vma_rb_insert include/linux/rbtree_augmented.h:60
 [] ? __vma_link_rb+0x445/0x5d0 mm/mmap.c:531
 [< inline >] dup_mmap kernel/fork.c:513
 [< inline >] dup_mm kernel/fork.c:937
 [< inline >] copy_mm kernel/fork.c:991
 [] copy_process.part.37+0x468d/0x5a50 kernel/fork.c:1456
 [] ? __cleanup_sighand+0x50/0x50 kernel/fork.c:1105
 [< inline >] copy_process kernel/fork.c:1282
 [] _do_fork+0x1a9/0xcd0 kernel/fork.c:1731
 [] ? fork_idle+0x110/0x110 include/linux/list.h:601
 [] ? __fsnotify_parent+0x5e/0x2b0 
fs/notify/fsnotify.c:98

 [< inline >] ? inc_syscr include/linux/sched.h:3178
 [] ? vfs_read+0x223/0x310 fs/read_write.c:499
 [< inline >] SYSC_clone kernel/fork.c:1840
 [] SyS_clone+0x37/0x50 kernel/fork.c:1834
 [] ? ptregs_sys_rt_sigreturn+0x10/0x10 
arch/x86/include/generated/asm/syscalls_64.h:16

 [] do_syscall_64+0x1ad/0x4b0 arch/x86/entry/common.c:350
 [] ? sys_vfork+0x30/0x30 kernel/fork.c:1813
 [] entry_SYSCALL64_slow_path+0x25/0x25 
arch/x86/entry/entry_64.S:248

Memory state around the buggy address:
 880038027880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 880038027900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

880038027980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb

   ^
 880038027a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880038027a80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==


Best Regards,
Baozeng Ding


BUG: use-after-free in netlink_dump

2016-05-15 Thread Baozeng Ding
sg_nosec net/socket.c:612
 [] ? ___sys_sendmsg+0x860/0x860 net/socket.c:1943
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:922
 [] ? __fget+0x20c/0x3b0 fs/file.c:712
 [< inline >] ? rcu_lock_release include/linux/rcupdate.h:491
 [< inline >] ? rcu_read_unlock include/linux/rcupdate.h:926
 [] ? __fget+0x235/0x3b0 fs/file.c:712
 [] ? __fget+0x47/0x3b0 fs/file.c:696
 [] ? __fget_light+0xa1/0x1f0 fs/file.c:759
 [] ? __fdget+0x18/0x20 fs/file.c:764
 [] ? sockfd_lookup_light+0xf8/0x1f0 net/socket.c:463
 [] __sys_recvmsg+0xce/0x170 net/socket.c:2150
 [] ? SyS_sendmmsg+0x60/0x60 net/socket.c:2064
 [< inline >] SYSC_recvmsg net/socket.c:2162
 [] SyS_recvmsg+0x2d/0x50 net/socket.c:2157
 [] entry_SYSCALL_64_fastpath+0x23/0xc1 
arch/x86/entry/entry_64.S:207

Memory state around the buggy address:
 880036ae7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 880036ae7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>880036ae7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ^
 880036ae7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880036ae7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

Best Regards,
Baozeng Ding


Re: BUG: net/tipc: NULL-ptr dereference in tipc_nl_publ_dump

2016-05-14 Thread Baozeng Ding



On 2016/5/15 1:13, Eric Dumazet wrote:

On Sat, 2016-05-14 at 23:22 +0800, Baozeng Ding wrote:

Hello all,
The following program triggers NULL-ptr dereference in
tipc_nl_publ_dump. The kernel version is 4.6.0-rc7+ (on May 13 commit
1410b74e4061e05a5d2bffb1f99829efce27c8a9). Thanks.
--
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory
access
general protection fault:  [#1] SMP KASAN
Modules linked in:
CPU: 2 PID: 1346 Comm: syz-executor Not tainted 4.6.0-rc7+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: 88001eb1dd40 ti: 88001bd98000 task.ti: 88001bd98000
RIP: 0010:[]  []
tipc_nl_publ_dump+0xa39/0xdf0
RSP: 0018:88001bd9f428  EFLAGS: 00010246
RAX: dc00 RBX: 88003562efc0 RCX: c900012c7000
RDX:  RSI: 880036215d98 RDI: 8800196fda98
RBP: 88001bd9f678 R08: 0001 R09: 
R10: ed00032dfb5a R11: 11131255 R12: 
R13: 88002d0f8040 R14:  R15: 88002ea220a8
FS:  7f0b7c70f700() GS:88003620() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 20b5d7f2 CR3: 301fe000 CR4: 06e0
Stack:
    88002ea22100 88002ea220f8 88002ea220f0
   1bd9f520 1100037b3e92 88002ea220b0 88001bd9f498
   815bcc6e 880036223e40 88002fd60008 
Call Trace:
   [] genl_lock_dumpit+0x68/0x90
net/netlink/genetlink.c:517
   [] netlink_dump+0x36a/0xa40
net/netlink/af_netlink.c:2108
   [] __netlink_dump_start+0x4e9/0x760
net/netlink/af_netlink.c:2196
   [] genl_family_rcv_msg+0xa91/0xc30
net/netlink/genetlink.c:584
   [] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:658
   [] netlink_rcv_skb+0x29c/0x390
net/netlink/af_netlink.c:2277
   [] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669
   [< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
   [] netlink_unicast+0x5a2/0x890
net/netlink/af_netlink.c:1240
   [] netlink_sendmsg+0x981/0xcb0
net/netlink/af_netlink.c:1786
   [< inline >] sock_sendmsg_nosec net/socket.c:612
   [] sock_sendmsg+0xca/0x110 net/socket.c:622
   [] ___sys_sendmsg+0x728/0x860 net/socket.c:1946
   [] __sys_sendmsg+0xd1/0x170 net/socket.c:1980
   [< inline >] SYSC_sendmsg net/socket.c:1991
   [] SyS_sendmsg+0x2d/0x50 net/socket.c:1987
   [] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
Code: df 49 8d 7e 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 df 01 00 00
4d 8b 76 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6
14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RIP  [] tipc_nl_publ_dump+0xa39/0xdf0
net/tipc/socket.c:2810
   RSP 
---[ end trace e8355fded2057a4f ]---

Probable fix :

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 3eeb50a27b89..5f80d3fa9c85 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct 
netlink_callback *cb)
if (err)
return err;
  
+		if (!attrs[TIPC_NLA_SOCK])

+   return -EINVAL;
+
err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
   attrs[TIPC_NLA_SOCK],
   tipc_nl_sock_policy);


Yes. I tested with the patch. It works. Thanks.



BUG: net/tipc: NULL-ptr dereference in tipc_nl_publ_dump

2016-05-14 Thread Baozeng Ding

Hello all,
The following program triggers NULL-ptr dereference in 
tipc_nl_publ_dump. The kernel version is 4.6.0-rc7+ (on May 13 commit

1410b74e4061e05a5d2bffb1f99829efce27c8a9). Thanks.
--
netlink: 1 bytes leftover after parsing attributes in process 
`syz-executor'.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory
access
general protection fault:  [#1] SMP KASAN

Modules linked in:
CPU: 2 PID: 1346 Comm: syz-executor Not tainted 4.6.0-rc7+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014

task: 88001eb1dd40 ti: 88001bd98000 task.ti: 88001bd98000
RIP: 0010:[]  [] 
tipc_nl_publ_dump+0xa39/0xdf0

RSP: 0018:88001bd9f428  EFLAGS: 00010246
RAX: dc00 RBX: 88003562efc0 RCX: c900012c7000
RDX:  RSI: 880036215d98 RDI: 8800196fda98
RBP: 88001bd9f678 R08: 0001 R09: 
R10: ed00032dfb5a R11: 11131255 R12: 
R13: 88002d0f8040 R14:  R15: 88002ea220a8
FS:  7f0b7c70f700() GS:88003620() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 20b5d7f2 CR3: 301fe000 CR4: 06e0
Stack:
  88002ea22100 88002ea220f8 88002ea220f0
 1bd9f520 1100037b3e92 88002ea220b0 88001bd9f498
 815bcc6e 880036223e40 88002fd60008 
Call Trace:
 [] genl_lock_dumpit+0x68/0x90 
net/netlink/genetlink.c:517
 [] netlink_dump+0x36a/0xa40 
net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4e9/0x760 
net/netlink/af_netlink.c:2196
 [] genl_family_rcv_msg+0xa91/0xc30 
net/netlink/genetlink.c:584

 [] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:658
 [] netlink_rcv_skb+0x29c/0x390 
net/netlink/af_netlink.c:2277

 [] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669
 [< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
 [] netlink_unicast+0x5a2/0x890 
net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x981/0xcb0 
net/netlink/af_netlink.c:1786

 [< inline >] sock_sendmsg_nosec net/socket.c:612
 [] sock_sendmsg+0xca/0x110 net/socket.c:622
 [] ___sys_sendmsg+0x728/0x860 net/socket.c:1946
 [] __sys_sendmsg+0xd1/0x170 net/socket.c:1980
 [< inline >] SYSC_sendmsg net/socket.c:1991
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:1987
 [] entry_SYSCALL_64_fastpath+0x23/0xc1 
arch/x86/entry/entry_64.S:207
Code: df 49 8d 7e 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 df 01 00 00 
4d 8b 76 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 
14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RIP  [] tipc_nl_publ_dump+0xa39/0xdf0 
net/tipc/socket.c:2810

 RSP 
---[ end trace e8355fded2057a4f ]---

#include 
#include 
#include 
#include 
#include 
#include 

int main()
{
mmap((void *)0x2000ul, 0xd7f000ul, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);

int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
*(uint64_t*)0x2363 = (uint64_t)0x0;
*(uint32_t*)0x236b = (uint32_t)0x0;
*(uint64_t*)0x2373 = (uint64_t)0x20001ff0;
*(uint64_t*)0x237b = (uint64_t)0x1;
*(uint64_t*)0x2383 = (uint64_t)0x20aab000;
*(uint64_t*)0x238b = (uint64_t)0x5;
*(uint32_t*)0x2393 = (uint32_t)0x81;
*(uint64_t*)0x20001ff0 = (uint64_t)0x20001000;
*(uint64_t*)0x20001ff8 = (uint64_t)0x3e;
*(uint32_t*)0x20001000 = (uint32_t)0x15;
*(uint16_t*)0x20001004 = (uint16_t)0x22;
*(uint16_t*)0x20001006 = (uint16_t)0x71b;
*(uint32_t*)0x20001008 = (uint32_t)0x2;
*(uint32_t*)0x2000100c = (uint32_t)0x2;
*(uint8_t*)0x20001010 = (uint8_t)0x7;
*(uint8_t*)0x20001011 = (uint8_t)0x8;
*(uint8_t*)0x20001012 = (uint8_t)0xa0ad8f89e1b1651f;
*(uint8_t*)0x20001013 = (uint8_t)0x44;
   *(uint8_t*)0x20001014 = (uint8_t)0x1;
*(uint32_t*)0x20001015 = (uint32_t)0x15;
*(uint16_t*)0x20001019 = (uint16_t)0xfffa;
*(uint16_t*)0x2000101b = (uint16_t)0x100;
*(uint32_t*)0x2000101d = (uint32_t)0x1ff;
*(uint32_t*)0x20001021 = (uint32_t)0x4;
*(uint8_t*)0x20001025 = (uint8_t)0x3;
*(uint8_t*)0x20001026 = (uint8_t)0x7;
*(uint8_t*)0x20001027 = (uint8_t)0x4;
*(uint8_t*)0x20001028 = (uint8_t)0x2;
*(uint8_t*)0x20001029 = (uint8_t)0x9;
*(uint32_t*)0x2000102a = (uint32_t)0x14;
*(uint16_t*)0x2000102e = (uint16_t)0x1;
*(uint16_t*)0x20001030 = (uint16_t)0x400;
*(uint32_t*)0x20001032 = (uint32_t)0x8000;
*(uint32_t*)0x20001036 = (uint32_t)0x60;
*(uint8_t*)0x2000103a = (uint8_t)0x1;
*(uint8_t*)0x2000103b = (uint8_t)0x1ff;
*(uint8_t*)0x2000103c = (uint8_t)0x3ff;
*(uint8_t

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Baozeng Ding



On 2016/3/28 10:35, Baozeng Ding wrote:



On 2016/3/28 6:25, Jozsef Kadlecsik wrote:

On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote:


On Sun, 27 Mar 2016, Baozeng Ding wrote:


The following program triggers stack-out-of-bounds in tcp_packet. The
kernel version is 4.5 (on Mar 16 commit
09fd671ccb2475436bd5f597f751ca4a7d177aea).
Uncovered with syzkaller. Thanks.

==
BUG: KASAN: stack-out-of-bounds in tcp_packet+0x4b77/0x51c0 at addr
8800a45df3c8
Read of size 1 by task 0327/11132
page:ea00029177c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc00()
page dumped because: kasan: bad access detected
CPU: 1 PID: 11132 Comm: 0327 Tainted: GB 4.5.0+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
  0001 8800a45df148 82945051 8800a45df1d8
  8800a45df3c8 0027 0001 8800a45df1c8
  81709f88 8800b4f7e3d0 0028 0286
Call Trace:
[< inline >] __dump_stack /kernel/lib/dump_stack.c:15
[] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51
[< inline >] print_address_description 
/kernel/mm/kasan/report.c:150

[] kasan_report_error+0x4f8/0x530
/kernel/mm/kasan/report.c:236
[] ? skb_copy_bits+0x49d/0x6d0
/kernel/net/core/skbuff.c:1675
[< inline >] ? spin_lock_bh 
/kernel/include/linux/spinlock.h:307

[] ? tcp_packet+0x1c9/0x51c0
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:833
[< inline >] kasan_report /kernel/mm/kasan/report.c:259
[] __asan_report_load1_noabort+0x3e/0x40
/kernel/mm/kasan/report.c:277
[< inline >] ? tcp_sack
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
[< inline >] ? tcp_in_window
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
[] ? tcp_packet+0x4b77/0x51c0
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
[< inline >] tcp_sack
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
[< inline >] tcp_in_window
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
[] tcp_packet+0x4b77/0x51c0
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
[] ? memset+0x28/0x30 /kernel/mm/kasan/kasan.c:302
[] ? tcp_new+0x1a4/0xc20
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1122
[< inline >] ? build_report /kernel/include/net/netlink.h:499
[] ? xfrm_send_report+0x426/0x450
/kernel/net/xfrm/xfrm_user.c:3039
[] ? tcp_new+0xc20/0xc20
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1169
[] ? init_conntrack+0xca/0x9e0
/kernel/net/netfilter/nf_conntrack_core.c:972
[] ? nf_conntrack_alloc+0x40/0x40
/kernel/net/netfilter/nf_conntrack_core.c:903
[] ? tcp_init_net+0x6e0/0x6e0
/kernel/include/net/netfilter/nf_conntrack_l4proto.h:137
[] ? ipv4_get_l4proto+0x262/0x390
/kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:89
[] ? nf_ct_get_tuple+0xaf/0x190
/kernel/net/netfilter/nf_conntrack_core.c:197
[] nf_conntrack_in+0x8ee/0x1170
/kernel/net/netfilter/nf_conntrack_core.c:1177
[] ? init_conntrack+0x9e0/0x9e0
/kernel/net/netfilter/nf_conntrack_core.c:287
[] ? ipt_do_table+0xa16/0x1260
/kernel/net/ipv4/netfilter/ip_tables.c:423
[] ? trace_hardirqs_on+0xd/0x10
/kernel/kernel/locking/lockdep.c:2635
[] ? __local_bh_enable_ip+0x6b/0xc0
/kernel/kernel/softirq.c:175
[] ? check_entry.isra.4+0x190/0x190
/kernel/net/ipv6/netfilter/ip6_tables.c:594
[] ? ip_reply_glue_bits+0xc0/0xc0
/kernel/net/ipv4/ip_output.c:1530
[] ipv4_conntrack_local+0x14e/0x1a0
/kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:161
[] ? iptable_raw_hook+0x9d/0x1e0
/kernel/net/ipv4/netfilter/iptable_raw.c:32
[] nf_iterate+0x15d/0x230 
/kernel/net/netfilter/core.c:274
[] ? nf_iterate+0x230/0x230 
/kernel/net/netfilter/core.c:268
[] nf_hook_slow+0x1ad/0x310 
/kernel/net/netfilter/core.c:306
[] ? nf_iterate+0x230/0x230 
/kernel/net/netfilter/core.c:268
[] ? nf_iterate+0x230/0x230 
/kernel/net/netfilter/core.c:268

[] ? prandom_u32+0x24/0x30 /kernel/lib/random32.c:83
[] ? ip_idents_reserve+0x9f/0xf0
/kernel/net/ipv4/route.c:484
[< inline >] nf_hook_thresh 
/kernel/include/linux/netfilter.h:187

[< inline >] nf_hook /kernel/include/linux/netfilter.h:197
[] __ip_local_out+0x263/0x3c0
/kernel/net/ipv4/ip_output.c:104
[] ? ip_finish_output+0xd00/0xd00
/kernel/include/net/ip.h:322
[] ? __ip_flush_pending_frames.isra.45+0x2e0/0x2e0
/kernel/net/ipv4/ip_output.c:1337
[] ? __ip_make_skb+0xfe6/0x1610
/kernel/net/ipv4/ip_output.c:1436
[] ip_local_out+0x2d/0x1c0 
/kernel/net/ipv4/ip_output.c:113
[] ip_send_skb+0x3c/0xc0 
/kernel/net/ipv4/ip_output.c:1443

[] ip_push_pending_frames+0x64/0x80
/kernel/net/ipv4/ip_output.c:1463
[< inline >] rcu_read_unlock 
/kernel/include/linux/rcupdate.h:922

[] raw_sendmsg+0x17bb/0x25c0
/kernel/net/ieee802154/socket.c:53
[] ? dst_output+0x190/0x190 
/kernel/include/net/dst.h:492

[< inline >] ? trace_mm_page_alloc
/k

BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Baozeng Ding
0x290/0x290 
/kernel/kernel/locking/lockdep.c:4104
[] ? is_module_text_address+0x10/0x20 
/kernel/kernel/module.c:4057
[] ? __kernel_text_address+0x73/0xa0 
/kernel/kernel/extable.c:103
[] ? debug_check_no_locks_freed+0x290/0x290 
/kernel/kernel/locking/lockdep.c:4104
[] ? debug_check_no_locks_freed+0x290/0x290 
/kernel/kernel/locking/lockdep.c:4104
[] ? trace_hardirqs_on+0xd/0x10 
/kernel/kernel/locking/lockdep.c:2635
[] ? debug_check_no_locks_freed+0x290/0x290 
/kernel/kernel/locking/lockdep.c:4104
[< inline >] ? sock_rps_record_flow /kernel/include/net/sock.h:874
[] ? inet_sendmsg+0x73/0x4c0 /kernel/net/ipv4/af_inet.c:729
[< inline >] ? rcu_read_unlock /kernel/include/linux/rcupdate.h:922
[< inline >] ? sock_rps_record_flow_hash /kernel/include/net/sock.h:867
[< inline >] ? sock_rps_record_flow /kernel/include/net/sock.h:874
[] ? inet_sendmsg+0x1fa/0x4c0 /kernel/net/ipv4/af_inet.c:729
[] inet_sendmsg+0x2f5/0x4c0 /kernel/net/ipv4/af_inet.c:736
[< inline >] ? sock_rps_record_flow /kernel/include/net/sock.h:874
[] ? inet_sendmsg+0x73/0x4c0 /kernel/net/ipv4/af_inet.c:729
[] ? inet_recvmsg+0x4a0/0x4a0 
/kernel/include/linux/compiler.h:222
[< inline >] sock_sendmsg_nosec /kernel/net/socket.c:611
[] sock_sendmsg+0xca/0x110 /kernel/net/socket.c:621
[] SYSC_sendto+0x208/0x350 /kernel/net/socket.c:1651
[] ? SYSC_connect+0x2e0/0x2e0 /kernel/net/socket.c:1543
[] ? __pmd_alloc+0x350/0x350 /kernel/mm/memory.c:3928
[] ? __do_page_fault+0x2ab/0x8e0 
/kernel/arch/x86/mm/fault.c:1184
[] ? __do_page_fault+0x3a0/0x8e0 
/kernel/arch/x86/mm/fault.c:1271
[] ? up_read+0x1a/0x40 /kernel/kernel/locking/rwsem.c:79
[] ? __do_page_fault+0x199/0x8e0 
/kernel/arch/x86/mm/fault.c:1187
[] SyS_sendto+0x40/0x50 /kernel/net/socket.c:1619
[] entry_SYSCALL_64_fastpath+0x23/0xc1 
/kernel/arch/x86/entry/entry_64.S:207
Memory state around the buggy address:
 8800a45df280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8800a45df300: f1 f1 f1 f1 00 00 04 f4 f2 f2 f2 f2 00 00 04 f4

8800a45df380: f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4 f3 f3 f3 f3

  ^
 8800a45df400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8800a45df480: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f4 f4 f4
==

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
int main()
{
/* Reproducer attached to the stack-out-of-bounds report quoted above. The
 * report says it was found with syzkaller, which matches the shape of this
 * program: one fixed-address mapping, raw stores into it, and two sendto()
 * calls fed from those addresses. No return value is checked anywhere. */
/* Fixed anonymous mapping at 0x2000 of 0x19000 bytes; every later store
 * and buffer pointer below lands inside it. */
mmap((void *)0x2000ul, 0x19000ul, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);
/* Raw IPv4 socket for IPPROTO_TCP, used through a dup()ed descriptor. */
int sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
int sock_dup = dup(sock);
/* First send: 15-byte payload at 0x2000b000, address argument at
 * 0x20002fe4 with length 0x1c, flags 0x8800. */
memcpy((void*)0x2000b000, 
"\x11\xaf\x7d\x99\x91\x3c\x87\x34\x85\x18\xc4\xd6\xf2\x30\x0a", 15);
*(uint16_t*)0x20002fec = (uint16_t)0x2;
*(uint16_t*)0x20002fee = (uint16_t)0x11ab;
*(uint32_t*)0x20002ff0 = (uint32_t)0x17f;
sendto(sock_dup, (void *)0x2000b000ul, 0xful, 0x8800ul, (struct 
sockaddr *)0x20002fe4ul, 0x1cul);
/* Second send: 232-byte payload at 0x2001504f (the memcpy length and the
 * 0xe8 byte count agree), address argument at 0x20015000 with length
 * 0x1c, flags 0x880. Note the stores below start at 0x2001501c, i.e. past
 * the 0x1c bytes that sendto() is told to read from 0x20015000. */
memcpy((void*)0x2001504f, 
"\x7e\xb1\x52\x5b\x78\x85\x27\xe7\xcc\x3d\xf5\x18\x1b\xba\xda\x97\x6c\x18\x72\x0c\xd2\x0a\xa6\x77\xb7\x8b\xa2\xd2\x1d\xf0\x6b\xf6\x1a\x27\x6b\x98\x3e\x0b\x49\x8d\x54\x6e\x9e\xbb\x21\x4a\x72\x79\x1f\x82\xaf\x89\x2c\xf6\xd3\xc9\xd7\xed\x18\x29\x4d\x2e\x03\x15\xe2\x03\x14\xd0\xac\xa5\x81\x37\x73\x88\xa9\xf5\x08\xe5\xef\x5b\x56\xb7\x18\x8f\xe6\x19\xea\x91\x82\x23\xdd\x2c\x5c\xa5\xf0\xfc\xd8\xe2\x8b\x91\x48\x70\x24\xed\xae\xf9\x06\xac\xc4\x53\x01\xc3\xf5\xa3\x10\xef\xf1\xa6\x2b\xae\x72\xc7\x1a\x02\xee\x78\xcd\xd1\x7e\x8c\x9c\x1a\x36\xc7\xd4\x7c\x82\x64\xf7\x8b\x5a\xb0\x72\xa8\x87\x3c\xdc\xd0\xba\xfe\x70\x7d\x8c\x23\x78\xad\x7c\x31\x04\xec\xab\x1e\x4c\xee\xae\x84\xd8\x1a\x1d\x85\xa5\x57\xa8\x24\x53\x08\x1c\x4f\xda\x49\xe5\x3a\x99\x8c\x29\xa1\xed\x4b\x42\x7a\x15\x48\x2a\x22\x3b\x81\xfe\x47\x74\xc1\x2f\x64\xcf\x10\xd4\x71\x72\x50\x71\xd7\xf6\xb0\xca\x41\x9a\x5e\x3e\xe4\x31\x19\xd1\x19\x46\x20\x66\x4c\x2f\xea\x76\x17\x2d\x94",
 232);
*(uint16_t*)0x2001501c = (uint16_t)0xa;
*(uint16_t*)0x2001501e = (uint16_t)0x11ab;
*(uint32_t*)0x20015020 = (uint32_t)0xbdc;
*(uint32_t*)0x20015024 = (uint32_t)0x0;
*(uint32_t*)0x20015028 = (uint32_t)0x0;
*(uint32_t*)0x2001502c = (uint32_t)0x0;
*(uint32_t*)0x20015030 = (uint32_t)0x100;
*(uint32_t*)0x20015034 = (uint32_t)0x3;
sendto(sock_dup, (void *)0x2001504ful, 0xe8ul, 0x880ul, (struct 
sockaddr *)0x20015000ul, 0x1cul);
return 0;
}

Best Regards,
Baozeng Ding




net/sctp: stack-out-of-bounds in sctp_getsockopt

2016-03-22 Thread Baozeng Ding
d4\x3a\x64\x51\x68\x13\x2d\x25\xba\x6d\x3f\x74\x68\x84\x89\x04\xd1\xa6\xe2\x7d\xaf\xfa\xd9\xce\x52\xbe\x6f\xb6\xe3\xff\x92\x35\xa1\x88\x4a\x68\x27\xaa\x25\xf8\xc1\xd5\x3b\xe5\x69\x11\x4f\x75\x4c\xe9\xff\x8b\x86\x53\x20\xb7\x10\xa2\x62\xcc\xc3\x06\x85\xde\x3e\x1c\x5a\x62\x3a\x2d\x0d\x0b\x0c\xb2\xac\x75\x42\x4d\x82\x3f\x7b\xf7\x28\xea\x2d\xff\x42\xa8\xdf\xb3\x49\x1a\xfd\xae\x2c\xd4\x35\x8e\x96\xb3\xe1\x0a\x92\x56\xb7\xde\xe8\x9e\xc3\x9e\x88\x79\xc4\x71\x46\x27\xf4\x9e\x85\xf4\x8f\x1f\x9a\xe5\x7e\x02\x09\x34\x80\x1e\x87\xa8\x9a\xce\xac\xfb\x43\x07\xdf\x15\xe8\x71\x9a\xa3\x80\x18\x1b\x15\xbd\x57\xb6\xc1\x73\x6e\xb1\x28\x3a\x01\xd5\x8e\x15\x85\xbd\x52\xdf\xfa\x64\xaa\x13\x0e\x2f\x64\x05\x11\xce\x79\x8b\xa8\x02\x29\x7f\x72\x0f\x37\x89\xb4\x54\x0b\x09\x02\x75\xc2\x8e\xd7\xcd\x7e\xfb\x4f\x72\xf1\x47\xea\xa2\x2a\xc3\xc4\xe9\x70\xfe\xa5\x80\x88\x21\x33\xcf\x13\x66\x98\x23\x10\x5c\xa4\xbd\xee\xc0\xb4\xdd\xfb\xff\xf2\x38\xab\xca\x36\x62\x35\x84\xe4\x73\x5c\xc7\x3e\x72\x2e\x17\x43\x6f\x85\x45\x4f\x82\x62\x0d\x77\xae\xcb\xe1\x8f\xe8\xf0\x84\x3e\x62\x8b\x70\x2b\x55\xb5\xa7\x13\xcf\xa1\x78\x77\x82\xe2\xb7\x1c\x65\x7f\xb5\x79\x73\x01\x07\xd1\x9f\x45\x6a\xbb\x3d\xbf\xc8\x71\x5b\x9f\x30\xc7\xb9\xb8\x53\x9f\xe1\xba\xb6\x78\x9e\x05\x75\xa3\x55\xb1\x26\x96\xa9\xb2\x82\xce\x81\x5c\x8a\x18\xb3\x4b\x0c\x18\x8c\xf2\x7c\x09\xde\xcb\xcf\x78\x22\x58\xf6\x15\xf6\xf7\x48\xda\x08\x75\xd4\xc1\x20\xc3\x18\x2e\x89\xe8\x5b\x48\xd9\xbc\x1f\xbb\xed\x31\xaf\x12\x4d\xcd\x46\x60\xa0\xef\x0e\x2e\x21\x1d\x2b\x68\x75\xb9\x42\x5e\xd7\xae\x35\x46\xe9\x06\x63\x1d\x3c\xd6\x9c\x14\x3b\x09\x29\x49\x70\xb9\xe1\xe0\x09\x45\x41\x62\x0c\xff\x5a\x77\xbe\x31\xa6\x03\x94\x92\xde\x41\x99\xfa\x68\x99\x74\xbb\x0a\x3d\xac\x9c\x7e\x00\x6b\xcd\xc1\x83\xa7\xc5\x63\xdd\x10\xea\x59\x27\xdc\x02\x98\xd6\x43\x20\x24\x4e\xc0\xdc\xa2\x98\xdf\x3e\xaf\x61\x35\xa0\x95\x3f\x9a\xaa\x7d\xe9\xe9\x0d\xe5\x97\x66\x1a\x9f\xbf\x56\xc8\x37\x84\x18\x2b\xd2\xcd\xd6\xb3\x19\xd8\x4a\x30\x6e\xcb\x99\x1c\xe9\x0f\xdb\xca\x30\xe1\xe2\x90\xba\xb9\x61\x00\x
bf\xeb\xad\x6a\xc8\x52\xea\x1a\x92\x05\x0c\x3b\x78\x82\x01\xac\xfd\x88\x6c\xca\xe2\xfb\xe7\x0f\xcc\x75\x9c\x98\x12\x26\xcf\xa6\x80\x02\x35\xdf\x6e\xe1\x11\x1d\xa7\x30\x17\x38\x41\xd9\x81\x55\x1a\x1e\xd1\xfe\x60\xbf\xef\x09\x25\xc0\xdb\x9f\xc4\xc6\x54\x1a\x85\x36\x85\x05\xb3\x9f\x2c\xc5\xcd\x12\x51\xef\xbe\x10\x79\xbf\x11\x00\x47\x0d\x9c\x14\x43\x1a\x46\xea\xd1\x34\x2e\x10\x6b\xa4\x3c\x25\x21\xe3\xb9\x15\x78\x6c\x40\x87\x90\xf7\x93\x5a\x66\x5f\x0a\x76\xff\xc2\xe2\x14\x35\x88\x47\xa1\x33\x5b\x8f\x3d\xc5\x89\xb7\xf9\x8a\x40\xf0\x1e\xc9\x30\xcd\xd8\x96\x41\x78\x58\x97\x49\xc8\x50\x61\x36\x8f\x7e\x44\x41\xc0\x84\xbb\x35\xf0\x63\xa9\xc2\x2a\xbd\xcc\x4b\xab\x8b\x16\x33\xc0\x66\xbf\x47\x62\x9b\xc4\x47\x2d\x68\x83\xca\xe3\x52\x79\xd7\xe0\x61\x80\x15\xf1\x90\x83\xa2\xbb\x4c\xe5\x8b\x50\xc8\x1b\x68\x7b\xee\x57\xdc\x54\xfa\x90\xf1\xf5\xec\x7d\x93\xe0\x80\x74\x06\xbe\xac\xc8\x85\x4d\xe8\xbf\xd3\xdd\x34\x55\xc4\xbf\x2f\x24\x19\xad\x86\x1e\x69\x2b\x6c\x3f\x00\xe8\x4b\xbb\x99\xcf\x17\x99\x00\x9d\x6c\x70\x57\xcc\x35\xee\x07\x87\x25\x8c\x0c\x8b\x9b\x38\x15\xcc\x05\x6f\xf8\x16\x78\x0b\x41\xfa\x23\x96\xc0\x79\xf8\xb7\xf0\x2b\x60\x7e\x98\xe3\x7b\xab\x80\x1f\x0d\xbf\xf6\x7e\x37\x06\xf1\x11\x42\x38\x2a\x70\xdf\xa4\xca\xf5\xf3\xf4\x7d\xca\x10\x0c\xd5\xe2\x90\xa0\x15\xde\xc2\x61\xa2\x88\xea\x32\x37\x97\x83\xd0\x4c\xad\xe2\xae\x9b\x53\xa2\xc2\x54\x0c\xbd\xe1\x50\x3b\x15\xd4\xb1\xa9\x41\x6e\x18\x2e\x30\x3f\x91\x03\x81\x86\x8c\x5c\x1f\x76\x51\x92\xf5\xb5\xb2\xc3\x16\x01\xef\xe3\x9e\xb1\x92\x0e\x0e\xcb\x20\x7f\x10\x29\x08\x6e\x15\x3d\x1e\x7c\x70\xf5\xb5\x3c\x56\x15\x3c\x59\xe6\xe7\x9e\x16\xcd\xfc\x8e\xfa\x12\x99\xbb\x07\xaa\xd7\x1c\xd0\xae\x93\x4c\xba\x16\x5d\x0c\xed\x1d\x02\x87\xcd\x38\x31\xc6\x10\x42\xe1\x46\x4e\xa3\xae\xb6\xda\xb6\xb0\x49\x55\x89\x57\xe6\xac\xe3\xbf\xb5\x5c\x59\x93\x0d\x21\x35\xdd\x57\x8c\x04\x15\x91\x05\x69\x4a\xdb\x5e\xcb\x4d\xa3\x5d\xa8\x7e\x95\x9e\x9d\x95\x61\xc9\x1c\xdd\x66\x0a\x76\x18\xbb\x59\x6a\xa5\xc0\xf2\xb8\x2f\xa9\x4c\xa8\xb3\x2b\xa3\x8a\xbf\x5c\xe8\x18\x3d\x7f\x
0e\x2f\xe9\x06\xf9\xb6\xcc\x60\xcc\x38\x6c\x9a\x78\xa7\x7c\x61",
1037);
getsockopt(sock_dup, IPPROTO_IP, 0x81,  (void *)0x2bf3ul,
(socklen_t *)0x20003000ul);
return 0;
}

Best Regards,

Baozeng Ding


net/ppp: use-after-free in ppp_unregister_channel

2016-03-19 Thread Baozeng Ding
kernel/kernel/task_work.c:115
 [< inline >] exit_task_work kernel/include/linux/task_work.h:21
 [] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [] ? mm_update_next_owner+0x6f0/0x6f0 
kernel/kernel/exit.c:357
 [] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [] ? recalc_sigpending_tsk+0x13b/0x180 
kernel/kernel/signal.c:145
 [] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [] ? kprobe_flush_task+0xb5/0x450 
kernel/kernel/kprobes.c:1158
 [] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [] ? recycle_rp_inst+0x310/0x310 
kernel/include/linux/list.h:655
 [] ? setup_sigcontext+0x780/0x780 
kernel/arch/x86/kernel/signal.c:165
 [] ? finish_task_switch+0x424/0x5f0 
kernel/kernel/sched/core.c:2692
 [< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [] ? finish_task_switch+0x120/0x5f0 
kernel/kernel/sched/core.c:2678
 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807
 [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [] exit_to_usermode_loop+0xf1/0x1a0 
kernel/arch/x86/entry/common.c:247
 [< inline >] prepare_exit_to_usermode 
kernel/arch/x86/entry/common.c:282
 [] syscall_return_slowpath+0x19f/0x210 
kernel/arch/x86/entry/common.c:344
 [] int_ret_from_sys_call+0x25/0x9f 
kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ^
 880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

Best Regards,

Baozeng Ding


net/bluetooth: use-after-free in hci_event_packet

2016-03-19 Thread Baozeng Ding
ernel/fs/read_write.c:530
[<  none  >] vfs_write+0x167/0x4a0 kernel/fs/read_write.c:577
[< inline >] SYSC_write kernel/fs/read_write.c:624
[<  none  >] SyS_write+0x111/0x220 kernel/fs/read_write.c:616
INFO: Slab 0xea0010fbdb00 objects=20 used=19 fp=0x88043ef6e310
flags=0x2fffc004080
INFO: Object 0x88043ef6e310 @offset=8976 fp=0x  (null)

CPU: 1 PID: 9348 Comm: kworker/u17:11 Tainted: GB   4.4.0+
#5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
Workqueue: hci4 hci_rx_work
  880433b8f6b0 8292049d 88048a004b40
 88043ef6e310 88043ef6c000 880433b8f6e0 816f2054
 88048a004b40 ea0010fbdb00 88043ef6e310 88043ef6e318
Call Trace:
 [< inline >] __dump_stack kernel/lib/dump_stack.c:15
 [] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [< inline >] print_address_description kernel/mm/kasan/report.c:138
 [] kasan_report_error+0x215/0x530 
kernel/mm/kasan/report.c:236
 [< inline >] kasan_report kernel/mm/kasan/report.c:259
 [] __asan_report_load1_noabort+0x3e/0x40 
kernel/mm/kasan/report.c:277
 [< inline >] ? hci_inquiry_result_with_rssi_evt 
kernel/net/bluetooth/hci_event.c:3616
 [] ? hci_event_packet+0x8d45/0x9f90 
kernel/net/bluetooth/hci_event.c:5323
 [< inline >] hci_inquiry_result_with_rssi_evt 
kernel/net/bluetooth/hci_event.c:3616
 [] hci_event_packet+0x8d45/0x9f90 
kernel/net/bluetooth/hci_event.c:5323
 [< inline >] ? spin_lock kernel/include/linux/spinlock.h:302
 [] ? deactivate_slab+0x212/0x710 kernel/mm/slub.c:1949
 [< inline >] ? hci_cc_read_local_amp_info 
kernel/net/bluetooth/hci_event.c:833
 [] ? hci_cmd_complete_evt+0xcfb0/0xcfb0 
kernel/net/bluetooth/hci_event.c:2905
 [< inline >] ? spin_unlock kernel/include/linux/spinlock.h:347
 [] ? deactivate_slab+0x408/0x710 kernel/mm/slub.c:1995
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [< inline >] ? rcu_read_unlock kernel/include/linux/rcupdate.h:926
 [] ? cpuacct_charge+0x1a7/0x380 
kernel/kernel/sched/cpuacct.c:255
 [< inline >] ? rcu_lock_release kernel/include/linux/rcupdate.h:495
 [< inline >] ? rcu_read_unlock kernel/include/linux/rcupdate.h:930
 [] ? cpuacct_charge+0x1c6/0x380 
kernel/kernel/sched/cpuacct.c:255
 [< inline >] ? task_cpu kernel/include/linux/sched.h:3111
 [] ? cpuacct_charge+0x60/0x380 
kernel/kernel/sched/cpuacct.c:240
 [] ? rcu_read_unlock+0x16/0x70 
kernel/include/linux/rcupdate.h:926
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [] ? __compute_runnable_contrib+0x54/0x70 
kernel/kernel/sched/fair.c:2549
 [< inline >] ? __update_load_avg kernel/kernel/sched/fair.c:2668
 [] ? update_cfs_rq_load_avg+0x513/0x1160 
kernel/kernel/sched/fair.c:2795
 [] ? skb_dequeue+0x22/0x180 kernel/net/core/skbuff.c:2333
 [] ? trace_hardirqs_on+0xd/0x10 
kernel/kernel/locking/lockdep.c:2619
 [] ? hci_send_to_monitor+0x296/0x3e0 
kernel/net/bluetooth/hci_sock.c:305
 [] hci_rx_work+0x6f2/0xc00 
kernel/net/bluetooth/hci_core.c:4157
 [] ? process_one_work+0x6ca/0x1440 
kernel/kernel/workqueue.c:2033
 [] process_one_work+0x794/0x1440 
kernel/kernel/workqueue.c:2036
 [] ? process_one_work+0x6ca/0x1440 
kernel/kernel/workqueue.c:2033
 [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0 
kernel/include/linux/compiler.h:218
 [] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807
 [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
 [] ? process_one_work+0x1440/0x1440 
kernel/include/linux/list.h:655
 [] ? kthread_create_on_node+0x3b0/0x3b0 
kernel/kernel/kthread.c:285
 [] ? kthread_create_on_node+0x3b0/0x3b0 
kernel/kernel/kthread.c:285
 [] ret_from_fork+0x3f/0x70 
kernel/arch/x86/entry/entry_64.S:468
 [] ? kthread_create_on_node+0x3b0/0x3b0 
kernel/kernel/kthread.c:285

Memory state around the buggy address:
 88043ef6e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88043ef6e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88043ef6e300: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ^
 88043ef6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88043ef6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb


Best Regards,

Baozeng Ding