From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo <ap420073@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 4.14 17/78] ip_tunnel: fix use-after-free in ip_tunnel_lookup()
Date: Mon, 29 Jun 2020 11:37:05 -0400 [thread overview]
Message-ID: <20200629153806.2494953-18-sashal@kernel.org> (raw)
In-Reply-To: <20200629153806.2494953-1-sashal@kernel.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit ba61539c6ae57f4146284a5cb4f7b7ed8d42bf45 ]
In the datapath, the ip_tunnel_lookup() is used and it internally uses
fallback tunnel device pointer, which is fb_tunnel_dev.
This pointer variable should be set to NULL when a fb interface is deleted.
But there is no routine to set fb_tunnel_dev pointer to NULL.
So, this pointer will be still used after interface is deleted and
it eventually results in the use-after-free problem.
Test commands:
ip netns add A
ip netns add B
ip link add eth0 type veth peer name eth1
ip link set eth0 netns A
ip link set eth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set eth0 up
ip netns exec A ip link add gre1 type gre local 10.0.0.1 \
remote 10.0.0.2
ip netns exec A ip link set gre1 up
ip netns exec A ip a a 10.0.100.1/24 dev gre1
ip netns exec A ip a a 10.0.0.1/24 dev eth0
ip netns exec B ip link set lo up
ip netns exec B ip link set eth1 up
ip netns exec B ip link add gre1 type gre local 10.0.0.2 \
remote 10.0.0.1
ip netns exec B ip link set gre1 up
ip netns exec B ip a a 10.0.100.2/24 dev gre1
ip netns exec B ip a a 10.0.0.2/24 dev eth1
ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 &
ip netns del B
Splat looks like:
[ 77.793450][ C3] ==================================================================
[ 77.794702][ C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30
[ 77.795573][ C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905
[ 77.796398][ C3]
[ 77.796664][ C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616
[ 77.797474][ C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 77.798453][ C3] Call Trace:
[ 77.798815][ C3] <IRQ>
[ 77.799142][ C3] dump_stack+0x9d/0xdb
[ 77.799605][ C3] print_address_description.constprop.7+0x2cc/0x450
[ 77.800365][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.800908][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.801517][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.802145][ C3] kasan_report+0x154/0x190
[ 77.802821][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.803503][ C3] ip_tunnel_lookup+0xcc4/0xf30
[ 77.804165][ C3] __ipgre_rcv+0x1ab/0xaa0 [ip_gre]
[ 77.804862][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 77.805621][ C3] gre_rcv+0x304/0x1910 [ip_gre]
[ 77.806293][ C3] ? lock_acquire+0x1a9/0x870
[ 77.806925][ C3] ? gre_rcv+0xfe/0x354 [gre]
[ 77.807559][ C3] ? erspan_xmit+0x2e60/0x2e60 [ip_gre]
[ 77.808305][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 77.809032][ C3] ? rcu_read_lock_held+0x90/0xa0
[ 77.809713][ C3] gre_rcv+0x1b8/0x354 [gre]
[ ... ]
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_tunnel.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index f6793017a20d9..44cc17c43a6b5 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -98,9 +98,10 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
__be32 remote, __be32 local,
__be32 key)
{
- unsigned int hash;
struct ip_tunnel *t, *cand = NULL;
struct hlist_head *head;
+ struct net_device *ndev;
+ unsigned int hash;
hash = ip_tunnel_hash(key, remote);
head = &itn->tunnels[hash];
@@ -175,8 +176,9 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
if (t && t->dev->flags & IFF_UP)
return t;
- if (itn->fb_tunnel_dev && itn->fb_tunnel_dev->flags & IFF_UP)
- return netdev_priv(itn->fb_tunnel_dev);
+ ndev = READ_ONCE(itn->fb_tunnel_dev);
+ if (ndev && ndev->flags & IFF_UP)
+ return netdev_priv(ndev);
return NULL;
}
@@ -1211,9 +1213,9 @@ void ip_tunnel_uninit(struct net_device *dev)
struct ip_tunnel_net *itn;
itn = net_generic(net, tunnel->ip_tnl_net_id);
- /* fb_tunnel_dev will be unregisted in net-exit call. */
- if (itn->fb_tunnel_dev != dev)
- ip_tunnel_del(itn, netdev_priv(dev));
+ ip_tunnel_del(itn, netdev_priv(dev));
+ if (itn->fb_tunnel_dev == dev)
+ WRITE_ONCE(itn->fb_tunnel_dev, NULL);
dst_cache_reset(&tunnel->dst_cache);
}
--
2.25.1
next prev parent reply other threads:[~2020-06-29 20:16 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-29 15:36 [PATCH 4.14 00/78] 4.14.186-rc1 review Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 01/78] scsi: scsi_devinfo: handle non-terminated strings Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 02/78] net: be more gentle about silly gso requests coming from user Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 03/78] block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 04/78] net: sched: export __netdev_watchdog_up() Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 05/78] fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()" Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 06/78] apparmor: don't try to replace stale label in ptraceme check Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 07/78] ibmveth: Fix max MTU limit Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 08/78] mld: fix memory leak in ipv6_mc_destroy_dev() Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 09/78] net: bridge: enfore alignment for ethernet address Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 10/78] net: fix memleak in register_netdevice() Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 11/78] net: usb: ax88179_178a: fix packet alignment padding Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 12/78] rocker: fix incorrect error handling in dma_rings_init Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 13/78] rxrpc: Fix notification call on completion of discarded calls Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 14/78] sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 15/78] tcp: grow window for OOO packets only for SACK flows Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 16/78] tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes Sasha Levin
2020-06-29 15:37 ` Sasha Levin [this message]
2020-06-29 15:37 ` [PATCH 4.14 18/78] tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 19/78] ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 20/78] net: Fix the arp error in some cases Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 21/78] net: Do not clear the sock TX queue in sk_set_socket() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 22/78] net: core: reduce recursion limit value Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 23/78] USB: ohci-sm501: Add missed iounmap() in remove Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 24/78] usb: dwc2: Postponed gadget registration to the udc class driver Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 25/78] usb: add USB_QUIRK_DELAY_INIT for Logitech C922 Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 26/78] USB: ehci: reopen solution for Synopsys HC bug Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 27/78] usb: host: xhci-mtk: avoid runtime suspend when removing hcd Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 28/78] usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 29/78] ALSA: usb-audio: add quirk for Denon DCD-1500RE Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 30/78] xhci: Fix incorrect EP_STATE_MASK Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 31/78] xhci: Fix enumeration issue when setting max packet size for FS devices Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 32/78] cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 33/78] loop: replace kill_bdev with invalidate_bdev Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 34/78] ALSA: usb-audio: uac1: Invalidate ctl on interrupt Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 35/78] ALSA: usb-audio: Clean up mixer element list traverse Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 36/78] ALSA: usb-audio: Fix OOB access of mixer element list Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 37/78] xhci: Poll for U0 after disabling USB2 LPM Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 38/78] cifs/smb3: Fix data inconsistent when punch hole Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 39/78] cifs/smb3: Fix data inconsistent when zero file range Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 40/78] efi/esrt: Fix reference count leak in esre_create_sysfs_entry Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 41/78] ARM: dts: NSP: Correct FA2 mailbox node Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 42/78] rxrpc: Fix handling of rwind from an ACK packet Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 43/78] RDMA/cma: Protect bind_list and listen_list while finding matching cm id Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 44/78] ASoC: rockchip: Fix a reference count leak Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 45/78] RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 46/78] net: qed: fix left elements count calculation Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 47/78] net: qed: fix NVMe login fails over VFs Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 48/78] net: qed: fix excessive QM ILT lines consumption Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 49/78] ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 50/78] usb: gadget: udc: Potential Oops in error handling code Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 51/78] netfilter: ipset: fix unaligned atomic access Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 52/78] net: bcmgenet: use hardware padding of runt frames Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 53/78] sched/core: Fix PI boosting between RT and DEADLINE tasks Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 54/78] ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 55/78] net: alx: fix race condition in alx_remove Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 56/78] s390/ptrace: fix setting syscall number Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 57/78] kbuild: improve cc-option to clean up all temporary files Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 58/78] blktrace: break out of blktrace setup on concurrent calls Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 59/78] ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 60/78] ACPI: sysfs: Fix pm_profile_attr type Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 61/78] KVM: X86: Fix MSR range of APIC registers in X2APIC mode Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 62/78] KVM: nVMX: Plumb L2 GPA through to PML emulation Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 63/78] btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 64/78] mm/slab: use memzero_explicit() in kzfree() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 65/78] ocfs2: load global_inode_alloc Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 66/78] ocfs2: fix value of OCFS2_INVALID_SLOT Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 67/78] ocfs2: fix panic on nfs server over ocfs2 Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 68/78] arm64: perf: Report the PC value in REGS_ABI_32 mode Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 69/78] tracing: Fix event trigger to accept redundant spaces Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 70/78] drm/radeon: fix fb_div check in ni_init_smc_spll_table() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 71/78] Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 72/78] sunrpc: fixed rollback in rpc_gssd_dummy_populate() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 73/78] SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 74/78] pNFS/flexfiles: Fix list corruption if the mirror count changes Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 75/78] NFSv4 fix CLOSE not waiting for direct IO compeletion Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 76/78] ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 77/78] xfs: add agf freeblocks verify in xfs_agf_verify Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 78/78] Linux 4.14.186-rc1 Sasha Levin
2020-06-30 7:19 ` [PATCH 4.14 00/78] 4.14.186-rc1 review Naresh Kamboju
2020-06-30 9:20 ` Jon Hunter
2020-06-30 13:08 ` Sebastian Gottschall
2020-06-30 17:21 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200629153806.2494953-18-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).