microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
WSL2-Linux-Kernel/include/net
История
Kuniyuki Iwashima fa6c23fe6d kcm: Serialise kcm_sendmsg() for the same socket. 
[ Upstream commit 807067bf014d4a3ae2cc55bd3de16f22a01eb580 ]

syzkaller reported UAF in kcm_release(). [0]

The scenario is

  1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.

  2. Thread A resumes building skb from kcm->seq_skb but is blocked
     by sk_stream_wait_memory()

  3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb
     and puts the skb to the write queue

  4. Thread A faces an error and finally frees skb that is already in the
     write queue

  5. kcm_release() does double-free the skb in the write queue

When a thread is building a MSG_MORE skb, another thread must not touch it.

Let's add a per-sk mutex and serialise kcm_sendmsg().

[0]:
BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]
BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]
BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]
BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]
BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691
Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167

CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __skb_unlink include/linux/skbuff.h:2366 [inline]
 __skb_dequeue include/linux/skbuff.h:2385 [inline]
 __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]
 __skb_queue_purge include/linux/skbuff.h:3181 [inline]
 kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691
 __sock_release net/socket.c:659 [inline]
 sock_close+0xa4/0x1e8 net/socket.c:1421
 __fput+0x30c/0x738 fs/file_table.c:376
 ____fput+0x20/0x30 fs/file_table.c:404
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x618/0x1f64 kernel/exit.c:871
 do_group_exit+0x194/0x22c kernel/exit.c:1020
 get_signal+0x1500/0x15ec kernel/signal.c:2893
 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249
 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 6166:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626
 unpoison_slab_object mm/kasan/common.c:314 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903
 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1296 [inline]
 kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 sock_sendmsg+0x220/0x2c0 net/socket.c:768
 splice_to_socket+0x7cc/0xd58 fs/splice.c:889
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0xec/0x1d8 fs/splice.c:1164
 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x1e4/0x304 fs/splice.c:1233
 do_sendfile+0x460/0xb3c fs/read_write.c:1295
 __do_sys_sendfile64 fs/read_write.c:1362 [inline]
 __se_sys_sendfile64 fs/read_write.c:1348 [inline]
 __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1348
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Freed by task 6167:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x5c/0x74 mm/kasan/generic.c:640
 poison_slab_object+0x124/0x18c mm/kasan/common.c:241
 __kasan_slab_free+0x3c/0x78 mm/kasan/common.c:257
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kmem_cache_free+0x15c/0x3d4 mm/slub.c:4363
 kfree_skbmem+0x10c/0x19c
 __kfree_skb net/core/skbuff.c:1109 [inline]
 kfree_skb_reason+0x240/0x6f4 net/core/skbuff.c:1144
 kfree_skb include/linux/skbuff.h:1244 [inline]
 kcm_release+0x104/0x4c8 net/kcm/kcmsock.c:1685
 __sock_release net/socket.c:659 [inline]
 sock_close+0xa4/0x1e8 net/socket.c:1421
 __fput+0x30c/0x738 fs/file_table.c:376
 ____fput+0x20/0x30 fs/file_table.c:404
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x618/0x1f64 kernel/exit.c:871
 do_group_exit+0x194/0x22c kernel/exit.c:1020
 get_signal+0x1500/0x15ec kernel/signal.c:2893
 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249
 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at ffff0000ced0fc80
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 0 bytes inside of
 freed 240-byte region [ffff0000ced0fc80, ffff0000ced0fd70)

The buggy address belongs to the physical page:
page:00000000d35f4ae4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ed0f
flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000800 ffff0000c1cbf640 fffffdffc3423100 dead000000000004
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ced0fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000ced0fc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff0000ced0fc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0000ced0fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff0000ced0fd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

Fixes: ab7ac4eb98 ("kcm: Kernel Connection Multiplexor module")
Reported-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b72d86aa5df17ce74c60
Tested-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240815220437.69511-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-09-04 13:23:32 +02:00
..
9p 9p: Add client parameter to p9_req_put() 2022-08-17 14:24:07 +02:00
bluetooth Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ 2024-07-05 09:14:18 +02:00
caif
iucv
netfilter netfilter: nf_tables: allow clone callbacks to sleep 2024-08-19 05:45:50 +02:00
netns netfilter: nf_flow_table: count pending offload workqueue tasks 2024-04-27 17:05:24 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-11-25 09:48:40 +01:00
phonet
sctp sctp: move hlist_node and hashent out of sctp_ep_common 2024-08-19 05:45:35 +02:00
tc_act net/sched: transition act_pedit to rcu and percpu stats 2023-03-11 13:57:29 +01:00
6lowpan.h
Space.h
act_api.h
addrconf.h ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr 2024-04-17 11:15:14 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). 2024-05-02 16:24:47 +02:00
af_vsock.h vsock: each transport cycles only on its own sockets 2022-03-23 09:16:41 +01:00
ah.h
arp.h ipv4: Invalidate neighbour for broadcast address upon address addition 2022-04-13 20:59:05 +02:00
atmclip.h
ax25.h ax25: fix reference count leaks of ax25_dev 2022-04-20 09:34:22 +02:00
ax88796.h
bareudp.h
bond_3ad.h net: bonding: Share lacpdu_mcast_addr definition 2022-09-28 11:11:48 +02:00
bond_alb.h bonding (gcc13): synchronize bond_{a,t}lb_xmit() types 2023-06-14 11:13:00 +02:00
bond_options.h Bonding: add arp_missed_max option 2023-06-05 09:21:19 +02:00
bonding.h bonding: fix macvlan over alb bond support 2023-08-30 16:18:15 +02:00
bpf_sk_storage.h
busy_poll.h net: Fix a data-race around sysctl_net_busy_poll. 2022-08-31 17:16:43 +02:00
calipso.h
cfg80211-wext.h
cfg80211.h wifi: cfg80211: fix sband iftype data lookup for AP_VLAN 2023-08-16 18:22:01 +02:00
cfg802154.h mac802154: fix llsec key resources release in mac802154_llsec_key_del 2024-04-10 16:18:39 +02:00
checksum.h net: Force inlining of checksum functions in net/checksum.h 2022-03-02 11:47:58 +01:00
cipso_ipv4.h
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h
dsa.h net: dsa: introduce preferred_default_local_cpu_port and use on MT7530 2024-04-27 17:05:29 +02:00
dsfield.h
dst.h net: Remove unused inline function dst_hold_and_use() 2023-06-21 15:59:19 +02:00
dst_cache.h wireguard: device: reset peer src endpoint when netns exits 2021-12-08 09:04:46 +01:00
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-16 12:56:30 +01:00
dst_ops.h net: fix __dst_negative_advice() race 2024-06-16 13:39:59 +02:00
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-04-27 14:38:52 +02:00
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:04:43 +01:00
firewire.h
flow.h inet: shrink struct flowi_common 2023-11-20 11:08:28 +01:00
flow_dissector.h net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:34:09 +02:00
flow_offload.h netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-14 18:36:17 +02:00
fou.h
fq.h
fq_impl.h
garp.h
gen_stats.h
genetlink.h drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group 2023-12-13 18:36:38 +01:00
geneve.h
gre.h
gro.h
gro_cells.h
gtp.h
gue.h
hwbm.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h net: ieee802154: return -EINVAL for unknown addr type 2022-10-26 12:35:54 +02:00
if_inet6.h net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX 2023-12-20 15:17:34 +01:00
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h net: remove duplicate reuseport_lookup functions 2024-06-16 13:39:21 +02:00
inet_common.h
inet_connection_sock.h Fix race for duplicate reqsk on identical SYN 2024-07-05 09:14:41 +02:00
inet_ecn.h
inet_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
inet_hashtables.h net: remove duplicate reuseport_lookup functions 2024-06-16 13:39:21 +02:00
inet_sock.h net: allow unbound socket for packets in VRF when tcp_l3mdev_accept set 2022-08-17 14:23:36 +02:00
inet_timewait_sock.h
inetpeer.h
ioam6.h
ip.h ipv4: ignore dst hint for multipath routes 2023-09-19 12:22:58 +02:00
ip6_checksum.h
ip6_fib.h net: fib: avoid warn splat in flow dissector 2023-09-19 12:22:58 +02:00
ip6_route.h
ip6_tunnel.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:14:36 +02:00
ip_fib.h ipv4/fib: send notify when delete source address routes 2023-10-25 11:59:00 +02:00
ip_tunnels.h geneve: fix header validation in geneve[6]_xmit_skb 2024-04-17 11:15:14 +02:00
ip_vs.h ipvs: Update width of source for ip_vs_sync_conn_options 2023-05-24 17:36:46 +01:00
ipcomp.h
ipconfig.h
ipv6.h ipv6: fix ip6_sock_set_addr_preferences() typo 2023-09-19 12:23:04 +02:00
ipv6_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
ipv6_stubs.h bpf: Derive source IP addr via bpf_*_fib_lookup() 2024-03-06 14:38:50 +00:00
iw_handler.h
kcm.h kcm: Serialise kcm_sendmsg() for the same socket. 2024-09-04 13:23:32 +02:00
l3mdev.h
lag.h
lapb.h
lib80211.h
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-18 19:17:10 +01:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h llc: Drop support for ETH_P_TR_802_2. 2024-02-23 08:54:27 +01:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h lwt: Check LWTUNNEL_XMIT_CONTINUE strictly 2023-09-19 12:22:34 +02:00
mac80211.h
mac802154.h
macsec.h net: macsec: indicate next pn update when offloading 2023-10-19 23:05:34 +02:00
mctp.h mctp: unify sockaddr_mctp types 2021-10-18 13:47:09 +01:00
mctpdevice.h
mip6.h
mld.h
mpls.h
mpls_iptunnel.h
mptcp.h mptcp: remove MPTCP 'ifdef' in TCP SYN cookies 2023-01-12 11:58:52 +01:00
mrp.h mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:14:42 +01:00
ncsi.h
ndisc.h ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report() 2022-03-08 19:12:33 +01:00
neighbour.h neighbour: delete neigh_lookup_nodev as not used 2023-06-21 15:59:19 +02:00
net_failover.h
net_namespace.h netfilter: nf_flow_table: count pending offload workqueue tasks 2024-04-27 17:05:24 +02:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h net: ieee802154: handle iftypes as u32 2021-12-01 09:04:46 +01:00
nsh.h
p8022.h
page_pool.h page_pool: fix inconsistency for page_pool_ring_[un]lock() 2023-06-05 09:21:22 +02:00
pie.h
ping.h
pkt_cls.h
pkt_sched.h net/sched: make psched_mtu() RTNL-less safe 2023-07-23 13:47:45 +02:00
pptp.h
protocol.h tcp/udp: Make early_demux back namespacified. 2022-11-10 18:15:38 +01:00
psample.h
psnap.h
raw.h raw: Fix a data-race around sysctl_raw_l3mdev_accept. 2022-07-21 21:24:27 +02:00
rawv6.h
red.h
regulatory.h
request_sock.h tcp: Use BPF timeout setting for SYN ACK RTO 2024-07-05 09:14:41 +02:00
rose.h
route.h ip: Fix data-races around sysctl_ip_default_ttl. 2022-07-29 17:25:09 +02:00
rpl.h ipv6: rpl: Fix Route of Death. 2023-06-14 11:13:02 +02:00
rsi_91x.h
rtnetlink.h net: validate veth and vxcan peer ifindexes 2023-08-30 16:18:14 +02:00
rtnh.h
sch_generic.h net/sched: sch_taprio: fix possible use-after-free 2023-02-01 08:27:09 +01:00
scm.h scm: fix MSG_CTRUNC setting condition for SO_PASSSEC 2023-05-11 23:00:26 +09:00
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-18 10:26:53 +02:00
seg6.h udp6: Use Segment Routing Header for dest address if present 2022-01-27 11:05:05 +01:00
seg6_hmac.h
seg6_local.h
selftests.h
slhc_vj.h
smc.h
snmp.h
sock.h net: drop nopreempt requirement on sock_prot_inuse_add() 2024-07-05 09:14:08 +02:00
sock_reuseport.h soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-12-31 13:14:07 +01:00
stp.h
strparser.h tls: rx: don't store the decryption status in socket context 2024-03-06 14:38:47 +00:00
switchdev.h
tcp.h tcp: add tcp_done_with_error() helper 2024-08-19 05:44:55 +02:00
tcp_states.h
timewait_sock.h
tipc.h
tls.h tls: fix race between async notify and socket close 2024-05-25 16:20:17 +02:00
tls_toe.h
transp_v6.h
tso.h
tun_proto.h
udp.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2023-04-26 13:51:54 +02:00
udp_tunnel.h rxrpc: Fix ICMP/ICMP6 error handling 2022-09-15 11:30:05 +02:00
udplite.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2023-04-26 13:51:54 +02:00
vsock_addr.h
vxlan.h vxlan: Fix nexthop hash size 2023-08-11 15:13:54 +02:00
wext.h
x25.h
x25device.h
xdp.h xdp: Allow registering memory model without rxq reference 2023-06-05 09:21:21 +02:00
xdp_priv.h
xdp_sock.h
xdp_sock_drv.h i40e: xsk: Move tmp desc array from driver to pool 2022-06-14 18:36:18 +02:00
xfrm.h xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:50:57 +02:00
xsk_buff_pool.h xsk: Fix unaligned descriptor validation 2023-05-11 23:00:27 +09:00