* BUG: KASAN: use-after-free in udp_lib_get_port
@ 2016-10-16 13:46 Baozeng Ding
  2016-10-16 19:53 ` Cong Wang
  0 siblings, 1 reply; 10+ messages in thread
From: Baozeng Ding @ 2016-10-16 13:46 UTC (permalink / raw)
  To: network dev

Hello all,
While running the syzkaller fuzzer I got the following use-after-free
bug in udp_lib_get_port. The kernel version is 4.8.0+ (on the Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it.

BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88000804cb60
Write of size 8 by task syz-executor/31190
CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880015ac7a48 ffffffff829f835b ffff880032b531c0 ffff88000804cb40
 ffff88000804d250 ffff880017415a4a ffff880015ac7a70 ffffffff8174d3cc
 ffff880015ac7b00 ffff88000804cb00 ffff880032b531c0 ffff880015ac7af0
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<     inline     >] hlist_add_head_rcu ./include/linux/rculist.h:487
 [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
 [<ffffffff8525cc27>] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
 [<ffffffff851df52c>] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
 [<ffffffff84c492fa>] SYSC_bind+0x1ea/0x250 net/socket.c:1367
 [<ffffffff84c4ba34>] SyS_bind+0x24/0x30 net/socket.c:1353
 [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff88000804cb40, in cache UDPv6 size: 1496
Allocated:
PID = 30789
 [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [  378.305168] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [  378.305168] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [  378.305168] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
 [  378.305168] [<     inline     >] slab_alloc_node mm/slub.c:2708
 [  378.305168] [<     inline     >] slab_alloc mm/slub.c:2716
 [  378.305168] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [  378.305168] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [  378.305168] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [  378.305168] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [  378.305168] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
 [  378.305168] [<     inline     >] sock_create net/socket.c:1193
 [  378.305168] [<     inline     >] SYSC_socket net/socket.c:1223
 [  378.305168] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [  378.305168] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 30789
 [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [  378.305168] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [  378.305168] [<     inline     >] slab_free_hook mm/slub.c:1352
 [  378.305168] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
 [  378.305168] [<     inline     >] slab_free mm/slub.c:2951
 [  378.305168] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [  378.305168] [<     inline     >] sk_prot_free net/core/sock.c:1369
 [  378.305168] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [  378.305168] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [  378.305168] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
 [  378.305168] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
 [  378.305168] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [  378.305168] [<ffffffff852569e5>] udp_lib_close+0x15/0x20 ./include/net/udp.h:203
 [  378.305168] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [  378.305168] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [  378.305168] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [  378.305168] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [  378.305168] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [  378.305168] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [  378.305168] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [  378.305168] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [  378.305168] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [  378.376437] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [  378.376437] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [  378.376437] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [  378.376437] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [  378.376437] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [  378.376437] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88000804ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88000804ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                       ^
 ffff88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88000804cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Thanks && Best Regards,
Baozeng Ding


* Re: BUG: KASAN: use-after-free in udp_lib_get_port
  2016-10-16 13:46 BUG: KASAN: use-after-free in udp_lib_get_port Baozeng Ding
@ 2016-10-16 19:53 ` Cong Wang
  2016-10-19  7:36   ` Baozeng Ding
  2016-10-19 15:01   ` Baozeng Ding
  0 siblings, 2 replies; 10+ messages in thread
From: Cong Wang @ 2016-10-16 19:53 UTC (permalink / raw)
  To: Baozeng Ding; +Cc: network dev

On Sun, Oct 16, 2016 at 6:46 AM, Baozeng Ding <sploving1@gmail.com> wrote:
> Hello all,
> While running the syzkaller fuzzer I got the following use-after-free
> bug in udp_lib_get_port. The kernel version is 4.8.0+ (on the Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it.
>
> BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88000804cb60
> Write of size 8 by task syz-executor/31190
> CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>  ffff880015ac7a48 ffffffff829f835b ffff880032b531c0 ffff88000804cb40
>  ffff88000804d250 ffff880017415a4a ffff880015ac7a70 ffffffff8174d3cc
>  ffff880015ac7b00 ffff88000804cb00 ffff880032b531c0 ffff880015ac7af0
> Call Trace:
>  [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
>  [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>  [<     inline     >] print_address_description mm/kasan/report.c:194
>  [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
>  [<     inline     >] kasan_report mm/kasan/report.c:303
>  [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
>  [<     inline     >] hlist_add_head_rcu ./include/linux/rculist.h:487
>  [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
>  [<ffffffff8525cc27>] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
>  [<ffffffff851df52c>] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
>  [<ffffffff84c492fa>] SYSC_bind+0x1ea/0x250 net/socket.c:1367
>  [<ffffffff84c4ba34>] SyS_bind+0x24/0x30 net/socket.c:1353
>  [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6


We should have a reference to this sock via fd and its sock->sk too,
so I fail to see why it could be freed while we are holding this reference.
Maybe a VFS layer bug?

> Object at ffff88000804cb40, in cache UDPv6 size: 1496
> Allocated:
> PID = 30789
>  [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
>  [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
>  [  378.305168] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
>  [  378.305168] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
>  [  378.305168] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
>  [  378.305168] [<     inline     >] slab_alloc_node mm/slub.c:2708
>  [  378.305168] [<     inline     >] slab_alloc mm/slub.c:2716
>  [  378.305168] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
>  [  378.305168] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
>  [  378.305168] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
>  [  378.305168] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
>  [  378.305168] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
>  [  378.305168] [<     inline     >] sock_create net/socket.c:1193
>  [  378.305168] [<     inline     >] SYSC_socket net/socket.c:1223
>  [  378.305168] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
>  [  378.305168] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
> Freed:
> PID = 30789
>  [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
>  [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
>  [  378.305168] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
>  [  378.305168] [<     inline     >] slab_free_hook mm/slub.c:1352
>  [  378.305168] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
>  [  378.305168] [<     inline     >] slab_free mm/slub.c:2951
>  [  378.305168] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
>  [  378.305168] [<     inline     >] sk_prot_free net/core/sock.c:1369
>  [  378.305168] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
>  [  378.305168] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
>  [  378.305168] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
>  [  378.305168] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
>  [  378.305168] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
>  [  378.305168] [<ffffffff852569e5>] udp_lib_close+0x15/0x20 ./include/net/udp.h:203
>  [  378.305168] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
>  [  378.305168] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>  [  378.305168] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
>  [  378.305168] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
>  [  378.305168] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
>  [  378.305168] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
>  [  378.305168] [<ffffffff813774f9>] task_work_run+0xf9/0x170
>  [  378.305168] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
>  [  378.305168] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
>  [  378.376437] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
>  [  378.376437] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
>  [  378.376437] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
>  [  378.376437] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
>  [  378.376437] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
>  [  378.376437] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
> Memory state around the buggy address:
>  ffff88000804ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff88000804ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>ffff88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>                                                        ^
>  ffff88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff88000804cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> Thanks && Best Regards,
> Baozeng Ding


* Re: BUG: KASAN: use-after-free in udp_lib_get_port
  2016-10-16 19:53 ` Cong Wang
@ 2016-10-19  7:36   ` Baozeng Ding
  2016-10-19 15:01   ` Baozeng Ding
  1 sibling, 0 replies; 10+ messages in thread
From: Baozeng Ding @ 2016-10-19  7:36 UTC (permalink / raw)
  To: Cong Wang; +Cc: network dev

Hello all,
I hit some similar bugs again:

BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88002f163c60
Write of size 8 by task syz-executor/13510
CPU: 2 PID: 13510 Comm: syz-executor Not tainted 4.8.0+ #41
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880034ea7a68 ffffffff829f835b ffff88002f488b40 ffff88002f163c40
 ffff88002f164350 ffff88003178154a ffff880034ea7a90 ffffffff8174d3cc
 ffff880034ea7b20 ffff88002f163c00 ffff88002f488b40 ffff880034ea7b10
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 /lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 /mm/kasan/report.c:156
 [<     inline     >] print_address_description /mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 /mm/kasan/report.c:283
 [<     inline     >] kasan_report /mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 /mm/kasan/report.c:329
 [<     inline     >] hlist_add_head_rcu /./include/linux/rculist.h:487
 [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 /net/ipv4/udp.c:345
 [<ffffffff8508b4f9>] udp_v4_get_port+0x139/0x180 /net/ipv4/udp.c:392
 [<ffffffff850b2f7a>] inet_autobind+0xaa/0x180 /net/ipv4/af_inet.c:181
 [<ffffffff850b3181>] inet_dgram_connect+0x131/0x1f0 /net/ipv4/af_inet.c:528
 [<ffffffff84c4959e>] SYSC_connect+0x23e/0x2e0 /net/socket.c:1533
 [<ffffffff84c4bd14>] SyS_connect+0x24/0x30 /net/socket.c:1514
 [<ffffffff85e4d6c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff88002f163c40, in cache UDPv6 size: 1496
Allocated:
PID = 13255
 [ 1773.470431] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.470431] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.470431] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1773.470431] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1773.470431] [<     inline     >] slab_post_alloc_hook /mm/slab.h:417
 [ 1773.470431] [<     inline     >] slab_alloc_node /mm/slub.c:2708
 [ 1773.470431] [<     inline     >] slab_alloc /mm/slub.c:2716
 [ 1773.470431] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 /mm/slub.c:2721
 [ 1773.470431] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 /net/core/sock.c:1326
 [ 1773.470431] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 /net/core/sock.c:1388
 [ 1773.470431] [<ffffffff851ddf77>] inet6_create+0x2d7/0x1000 /net/ipv6/af_inet6.c:182
 [ 1773.470431] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 /net/socket.c:1153
 [ 1773.470431] [<     inline     >] sock_create /net/socket.c:1193
 [ 1773.470431] [<     inline     >] SYSC_socket /net/socket.c:1223
 [ 1773.470431] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 /net/socket.c:1203
 [ 1773.470431] [<ffffffff85e4d6c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13261
 [ 1773.470431] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.470431] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.470431] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1773.470431] [<     inline     >] slab_free_hook /mm/slub.c:1352
 [ 1773.470431] [<     inline     >] slab_free_freelist_hook /mm/slub.c:1374
 [ 1773.470431] [<     inline     >] slab_free /mm/slub.c:2951
 [ 1773.470431] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 /mm/slub.c:2973
 [ 1773.470431] [<     inline     >] sk_prot_free /net/core/sock.c:1369
 [ 1773.470431] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 /net/core/sock.c:1444
 [ 1773.470431] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 /net/core/sock.c:1452
 [ 1773.470431] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 /net/core/sock.c:1460
 [ 1773.470431] [<ffffffff84c5af23>] sk_free+0x23/0x30 /net/core/sock.c:1471
 [ 1773.470431] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 /./include/net/sock.h:1589
 [ 1773.470431] [<ffffffff852569f5>] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [ 1773.470431] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [ 1773.470431] [<ffffffff851dc5aa>] inet6_release+0x5a/0x80 /net/ipv6/af_inet6.c:424
 [ 1773.470431] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 /net/socket.c:570
 [ 1773.470431] [<ffffffff84c45976>] sock_close+0x16/0x20 /net/socket.c:1017
 [ 1773.470431] [<ffffffff817a108c>] __fput+0x28c/0x780 /fs/file_table.c:208
 [ 1773.470431] [<ffffffff817a1605>] ____fput+0x15/0x20 /fs/file_table.c:244
 [ 1773.470431] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1773.470431] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1773.470431] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1773.470431] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [ 1773.470431] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1773.470431] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156
 [ 1773.470431] [<     inline     >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [ 1773.470431] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259
 [ 1773.470431] [<ffffffff85e4d766>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88002f163b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88002f163b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88002f163c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                       ^
 ffff88002f163c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
==================================================================
BUG: KASAN: use-after-free in udp_lib_unhash+0x593/0x660 at addr ffff88002f163c60
Write of size 8 by task syz-executor/13522
CPU: 1 PID: 13522 Comm: syz-executor Tainted: G    B           4.8.0+ #41
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff88002e4e77e0 ffffffff829f835b ffff88002f488b40 ffff88002f163c40
 ffff88002f164350 ffff880031781540 ffff88002e4e7808 ffffffff8174d3cc
 ffff88002e4e7898 ffff88002f163c00 ffff88002f488b40 ffff88002e4e7888
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 /lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 /mm/kasan/report.c:156
 [<     inline     >] print_address_description /mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 /mm/kasan/report.c:283
 [<     inline     >] kasan_report /mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 /mm/kasan/report.c:329
 [<     inline     >] hlist_del_init_rcu /./include/linux/list.h:624
 [<ffffffff85082c83>] udp_lib_unhash+0x593/0x660 /net/ipv4/udp.c:1391
 [<ffffffff84c5c99d>] sk_common_release+0xbd/0x3e0 /net/core/sock.c:2719
 [<ffffffff85083f05>] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 /net/socket.c:570
 [<ffffffff84c45976>] sock_close+0x16/0x20 /net/socket.c:1017
 [<ffffffff817a108c>] __fput+0x28c/0x780 /fs/file_table.c:208
 [<ffffffff817a1605>] ____fput+0x15/0x20 /fs/file_table.c:244
 [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [<ffffffff81348cf7>] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259
 [<ffffffff85e4d766>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff88002f163c40, in cache UDPv6 size: 1496
Allocated:
PID = 13255
 [ 1773.617936] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.617936] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.617936] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1773.617936] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1773.617936] [<     inline     >] slab_post_alloc_hook /mm/slab.h:417
 [ 1773.617936] [<     inline     >] slab_alloc_node /mm/slub.c:2708
 [ 1773.617936] [<     inline     >] slab_alloc /mm/slub.c:2716
 [ 1773.617936] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 /mm/slub.c:2721
 [ 1773.617936] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 /net/core/sock.c:1326
 [ 1773.617936] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 /net/core/sock.c:1388
 [ 1773.617936] [<ffffffff851ddf77>] inet6_create+0x2d7/0x1000 /net/ipv6/af_inet6.c:182
 [ 1773.617936] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 /net/socket.c:1153
 [ 1773.617936] [<     inline     >] sock_create /net/socket.c:1193
 [ 1773.617936] [<     inline     >] SYSC_socket /net/socket.c:1223
 [ 1773.617936] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 /net/socket.c:1203
 [ 1773.617936] [<ffffffff85e4d6c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13261
 [ 1773.617936] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.617936] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.617936] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1773.617936] [<     inline     >] slab_free_hook /mm/slub.c:1352
 [ 1773.617936] [<     inline     >] slab_free_freelist_hook /mm/slub.c:1374
 [ 1773.617936] [<     inline     >] slab_free /mm/slub.c:2951
 [ 1773.617936] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 /mm/slub.c:2973
 [ 1773.617936] [<     inline     >] sk_prot_free /net/core/sock.c:1369
 [ 1773.617936] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 /net/core/sock.c:1444
 [ 1773.617936] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 /net/core/sock.c:1452
 [ 1773.617936] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 /net/core/sock.c:1460
 [ 1773.617936] [<ffffffff84c5af23>] sk_free+0x23/0x30 /net/core/sock.c:1471
 [ 1773.617936] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 /./include/net/sock.h:1589
 [ 1773.617936] [<ffffffff852569f5>] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [ 1773.617936] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [ 1773.617936] [<ffffffff851dc5aa>] inet6_release+0x5a/0x80 /net/ipv6/af_inet6.c:424
 [ 1773.617936] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 /net/socket.c:570
 [ 1773.617936] [<ffffffff84c45976>] sock_close+0x16/0x20 /net/socket.c:1017
 [ 1773.617936] [<ffffffff817a108c>] __fput+0x28c/0x780 /fs/file_table.c:208
 [ 1773.617936] [<ffffffff817a1605>] ____fput+0x15/0x20 /fs/file_table.c:244
 [ 1773.617936] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1773.617936] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1773.617936] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1773.617936] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [ 1773.617936] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1773.617936] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156
 [ 1773.617936] [<     inline     >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [ 1773.617936] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259
 [ 1773.617936] [<ffffffff85e4d766>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88002f163b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88002f163b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88002f163c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                       ^
 ffff88002f163c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Best Regards,
Baozeng Ding

On 2016/10/17 3:53, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 6:46 AM, Baozeng Ding <sploving1@gmail.com> wrote:
>> Hello all,
>> While running the syzkaller fuzzer I got the following use-after-free
>> bug in udp_lib_get_port. The kernel version is 4.8.0+ (on the Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it.
>>
>> BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88000804cb60
>> Write of size 8 by task syz-executor/31190
>> CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>>  ffff880015ac7a48 ffffffff829f835b ffff880032b531c0 ffff88000804cb40
>>  ffff88000804d250 ffff880017415a4a ffff880015ac7a70 ffffffff8174d3cc
>>  ffff880015ac7b00 ffff88000804cb00 ffff880032b531c0 ffff880015ac7af0
>> Call Trace:
>>  [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
>>  [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [<     inline     >] print_address_description mm/kasan/report.c:194
>>  [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
>>  [<     inline     >] kasan_report mm/kasan/report.c:303
>>  [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
>>  [<     inline     >] hlist_add_head_rcu ./include/linux/rculist.h:487
>>  [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
>>  [<ffffffff8525cc27>] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
>>  [<ffffffff851df52c>] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
>>  [<ffffffff84c492fa>] SYSC_bind+0x1ea/0x250 net/socket.c:1367
>>  [<ffffffff84c4ba34>] SyS_bind+0x24/0x30 net/socket.c:1353
>>  [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
> 
> 
> We should have a reference to this sock via fd and its sock->sk too,
> so I fail to see why it could be freed while we are holding this reference.
> Maybe a VFS layer bug?
>
I am not sure. Should I cc the linux kernel dev mailing list?
>> Object at ffff88000804cb40, in cache UDPv6 size: 1496
>> Allocated:
>> PID = 30789
>>  [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
>>  [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
>>  [  378.305168] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
>>  [  378.305168] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
>>  [  378.305168] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
>>  [  378.305168] [<     inline     >] slab_alloc_node mm/slub.c:2708
>>  [  378.305168] [<     inline     >] slab_alloc mm/slub.c:2716
>>  [  378.305168] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
>>  [  378.305168] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
>>  [  378.305168] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
>>  [  378.305168] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
>>  [  378.305168] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
>>  [  378.305168] [<     inline     >] sock_create net/socket.c:1193
>>  [  378.305168] [<     inline     >] SYSC_socket net/socket.c:1223
>>  [  378.305168] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
>>  [  378.305168] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
>> Freed:
>> PID = 30789
>>  [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
>>  [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
>>  [  378.305168] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
>>  [  378.305168] [<     inline     >] slab_free_hook mm/slub.c:1352
>>  [  378.305168] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
>>  [  378.305168] [<     inline     >] slab_free mm/slub.c:2951
>>  [  378.305168] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
>>  [  378.305168] [<     inline     >] sk_prot_free net/core/sock.c:1369
>>  [  378.305168] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
>>  [  378.305168] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
>>  [  378.305168] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
>>  [  378.305168] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
>>  [  378.305168] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
>>  [  378.305168] [<ffffffff852569e5>] udp_lib_close+0x15/0x20 ./include/net/udp.h:203
>>  [  378.305168] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
>>  [  378.305168] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>>  [  378.305168] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
>>  [  378.305168] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
>>  [  378.305168] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
>>  [  378.305168] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
>>  [  378.305168] [<ffffffff813774f9>] task_work_run+0xf9/0x170
>>  [  378.305168] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
>>  [  378.305168] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
>>  [  378.376437] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
>>  [  378.376437] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
>>  [  378.376437] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
>>  [  378.376437] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
>>  [  378.376437] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
>>  [  378.376437] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
>> Memory state around the buggy address:
>>  ffff88000804ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>  ffff88000804ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>>                                                        ^
>>  ffff88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff88000804cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>> Thanks && Best Regards,
>> Baozeng Ding

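As an added triage aid (not code from this thread or from the kernel tree), the Python below parses a KASAN slab use-after-free report in the format shown above and pulls out what a reviewer checks first: the offset of the faulting write inside the object, the first non-instrumentation frame on each stack, the syscall on the access path, whether the free happened in a task other than the allocating one (as in the second report, PID 13255 vs 13261), and what the shadow byte at the faulting address says. The sample input is the first report in this thread trimmed to a few frames per stack; the function names are mine, and the shadow-byte meanings are those of the 4.8-era KASAN.

```python
import re

# Line patterns of the KASAN report format shown in this thread (4.8-era kernel).
_HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                     r" at addr (?P<addr>[0-9a-f]+)")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<comm>\S+)/(?P<pid>\d+)")
_OBJECT = re.compile(r"Object at (?P<base>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
_PID = re.compile(r"PID = (?P<pid>\d+)")
_FRAME = re.compile(r"\[<[^>]*>\]\s+(?P<func>[A-Za-z_]\w*)")
_SHADOW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})\s*$")
# Frames that belong to KASAN or the slab allocator, not to the code that has the bug.
_NOISE = re.compile(r"^(dump_stack|kasan_|__asan_|print_address_description|save_stack"
                    r"|slab_|kmem_cache_)")
# Shadow-byte values from mm/kasan/kasan.h of that era; 0xfb is what a slab UAF shows.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xff: "freed page"}


def parse_kasan_report(text):
    """Parse one report into a dict; the three stacks become lists of function names."""
    rep = {"access_stack": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for line in text.splitlines():
        if m := _HEADER.search(line):
            rep.update(kind=m["kind"], site=m["site"], addr=int(m["addr"], 16))
        elif m := _ACCESS.search(line):
            rep.update(op=m["op"], size=int(m["size"]), comm=m["comm"], pid=int(m["pid"]))
        elif m := _OBJECT.search(line):
            rep.update(obj_base=int(m["base"], 16), cache=m["cache"], obj_size=int(m["size"]))
        elif line.startswith("Call Trace:"):
            section = "access"
        elif line.startswith("Allocated:"):
            section = "alloc"
        elif line.startswith("Freed:"):
            section = "free"
        elif line.startswith("Memory state"):
            section = "shadow"
        elif section == "shadow" and (m := _SHADOW.match(line)):
            rep["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif section in ("alloc", "free") and (m := _PID.search(line)):
            rep[section + "_pid"] = int(m["pid"])
        elif section in ("access", "alloc", "free") and (m := _FRAME.search(line)):
            rep[section + "_stack"].append(m["func"])
    return rep


def first_real_frame(stack):
    """First frame that is not KASAN/allocator instrumentation."""
    return next((f for f in stack if not _NOISE.match(f)), None)


def shadow_byte(rep):
    """Shadow byte covering the faulting address: one byte per 8 bytes, 16 bytes per row."""
    for base, row in rep["shadow"].items():
        if base <= rep["addr"] < base + 8 * len(row):
            return row[(rep["addr"] - base) // 8]
    return None


def triage(rep):
    """The facts to check first when reading a slab use-after-free report."""
    return {
        "object_offset": rep["addr"] - rep["obj_base"],      # which field was touched
        "faulting_frame": first_real_frame(rep["access_stack"]),
        "syscall": next((f for f in rep["access_stack"] if f.startswith("SyS_")), None),
        "shadow": SHADOW_MEANING.get(shadow_byte(rep), "unknown"),
        "allocated_via": first_real_frame(rep["alloc_stack"]),
        "freed_via": first_real_frame(rep["free_stack"]),
        "freed_during_exit": "do_exit" in rep["free_stack"],  # fd table torn down on exit
        "freed_by_allocator_task": rep["alloc_pid"] == rep["free_pid"],  # else sock is shared
    }


# Constructed sample: the first report in this thread, trimmed to a few frames per stack.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88000804cb60
Write of size 8 by task syz-executor/31190
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<     inline     >] hlist_add_head_rcu ./include/linux/rculist.h:487
 [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
 [<ffffffff84c4ba34>] SyS_bind+0x24/0x30 net/socket.c:1353
Object at ffff88000804cb40, in cache UDPv6 size: 1496
Allocated:
PID = 30789
 [  378.305168] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [  378.305168] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [  378.305168] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
Freed:
PID = 30789
 [  378.305168] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [  378.305168] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [  378.305168] [<     inline     >] sk_prot_free net/core/sock.c:1369
 [  378.305168] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [  378.305168] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
Memory state around the buggy address:
>ffff88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Run `triage(parse_kasan_report(SAMPLE_REPORT))` to get the summary; on the first report it shows the write landing 0x20 bytes into a sock whose shadow is already 0xfb, freed by sk_prot_free on the allocating task's exit path.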

* Re: BUG: KASAN: use-after-free in udp_lib_get_port
  2016-10-16 19:53 ` Cong Wang
  2016-10-19  7:36   ` Baozeng Ding
@ 2016-10-19 15:01   ` Baozeng Ding
  2016-10-20  6:25     ` Eric Dumazet
  1 sibling, 1 reply; 10+ messages in thread
From: Baozeng Ding @ 2016-10-19 15:01 UTC (permalink / raw)
  To: Cong Wang; +Cc: network dev, linux-kernel

Hello all,
I have got some similar bugs again (on the Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0):

BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88002f163c60
Write of size 8 by task syz-executor/13510
CPU: 2 PID: 13510 Comm: syz-executor Not tainted 4.8.0+ #41
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880034ea7a68 ffffffff829f835b ffff88002f488b40 ffff88002f163c40
 ffff88002f164350 ffff88003178154a ffff880034ea7a90 ffffffff8174d3cc
 ffff880034ea7b20 ffff88002f163c00 ffff88002f488b40 ffff880034ea7b10
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 /lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 /mm/kasan/report.c:156
 [<     inline     >] print_address_description /mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 /mm/kasan/report.c:283
 [<     inline     >] kasan_report /mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 /mm/kasan/report.c:329
 [<     inline     >] hlist_add_head_rcu /./include/linux/rculist.h:487
 [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 /net/ipv4/udp.c:345
 [<ffffffff8508b4f9>] udp_v4_get_port+0x139/0x180 /net/ipv4/udp.c:392
 [<ffffffff850b2f7a>] inet_autobind+0xaa/0x180 /net/ipv4/af_inet.c:181
 [<ffffffff850b3181>] inet_dgram_connect+0x131/0x1f0 /net/ipv4/af_inet.c:528
 [<ffffffff84c4959e>] SYSC_connect+0x23e/0x2e0 /net/socket.c:1533
 [<ffffffff84c4bd14>] SyS_connect+0x24/0x30 /net/socket.c:1514
 [<ffffffff85e4d6c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff88002f163c40, in cache UDPv6 size: 1496
Allocated:
PID = 13255
 [ 1773.470431] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.470431] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.470431] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1773.470431] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1773.470431] [<     inline     >] slab_post_alloc_hook /mm/slab.h:417
 [ 1773.470431] [<     inline     >] slab_alloc_node /mm/slub.c:2708
 [ 1773.470431] [<     inline     >] slab_alloc /mm/slub.c:2716
 [ 1773.470431] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 /mm/slub.c:2721
 [ 1773.470431] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 /net/core/sock.c:1326
 [ 1773.470431] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 /net/core/sock.c:1388
 [ 1773.470431] [<ffffffff851ddf77>] inet6_create+0x2d7/0x1000 /net/ipv6/af_inet6.c:182
 [ 1773.470431] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 /net/socket.c:1153
 [ 1773.470431] [<     inline     >] sock_create /net/socket.c:1193
 [ 1773.470431] [<     inline     >] SYSC_socket /net/socket.c:1223
 [ 1773.470431] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 /net/socket.c:1203
 [ 1773.470431] [<ffffffff85e4d6c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13261
 [ 1773.470431] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.470431] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.470431] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1773.470431] [<     inline     >] slab_free_hook /mm/slub.c:1352
 [ 1773.470431] [<     inline     >] slab_free_freelist_hook /mm/slub.c:1374
 [ 1773.470431] [<     inline     >] slab_free /mm/slub.c:2951
 [ 1773.470431] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 /mm/slub.c:2973
 [ 1773.470431] [<     inline     >] sk_prot_free /net/core/sock.c:1369
 [ 1773.470431] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 /net/core/sock.c:1444
 [ 1773.470431] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 /net/core/sock.c:1452
 [ 1773.470431] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 /net/core/sock.c:1460
 [ 1773.470431] [<ffffffff84c5af23>] sk_free+0x23/0x30 /net/core/sock.c:1471
 [ 1773.470431] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 /./include/net/sock.h:1589
 [ 1773.470431] [<ffffffff852569f5>] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [ 1773.470431] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [ 1773.470431] [<ffffffff851dc5aa>] inet6_release+0x5a/0x80 /net/ipv6/af_inet6.c:424
 [ 1773.470431] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 /net/socket.c:570
 [ 1773.470431] [<ffffffff84c45976>] sock_close+0x16/0x20 /net/socket.c:1017
 [ 1773.470431] [<ffffffff817a108c>] __fput+0x28c/0x780 /fs/file_table.c:208
 [ 1773.470431] [<ffffffff817a1605>] ____fput+0x15/0x20 /fs/file_table.c:244
 [ 1773.470431] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1773.470431] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1773.470431] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1773.470431] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [ 1773.470431] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1773.470431] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156
 [ 1773.470431] [<     inline     >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [ 1773.470431] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259
 [ 1773.470431] [<ffffffff85e4d766>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88002f163b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88002f163b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88002f163c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                       ^
 ffff88002f163c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
==================================================================
BUG: KASAN: use-after-free in udp_lib_unhash+0x593/0x660 at addr ffff88002f163c60
Write of size 8 by task syz-executor/13522
CPU: 1 PID: 13522 Comm: syz-executor Tainted: G    B           4.8.0+ #41
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff88002e4e77e0 ffffffff829f835b ffff88002f488b40 ffff88002f163c40
 ffff88002f164350 ffff880031781540 ffff88002e4e7808 ffffffff8174d3cc
 ffff88002e4e7898 ffff88002f163c00 ffff88002f488b40 ffff88002e4e7888
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 /lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 /mm/kasan/report.c:156
 [<     inline     >] print_address_description /mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 /mm/kasan/report.c:283
 [<     inline     >] kasan_report /mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 /mm/kasan/report.c:329
 [<     inline     >] hlist_del_init_rcu /./include/linux/list.h:624
 [<ffffffff85082c83>] udp_lib_unhash+0x593/0x660 /net/ipv4/udp.c:1391
 [<ffffffff84c5c99d>] sk_common_release+0xbd/0x3e0 /net/core/sock.c:2719
 [<ffffffff85083f05>] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 /net/socket.c:570
 [<ffffffff84c45976>] sock_close+0x16/0x20 /net/socket.c:1017
 [<ffffffff817a108c>] __fput+0x28c/0x780 /fs/file_table.c:208
 [<ffffffff817a1605>] ____fput+0x15/0x20 /fs/file_table.c:244
 [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [<ffffffff81348cf7>] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259
 [<ffffffff85e4d766>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff88002f163c40, in cache UDPv6 size: 1496
Allocated:
PID = 13255
 [ 1773.617936] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.617936] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.617936] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1773.617936] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1773.617936] [<     inline     >] slab_post_alloc_hook /mm/slab.h:417
 [ 1773.617936] [<     inline     >] slab_alloc_node /mm/slub.c:2708
 [ 1773.617936] [<     inline     >] slab_alloc /mm/slub.c:2716
 [ 1773.617936] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 /mm/slub.c:2721
 [ 1773.617936] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 /net/core/sock.c:1326
 [ 1773.617936] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 /net/core/sock.c:1388
 [ 1773.617936] [<ffffffff851ddf77>] inet6_create+0x2d7/0x1000 /net/ipv6/af_inet6.c:182
 [ 1773.617936] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 /net/socket.c:1153
 [ 1773.617936] [<     inline     >] sock_create /net/socket.c:1193
 [ 1773.617936] [<     inline     >] SYSC_socket /net/socket.c:1223
 [ 1773.617936] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 /net/socket.c:1203
 [ 1773.617936] [<ffffffff85e4d6c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13261
 [ 1773.617936] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1773.617936] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1773.617936] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1773.617936] [<     inline     >] slab_free_hook /mm/slub.c:1352
 [ 1773.617936] [<     inline     >] slab_free_freelist_hook /mm/slub.c:1374
 [ 1773.617936] [<     inline     >] slab_free /mm/slub.c:2951
 [ 1773.617936] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 /mm/slub.c:2973
 [ 1773.617936] [<     inline     >] sk_prot_free /net/core/sock.c:1369
 [ 1773.617936] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 /net/core/sock.c:1444
 [ 1773.617936] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 /net/core/sock.c:1452
 [ 1773.617936] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 /net/core/sock.c:1460
 [ 1773.617936] [<ffffffff84c5af23>] sk_free+0x23/0x30 /net/core/sock.c:1471
 [ 1773.617936] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 /./include/net/sock.h:1589
 [ 1773.617936] [<ffffffff852569f5>] udp_lib_close+0x15/0x20 /./include/net/udp.h:203
 [ 1773.617936] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 /net/ipv4/af_inet.c:415
 [ 1773.617936] [<ffffffff851dc5aa>] inet6_release+0x5a/0x80 /net/ipv6/af_inet6.c:424
 [ 1773.617936] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 /net/socket.c:570
 [ 1773.617936] [<ffffffff84c45976>] sock_close+0x16/0x20 /net/socket.c:1017
 [ 1773.617936] [<ffffffff817a108c>] __fput+0x28c/0x780 /fs/file_table.c:208
 [ 1773.617936] [<ffffffff817a1605>] ____fput+0x15/0x20 /fs/file_table.c:244
 [ 1773.617936] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1773.617936] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1773.617936] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1773.617936] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 /kernel/signal.c:2307
 [ 1773.617936] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1773.617936] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 /arch/x86/entry/common.c:156
 [ 1773.617936] [<     inline     >] prepare_exit_to_usermode /arch/x86/entry/common.c:190
 [ 1773.617936] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 /arch/x86/entry/common.c:259
 [ 1773.617936] [<ffffffff85e4d766>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88002f163b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88002f163b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88002f163c00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                       ^
 ffff88002f163c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Best Regards,
Baozeng Ding

On 2016/10/17 3:53, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 6:46 AM, Baozeng Ding <sploving1@gmail.com> wrote:
>> Hello all,
>> While running syzkaller fuzzer I have got the following use-after-free
>> bug in udp_lib_get_port. The kernel version is 4.8.0+ (on Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a reproducer for it.
>>
>> BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr ffff88000804cb60
>> Write of size 8 by task syz-executor/31190
>> CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>>  ffff880015ac7a48 ffffffff829f835b ffff880032b531c0 ffff88000804cb40
>>  ffff88000804d250 ffff880017415a4a ffff880015ac7a70 ffffffff8174d3cc
>>  ffff880015ac7b00 ffff88000804cb00 ffff880032b531c0 ffff880015ac7af0
>> Call Trace:
>>  [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
>>  [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [<     inline     >] print_address_description mm/kasan/report.c:194
>>  [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
>>  [<     inline     >] kasan_report mm/kasan/report.c:303
>>  [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
>>  [<     inline     >] hlist_add_head_rcu ./include/linux/rculist.h:487
>>  [<ffffffff850866e3>] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
>>  [<ffffffff8525cc27>] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
>>  [<ffffffff851df52c>] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
>>  [<ffffffff84c492fa>] SYSC_bind+0x1ea/0x250 net/socket.c:1367
>>  [<ffffffff84c4ba34>] SyS_bind+0x24/0x30 net/socket.c:1353
>>  [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
> 
> 
> We should have a reference to this sock via fd and its sock->sk too,
> so I fail to see why it could be freed while we holding this reference.
> Maybe a VFS layer bug?
> 
>> Object at ffff88000804cb40, in cache UDPv6 size: 1496
>> Allocated:
>> PID = 30789
>>  [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
>>  [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
>>  [  378.305168] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
>>  [  378.305168] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
>>  [  378.305168] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
>>  [  378.305168] [<     inline     >] slab_alloc_node mm/slub.c:2708
>>  [  378.305168] [<     inline     >] slab_alloc mm/slub.c:2716
>>  [  378.305168] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
>>  [  378.305168] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
>>  [  378.305168] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
>>  [  378.305168] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
>>  [  378.305168] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
>>  [  378.305168] [<     inline     >] sock_create net/socket.c:1193
>>  [  378.305168] [<     inline     >] SYSC_socket net/socket.c:1223
>>  [  378.305168] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
>>  [  378.305168] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
>> Freed:
>> PID = 30789
>>  [  378.305168] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
>>  [  378.305168] [<ffffffff8174c736>] save_stack+0x46/0xd0
>>  [  378.305168] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
>>  [  378.305168] [<     inline     >] slab_free_hook mm/slub.c:1352
>>  [  378.305168] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
>>  [  378.305168] [<     inline     >] slab_free mm/slub.c:2951
>>  [  378.305168] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
>>  [  378.305168] [<     inline     >] sk_prot_free net/core/sock.c:1369
>>  [  378.305168] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
>>  [  378.305168] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
>>  [  378.305168] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
>>  [  378.305168] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
>>  [  378.305168] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
>>  [  378.305168] [<ffffffff852569e5>] udp_lib_close+0x15/0x20 ./include/net/udp.h:203
>>  [  378.305168] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
>>  [  378.305168] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>>  [  378.305168] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
>>  [  378.305168] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
>>  [  378.305168] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
>>  [  378.305168] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
>>  [  378.305168] [<ffffffff813774f9>] task_work_run+0xf9/0x170
>>  [  378.305168] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
>>  [  378.305168] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
>>  [  378.376437] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
>>  [  378.376437] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
>>  [  378.376437] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
>>  [  378.376437] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
>>  [  378.376437] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
>>  [  378.376437] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
>> Memory state around the buggy address:
>>  ffff88000804ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>  ffff88000804ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff88000804cb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>>                                                        ^
>>  ffff88000804cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff88000804cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>> Thanks && Best Regards,
>> Baozeng Ding


* Re: BUG: KASAN: use-after-free in udp_lib_get_port
  2016-10-19 15:01   ` Baozeng Ding
@ 2016-10-20  6:25     ` Eric Dumazet
  2016-10-20 16:39       ` [PATCH net] udp: must lock the socket in udp_disconnect() Eric Dumazet
  0 siblings, 1 reply; 10+ messages in thread
From: Eric Dumazet @ 2016-10-20  6:25 UTC (permalink / raw)
  To: Baozeng Ding; +Cc: Cong Wang, network dev, linux-kernel

On Wed, 2016-10-19 at 23:01 +0800, Baozeng Ding wrote:
> Hello all,
> I have got some similar bugs again (on Oct 7 commit d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0):


Thanks for the reports, but please, there is no need to send duplicates.

I have an idea of the problem, will send a patch asap, after a bit of
sleep.


* [PATCH net] udp: must lock the socket in udp_disconnect()
  2016-10-20  6:25     ` Eric Dumazet
@ 2016-10-20 16:39       ` Eric Dumazet
  2016-10-20 18:46         ` David Miller
  2016-10-21  1:12         ` Cong Wang
  0 siblings, 2 replies; 10+ messages in thread
From: Eric Dumazet @ 2016-10-20 16:39 UTC (permalink / raw)
  To: Baozeng Ding, David Miller; +Cc: network dev

From: Eric Dumazet <edumazet@google.com>

Baozeng Ding reported KASAN traces showing uses after free in
udp_lib_get_port() and other related UDP functions.

A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.

I could write a reproducer with two threads doing:

static int sock_fd;
static void *thr1(void *arg)
{
	for (;;) {
		connect(sock_fd, (const struct sockaddr *)arg,
			sizeof(struct sockaddr_in));
	}
}

static void *thr2(void *arg)
{
	struct sockaddr_in unspec;

	for (;;) {
		memset(&unspec, 0, sizeof(unspec));
		connect(sock_fd, (const struct sockaddr *)&unspec,
			sizeof(unspec));
	}
}

Problem is that udp_disconnect() could run without holding socket lock,
and this was causing list corruptions.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Baozeng Ding <sploving1@gmail.com>
---
 include/net/udp.h   |    1 +
 net/ipv4/ping.c     |    2 +-
 net/ipv4/raw.c      |    2 +-
 net/ipv4/udp.c      |   13 +++++++++++--
 net/ipv6/ping.c     |    2 +-
 net/ipv6/raw.c      |    2 +-
 net/l2tp/l2tp_ip.c  |    2 +-
 net/l2tp/l2tp_ip6.c |    2 +-
 8 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/include/net/udp.h b/include/net/udp.h
index ea53a87d880f..4948790d393d 100644
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -258,6 +258,7 @@ void udp_flush_pending_frames(struct sock *sk);
 void udp4_hwcsum(struct sk_buff *skb, __be32 src, __be32 dst);
 int udp_rcv(struct sk_buff *skb);
 int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
+int __udp_disconnect(struct sock *sk, int flags);
 int udp_disconnect(struct sock *sk, int flags);
 unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait);
 struct sk_buff *skb_udp_tunnel_segment(struct sk_buff *skb,
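Review bot: the header now exports two prototypes that differ only by a leading underscore, with nothing saying which one expects the caller to hold the socket lock; add a comment above `int __udp_disconnect(struct sock *sk, int flags);` stating that it must be called with the socket locked and that `udp_disconnect()` is the wrapper that takes the lock itself, otherwise the next protocol author picking a ->disconnect callback by name will choose the wrong one.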
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 7cf7d6e380c2..205e2000d395 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -994,7 +994,7 @@ struct proto ping_prot = {
 	.init =		ping_init_sock,
 	.close =	ping_close,
 	.connect =	ip4_datagram_connect,
-	.disconnect =	udp_disconnect,
+	.disconnect =	__udp_disconnect,
 	.setsockopt =	ip_setsockopt,
 	.getsockopt =	ip_getsockopt,
 	.sendmsg =	ping_v4_sendmsg,
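Review bot: this hunk leaves ping's ->disconnect on the variant that does not take the socket lock while the patch title says udp_disconnect() must lock the socket, and the commit message does not explain why ping (and raw and l2tp in the hunks below) is exempt; one sentence in the commit message saying what serialises ping's hash table instead is needed, since a reviewer reading only `.disconnect =	__udp_disconnect,` next to `.connect =	ip4_datagram_connect,` will ask exactly that.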
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 90a85c955872..ecbe5a7c2d6d 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -918,7 +918,7 @@ struct proto raw_prot = {
 	.close		   = raw_close,
 	.destroy	   = raw_destroy,
 	.connect	   = ip4_datagram_connect,
-	.disconnect	   = udp_disconnect,
+	.disconnect	   = __udp_disconnect,
 	.ioctl		   = raw_ioctl,
 	.init		   = raw_init,
 	.setsockopt	   = raw_setsockopt,
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 7d96dc2d3d08..311613e413cb 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1345,7 +1345,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
 	goto try_again;
 }
 
-int udp_disconnect(struct sock *sk, int flags)
+int __udp_disconnect(struct sock *sk, int flags)
 {
 	struct inet_sock *inet = inet_sk(sk);
 	/*
@@ -1367,6 +1367,15 @@ int udp_disconnect(struct sock *sk, int flags)
 	sk_dst_reset(sk);
 	return 0;
 }
+EXPORT_SYMBOL(__udp_disconnect);
+
+int udp_disconnect(struct sock *sk, int flags)
+{
+	lock_sock(sk);
+	__udp_disconnect(sk, flags);
+	release_sock(sk);
+	return 0;
+}
 EXPORT_SYMBOL(udp_disconnect);
 
 void udp_lib_unhash(struct sock *sk)
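Review bot: the new `udp_disconnect()` wrapper discards the result of `__udp_disconnect(sk, flags);` and returns a hard-coded 0; that is correct today only because the body above ends in `return 0;`, and it will silently mask an error if `__udp_disconnect()` ever gains a failure path. Prefer capturing the value before `release_sock(sk);` and returning it. Also worth stating in the commit message: lock_sock() is not recursive, so any caller of udp_disconnect() that already holds the socket lock and was not converted in this patch now self-deadlocks instead of racing, which makes the search for remaining callers part of the review and of any -stable backport.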
@@ -2193,7 +2202,7 @@ int udp_abort(struct sock *sk, int err)
 
 	sk->sk_err = err;
 	sk->sk_error_report(sk);
-	udp_disconnect(sk, 0);
+	__udp_disconnect(sk, 0);
 
 	release_sock(sk);
 
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index 0e983b694ee8..66e2d9dfc43a 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -180,7 +180,7 @@ struct proto pingv6_prot = {
 	.init =		ping_init_sock,
 	.close =	ping_close,
 	.connect =	ip6_datagram_connect_v6_only,
-	.disconnect =	udp_disconnect,
+	.disconnect =	__udp_disconnect,
 	.setsockopt =	ipv6_setsockopt,
 	.getsockopt =	ipv6_getsockopt,
 	.sendmsg =	ping_v6_sendmsg,
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 54404f08efcc..054a1d84fc5e 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -1241,7 +1241,7 @@ struct proto rawv6_prot = {
 	.close		   = rawv6_close,
 	.destroy	   = raw6_destroy,
 	.connect	   = ip6_datagram_connect_v6_only,
-	.disconnect	   = udp_disconnect,
+	.disconnect	   = __udp_disconnect,
 	.ioctl		   = rawv6_ioctl,
 	.init		   = rawv6_init_sk,
 	.setsockopt	   = rawv6_setsockopt,
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 42de4ccd159f..fce25afb652a 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -338,7 +338,7 @@ static int l2tp_ip_disconnect(struct sock *sk, int flags)
 	if (sock_flag(sk, SOCK_ZAPPED))
 		return 0;
 
-	return udp_disconnect(sk, flags);
+	return __udp_disconnect(sk, flags);
 }
 
 static int l2tp_ip_getname(struct socket *sock, struct sockaddr *uaddr,
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index ea2ae6664cc8..ad3468c32b53 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -410,7 +410,7 @@ static int l2tp_ip6_disconnect(struct sock *sk, int flags)
 	if (sock_flag(sk, SOCK_ZAPPED))
 		return 0;
 
-	return udp_disconnect(sk, flags);
+	return __udp_disconnect(sk, flags);
 }
 
 static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,


* Re: [PATCH net] udp: must lock the socket in udp_disconnect()
  2016-10-20 16:39       ` [PATCH net] udp: must lock the socket in udp_disconnect() Eric Dumazet
@ 2016-10-20 18:46         ` David Miller
  2016-10-20 20:44           ` Eric Dumazet
  2016-10-21  1:12         ` Cong Wang
  1 sibling, 1 reply; 10+ messages in thread
From: David Miller @ 2016-10-20 18:46 UTC (permalink / raw)
  To: eric.dumazet; +Cc: sploving1, netdev

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 20 Oct 2016 09:39:40 -0700

> From: Eric Dumazet <edumazet@google.com>
> 
> Baozeng Ding reported KASAN traces showing uses after free in
> udp_lib_get_port() and other related UDP functions.
> 
> A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
> 
> I could write a reproducer with two threads doing:
> 
> static int sock_fd;
> static void *thr1(void *arg)
> {
> 	for (;;) {
> 		connect(sock_fd, (const struct sockaddr *)arg,
> 			sizeof(struct sockaddr_in));
> 	}
> }
> 
> static void *thr2(void *arg)
> {
> 	struct sockaddr_in unspec;
> 
> 	for (;;) {
> 		memset(&unspec, 0, sizeof(unspec));
> 		connect(sock_fd, (const struct sockaddr *)&unspec,
> 			sizeof(unspec));
> 	}
> }
> 
> Problem is that udp_disconnect() could run without holding socket lock,
> and this was causing list corruptions.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Baozeng Ding <sploving1@gmail.com>

Applied; sounds like I should queue this up for -stable too, right?


* Re: [PATCH net] udp: must lock the socket in udp_disconnect()
  2016-10-20 18:46         ` David Miller
@ 2016-10-20 20:44           ` Eric Dumazet
  0 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2016-10-20 20:44 UTC (permalink / raw)
  To: David Miller; +Cc: sploving1, netdev

On Thu, 2016-10-20 at 14:46 -0400, David Miller wrote:

> 
> Applied, sounds like I should queue this up for -stable too right?

Yes, I believe all stable versions have this bug.
Thanks.


* Re: [PATCH net] udp: must lock the socket in udp_disconnect()
  2016-10-20 16:39       ` [PATCH net] udp: must lock the socket in udp_disconnect() Eric Dumazet
  2016-10-20 18:46         ` David Miller
@ 2016-10-21  1:12         ` Cong Wang
  2016-10-21  2:09           ` Eric Dumazet
  1 sibling, 1 reply; 10+ messages in thread
From: Cong Wang @ 2016-10-21  1:12 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Baozeng Ding, David Miller, network dev

On Thu, Oct 20, 2016 at 9:39 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> Baozeng Ding reported KASAN traces showing uses after free in
> udp_lib_get_port() and other related UDP functions.
>
> A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
>
> I could write a reproducer with two threads doing:
>
> static int sock_fd;
> static void *thr1(void *arg)
> {
>         for (;;) {
>                 connect(sock_fd, (const struct sockaddr *)arg,
>                         sizeof(struct sockaddr_in));
>         }
> }
>
> static void *thr2(void *arg)
> {
>         struct sockaddr_in unspec;
>
>         for (;;) {
>                 memset(&unspec, 0, sizeof(unspec));
>                 connect(sock_fd, (const struct sockaddr *)&unspec,
>                         sizeof(unspec));
>         }
> }
>
> Problem is that udp_disconnect() could run without holding socket lock,
> and this was causing list corruptions.

If this is the cause of the hashlist corruption (I am still unsure about this),
then why only UDP? Don't all of those using ip4_datagram_connect()
as ->connect() and using udp_disconnect() as ->disconnect() need this fix?

For example, after your patch,

        .connect =      ip4_datagram_connect,
-       .disconnect =   udp_disconnect,
+       .disconnect =   __udp_disconnect,

Ping socket still doesn't have sock lock for ->disconnect() but has it for
->connect()? I must be missing something...


* Re: [PATCH net] udp: must lock the socket in udp_disconnect()
  2016-10-21  1:12         ` Cong Wang
@ 2016-10-21  2:09           ` Eric Dumazet
  0 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2016-10-21  2:09 UTC (permalink / raw)
  To: Cong Wang; +Cc: Baozeng Ding, David Miller, network dev

On Thu, 2016-10-20 at 18:12 -0700, Cong Wang wrote:

> If this is the cause of the hashlist corruption (I am still unsure about this),
> then why only UDP? Don't all of those using ip4_datagram_connect()
> as ->connect() and using udp_disconnect() as ->disconnect() need this fix?
> 
> For example, after your patch,
> 
>         .connect =      ip4_datagram_connect,
> -       .disconnect =   udp_disconnect,
> +       .disconnect =   __udp_disconnect,
> 
> Ping socket still doesn't have sock lock for ->disconnect() but has it for
> ->connect()? I must miss something...

ping is less complex; it is protected by a single ping_table.lock.

While UDP has to maintain two hash chains with many locks, and has to
handle rehash(), because autobind happens before the full 4-tuple is set up.

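The following is an added example, not code from this thread or from the kernel tree. It serves two passages above: the two-thread reproducer in Eric's patch description, and his last remark that UDP autobind happens before the full 4-tuple is set up. From user space the two racing paths are visible through getsockname()/getpeername(): connect(fd, peer) on an unbound UDP socket autobinds (inet_dgram_connect() -> inet_autobind() -> udp_lib_get_port(), the hlist insert in the KASAN traces), and connect(fd, AF_UNSPEC) goes to ->disconnect(), which unhashes the socket and releases the autobound port (the hlist delete in the second trace). udp_connect_cycle_demo() walks one socket through those states, and run_race() is a time-bounded form of the reproducer. All function names are mine; the peer 127.0.0.1:9 is an arbitrary choice, since connect() on a UDP socket sends nothing and only records the destination. On a kernel with the fix the race loop is harmless; on an unfixed kernel it is the pattern that produced the reports in this thread.

```c
/*
 * Added example, not code from the thread or the kernel tree: the two
 * operations that raced in this report, observed from user space.
 *   connect(fd, peer)      -> inet_dgram_connect() autobinds: udp_lib_get_port()
 *   connect(fd, AF_UNSPEC) -> inet_dgram_connect() -> ->disconnect(): unhash
 * Peer 127.0.0.1:9 is an arbitrary choice; connect() on UDP sends nothing.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <pthread.h>
#include <sys/socket.h>
#include <unistd.h>

static int sock_fd;
static volatile int stop_race;

/* AF_INET: loopback peer. AF_UNSPEC: the zeroed address that disconnects. */
static struct sockaddr_in make_addr(sa_family_t family)
{
	struct sockaddr_in a = { .sin_family = family };
	if (family == AF_INET) {
		a.sin_port = htons(9);
		a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	}
	return a;
}

/* Port from getsockname() (peer == 0) or getpeername() (peer == 1).
 * 0 means no local port is bound; -1 means the call failed, which for
 * getpeername() on a UDP socket without a peer is ENOTCONN. */
static int sock_port(int fd, int peer)
{
	struct sockaddr_in a;
	socklen_t len = sizeof(a);
	int rc = peer ? getpeername(fd, (struct sockaddr *)&a, &len)
		      : getsockname(fd, (struct sockaddr *)&a, &len);
	return rc < 0 ? -1 : ntohs(a.sin_port);
}

/* Unbound -> autobound and connected -> disconnected. 0 on success, else -step. */
int udp_connect_cycle_demo(void)
{
	struct sockaddr_in peer = make_addr(AF_INET), unspec = make_addr(AF_UNSPEC);
	int fd = socket(AF_INET, SOCK_DGRAM, 0), step;
	if (fd < 0)
		return -1;
	if (sock_port(fd, 0) != 0 || sock_port(fd, 1) != -1)
		step = -2;	/* fresh socket: no local port, no peer */
	else if (connect(fd, (struct sockaddr *)&peer, sizeof(peer)) < 0 ||
		 sock_port(fd, 0) <= 0 || sock_port(fd, 1) != 9)
		step = -3;	/* connect() autobound a port and recorded the peer */
	else if (connect(fd, (struct sockaddr *)&unspec, sizeof(unspec)) < 0 ||
		 sock_port(fd, 0) != 0 || sock_port(fd, 1) != -1)
		step = -4;	/* AF_UNSPEC unhashed the socket and released the port */
	else
		step = 0;
	close(fd);
	return step;
}

/* Each racing thread hammers connect() with its own address. */
static void *connect_loop(void *arg)
{
	while (!stop_race)
		connect(sock_fd, (const struct sockaddr *)arg,
			sizeof(struct sockaddr_in));
	return NULL;
}

/* Time-bounded form of the patch's reproducer: connect(peer) races
 * connect(AF_UNSPEC) on one socket. Returns 0 when both threads ran. */
int run_race(unsigned int seconds)
{
	struct sockaddr_in peer = make_addr(AF_INET), unspec = make_addr(AF_UNSPEC);
	void *args[2] = { &peer, &unspec };
	pthread_t t[2];
	int i, started = 0;
	sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock_fd < 0)
		return -1;
	stop_race = 0;
	for (i = 0; i < 2; i++) {
		if (pthread_create(&t[i], NULL, connect_loop, args[i]) != 0)
			break;
		started++;
	}
	if (started == 2)
		sleep(seconds);
	stop_race = 1;
	for (i = 0; i < started; i++)
		pthread_join(t[i], NULL);
	close(sock_fd);
	return started == 2 ? 0 : -1;
}

int main(void)
{
	return udp_connect_cycle_demo() != 0 || run_race(10) != 0;
}
```

Run it under a KASAN kernel to see whether the hash-chain writes in the traces above reappear; the state walk in udp_connect_cycle_demo() is the part that shows why ->disconnect() has to touch the same hash chains as autobind at all, which is what makes the missing lock in udp_disconnect() more than a theoretical race.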
