* [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh
@ 2022-06-29 10:49 Duoming Zhou
2022-07-02 2:41 ` Jakub Kicinski
0 siblings, 1 reply; 5+ messages in thread
From: Duoming Zhou @ 2022-06-29 10:49 UTC (permalink / raw)
To: linux-hams
Cc: netdev, linux-kernel, ralf, davem, edumazet, kuba, pabeni, Duoming Zhou
When the link layer connection is broken, the rose->neighbour is
set to null. But rose->neighbour could be used by rose_connection()
and rose_release() later, because there is no synchronization among
them. As a result, the null-ptr-deref bugs will happen.
One of the null-ptr-deref bugs is shown below:
(thread 1) | (thread 2)
| rose_connect
rose_kill_by_neigh | lock_sock(sk)
spin_lock_bh(&rose_list_lock) | if (!rose->neighbour)
rose->neighbour = NULL;//(1) |
| rose->neighbour->use++;//(2)
The rose->neighbour is set to null in position (1) and dereferenced
in position (2).
The KASAN report triggered by POC is shown below:
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
RIP: 0010:rose_connect+0x6c2/0xf30
RSP: 0018:ffff88800ab47d60 EFLAGS: 00000206
RAX: 0000000000000005 RBX: 000000000000002a RCX: 0000000000000000
RDX: ffff88800ab38000 RSI: ffff88800ab47e48 RDI: ffff88800ab38309
RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1001567062
R10: dfffe91001567063 R11: 1ffff11001567061 R12: 1ffff11000d17cd0
R13: ffff8880068be680 R14: 0000000000000002 R15: 1ffff11000d17cd0
...
Call Trace:
<TASK>
? __local_bh_enable_ip+0x54/0x80
? selinux_netlbl_socket_connect+0x26/0x30
? rose_bind+0x5b0/0x5b0
__sys_connect+0x216/0x280
__x64_sys_connect+0x71/0x80
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
This patch adds lock_sock() in rose_kill_by_neigh() in order to
synchronize with rose_connect() and rose_release().
Meanwhile, this patch adds sock_hold() protected by rose_list_lock
that could synchronize with rose_remove_socket() in order to mitigate
UAF bug caused by lock_sock() we add.
What's more, there is no need using rose_neigh_list_lock to protect
rose_kill_by_neigh(). Because we have already used rose_neigh_list_lock
to protect the state change of rose_neigh in rose_link_failed(), which
is well synchronized.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
Changes in v4:
- v4: Fix traversing erroneously stop problem.
net/rose/af_rose.c | 8 ++++++++
net/rose/rose_route.c | 2 ++
2 files changed, 10 insertions(+)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index bf2d986a6bc..24dcbde88fb 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -165,13 +165,21 @@ void rose_kill_by_neigh(struct rose_neigh *neigh)
struct sock *s;
spin_lock_bh(&rose_list_lock);
+again:
sk_for_each(s, &rose_list) {
struct rose_sock *rose = rose_sk(s);
if (rose->neighbour == neigh) {
+ sock_hold(s);
+ spin_unlock_bh(&rose_list_lock);
+ lock_sock(s);
rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
rose->neighbour->use--;
rose->neighbour = NULL;
+ release_sock(s);
+ spin_lock_bh(&rose_list_lock);
+ sock_put(s);
+ goto again;
}
}
spin_unlock_bh(&rose_list_lock);
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index fee6409c2bb..b116828b422 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -827,7 +827,9 @@ void rose_link_failed(ax25_cb *ax25, int reason)
ax25_cb_put(ax25);
rose_del_route_by_neigh(rose_neigh);
+ spin_unlock_bh(&rose_neigh_list_lock);
rose_kill_by_neigh(rose_neigh);
+ return;
}
spin_unlock_bh(&rose_neigh_list_lock);
}
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh
2022-06-29 10:49 [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh Duoming Zhou
@ 2022-07-02 2:41 ` Jakub Kicinski
2022-07-02 7:23 ` duoming
0 siblings, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2022-07-02 2:41 UTC (permalink / raw)
To: Duoming Zhou
Cc: linux-hams, netdev, linux-kernel, ralf, davem, edumazet, pabeni
On Wed, 29 Jun 2022 18:49:41 +0800 Duoming Zhou wrote:
> When the link layer connection is broken, the rose->neighbour is
> set to null. But rose->neighbour could be used by rose_connection()
> and rose_release() later, because there is no synchronization among
> them. As a result, the null-ptr-deref bugs will happen.
>
> One of the null-ptr-deref bugs is shown below:
>
> (thread 1) | (thread 2)
> | rose_connect
> rose_kill_by_neigh | lock_sock(sk)
> spin_lock_bh(&rose_list_lock) | if (!rose->neighbour)
> rose->neighbour = NULL;//(1) |
> | rose->neighbour->use++;//(2)
> if (rose->neighbour == neigh) {
Why is it okay to perform this comparison without the socket lock,
if we need a socket lock to clear it? Looks like rose_kill_by_neigh()
is not guaranteed to clear all the uses of a neighbor.
> + sock_hold(s);
> + spin_unlock_bh(&rose_list_lock);
> + lock_sock(s);
> rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
> rose->neighbour->use--;
What protects the use counter?
> rose->neighbour = NULL;
> + release_sock(s);
> + spin_lock_bh(&rose_list_lock);
Don't take the lock here just dump one line further back.
> + sock_put(s);
> + goto again;
> }
> }
> spin_unlock_bh(&rose_list_lock);
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index fee6409c2bb..b116828b422 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -827,7 +827,9 @@ void rose_link_failed(ax25_cb *ax25, int reason)
> ax25_cb_put(ax25);
>
> rose_del_route_by_neigh(rose_neigh);
> + spin_unlock_bh(&rose_neigh_list_lock);
> rose_kill_by_neigh(rose_neigh);
> + return;
> }
> spin_unlock_bh(&rose_neigh_list_lock);
> }
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh
2022-07-02 2:41 ` Jakub Kicinski
@ 2022-07-02 7:23 ` duoming
2022-07-02 19:01 ` Jakub Kicinski
0 siblings, 1 reply; 5+ messages in thread
From: duoming @ 2022-07-02 7:23 UTC (permalink / raw)
To: Jakub Kicinski
Cc: linux-hams, netdev, linux-kernel, ralf, davem, edumazet, pabeni
Hello,
On Fri, 1 Jul 2022 19:41:55 -0700 Jakub Kicinski wrote:
> On Wed, 29 Jun 2022 18:49:41 +0800 Duoming Zhou wrote:
> > When the link layer connection is broken, the rose->neighbour is
> > set to null. But rose->neighbour could be used by rose_connection()
> > and rose_release() later, because there is no synchronization among
> > them. As a result, the null-ptr-deref bugs will happen.
> >
> > One of the null-ptr-deref bugs is shown below:
> >
> > (thread 1) | (thread 2)
> > | rose_connect
> > rose_kill_by_neigh | lock_sock(sk)
> > spin_lock_bh(&rose_list_lock) | if (!rose->neighbour)
> > rose->neighbour = NULL;//(1) |
> > | rose->neighbour->use++;//(2)
>
> > if (rose->neighbour == neigh) {
>
> Why is it okay to perform this comparison without the socket lock,
> if we need a socket lock to clear it? Looks like rose_kill_by_neigh()
> is not guaranteed to clear all the uses of a neighbor.
I am sorry, the comparision should also be protected with socket lock.
The rose_kill_by_neigh() only clear the neighbor that is passed as
parameter of rose_kill_by_neigh().
> > + sock_hold(s);
> > + spin_unlock_bh(&rose_list_lock);
> > + lock_sock(s);
> > rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
> > rose->neighbour->use--;
>
> What protects the use counter?
The use coounter is protected by socket lock.
> > rose->neighbour = NULL;
> > + release_sock(s);
> > + spin_lock_bh(&rose_list_lock);
>
> Don't take the lock here just dump one line further back.
Ok, I will dump one line further back.
Best regards,
Duoming Zhou
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh
2022-07-02 7:23 ` duoming
@ 2022-07-02 19:01 ` Jakub Kicinski
2022-07-03 0:43 ` duoming
0 siblings, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2022-07-02 19:01 UTC (permalink / raw)
To: duoming; +Cc: linux-hams, netdev, linux-kernel, ralf, davem, edumazet, pabeni
On Sat, 2 Jul 2022 15:23:57 +0800 (GMT+08:00) duoming@zju.edu.cn wrote:
> > On Wed, 29 Jun 2022 18:49:41 +0800 Duoming Zhou wrote:
> > > When the link layer connection is broken, the rose->neighbour is
> > > set to null. But rose->neighbour could be used by rose_connection()
> > > and rose_release() later, because there is no synchronization among
> > > them. As a result, the null-ptr-deref bugs will happen.
> > >
> > > One of the null-ptr-deref bugs is shown below:
> > >
> > > (thread 1) | (thread 2)
> > > | rose_connect
> > > rose_kill_by_neigh | lock_sock(sk)
> > > spin_lock_bh(&rose_list_lock) | if (!rose->neighbour)
> > > rose->neighbour = NULL;//(1) |
> > > | rose->neighbour->use++;//(2)
> >
> > > if (rose->neighbour == neigh) {
> >
> > Why is it okay to perform this comparison without the socket lock,
> > if we need a socket lock to clear it? Looks like rose_kill_by_neigh()
> > is not guaranteed to clear all the uses of a neighbor.
>
> I am sorry, the comparision should also be protected with socket lock.
> The rose_kill_by_neigh() only clear the neighbor that is passed as
> parameter of rose_kill_by_neigh().
Don't think that's possible, you'd have to drop the neigh lock every
time.
> > > + sock_hold(s);
> > > + spin_unlock_bh(&rose_list_lock);
> > > + lock_sock(s);
> > > rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
> > > rose->neighbour->use--;
> >
> > What protects the use counter?
>
> The use coounter is protected by socket lock.
Which one, the neigh object can be shared by multiple sockets, no?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh
2022-07-02 19:01 ` Jakub Kicinski
@ 2022-07-03 0:43 ` duoming
0 siblings, 0 replies; 5+ messages in thread
From: duoming @ 2022-07-03 0:43 UTC (permalink / raw)
To: Jakub Kicinski
Cc: linux-hams, netdev, linux-kernel, ralf, davem, edumazet, pabeni
Hello,
On Sat, 2 Jul 2022 12:01:08 -0700 Jakub Kicinski wrote:
> On Sat, 2 Jul 2022 15:23:57 +0800 (GMT+08:00) duoming@zju.edu.cn wrote:
> > > On Wed, 29 Jun 2022 18:49:41 +0800 Duoming Zhou wrote:
> > > > When the link layer connection is broken, the rose->neighbour is
> > > > set to null. But rose->neighbour could be used by rose_connection()
> > > > and rose_release() later, because there is no synchronization among
> > > > them. As a result, the null-ptr-deref bugs will happen.
> > > >
> > > > One of the null-ptr-deref bugs is shown below:
> > > >
> > > > (thread 1) | (thread 2)
> > > > | rose_connect
> > > > rose_kill_by_neigh | lock_sock(sk)
> > > > spin_lock_bh(&rose_list_lock) | if (!rose->neighbour)
> > > > rose->neighbour = NULL;//(1) |
> > > > | rose->neighbour->use++;//(2)
> > >
> > > > if (rose->neighbour == neigh) {
> > >
> > > Why is it okay to perform this comparison without the socket lock,
> > > if we need a socket lock to clear it? Looks like rose_kill_by_neigh()
> > > is not guaranteed to clear all the uses of a neighbor.
> >
> > I am sorry, the comparision should also be protected with socket lock.
> > The rose_kill_by_neigh() only clear the neighbor that is passed as
> > parameter of rose_kill_by_neigh().
>
> Don't think that's possible, you'd have to drop the neigh lock every
> time.
The neighbour is cleared in two situations.
(1) When the rose device is down, the rose_link_device_down() traverses
the rose_neigh_list and uses the rose_kill_by_neigh() to clear the
neighbors of the device.
void rose_link_device_down(struct net_device *dev)
{
struct rose_neigh *rose_neigh;
for (rose_neigh = rose_neigh_list; rose_neigh != NULL; rose_neigh = rose_neigh->next) {
if (rose_neigh->dev == dev) {
rose_del_route_by_neigh(rose_neigh);
rose_kill_by_neigh(rose_neigh);
}
}
}
https://elixir.bootlin.com/linux/v5.19-rc4/source/net/rose/rose_route.c#L839
(2) When the level 2 link has timed out, the rose_link_failed() calls rose_kill_by_neigh()
to clear the rose_neigh.
https://elixir.bootlin.com/linux/v5.19-rc4/source/net/rose/rose_route.c#L813
> > > > + sock_hold(s);
> > > > + spin_unlock_bh(&rose_list_lock);
> > > > + lock_sock(s);
> > > > rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
> > > > rose->neighbour->use--;
> > >
> > > What protects the use counter?
> >
> > The use counter is protected by socket lock.
>
> Which one, the neigh object can be shared by multiple sockets, no?
The sk_for_each() traverses the rose_list and uses the lock of the socket that is extracted
from the rose_list to protect the use counter.
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index bf2d986a6bc..6d5088b030a 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -165,14 +165,26 @@ void rose_kill_by_neigh(struct rose_neigh *neigh)
struct sock *s;
spin_lock_bh(&rose_list_lock);
+again:
sk_for_each(s, &rose_list) {
struct rose_sock *rose = rose_sk(s);
+ sock_hold(s);
+ spin_unlock_bh(&rose_list_lock);
+ lock_sock(s);
if (rose->neighbour == neigh) {
rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
rose->neighbour->use--;
rose->neighbour = NULL;
+ release_sock(s);
+ sock_put(s);
+ spin_lock_bh(&rose_list_lock);
+ goto again;
}
+ release_sock(s);
+ sock_put(s);
+ spin_lock_bh(&rose_list_lock);
+ goto again;
}
spin_unlock_bh(&rose_list_lock);
}
Best regards,
Duoming Zhou
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-07-03 0:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-29 10:49 [PATCH v4] net: rose: fix null-ptr-deref caused by rose_kill_by_neigh Duoming Zhou
2022-07-02 2:41 ` Jakub Kicinski
2022-07-02 7:23 ` duoming
2022-07-02 19:01 ` Jakub Kicinski
2022-07-03 0:43 ` duoming
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.