From: Dmitry Vyukov <dvyukov@google.com>
To: "David S. Miller" <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	James Morris <jmorris@namei.org>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Patrick McHardy <kaber@trash.net>,
	netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Vlad Yasevich <vyasevich@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	linux-sctp@vger.kernel.org, Eric Dumazet <edumazet@google.com>
Cc: syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: use-after-free in inet6_destroy_sock
Date: Wed, 9 Dec 2015 15:15:45 +0100
Message-ID: <CACT4Y+YjXJoh3uGDp=FJkYVnjaMxFSPY252ptbDGZ-LQ9JAEWw@mail.gmail.com>

Hello,

The following program causes use-after-free in inet6_destroy_sock:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE        /* needed for the syscall(2) and dup3(2) declarations */
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <unistd.h>        /* getpid, dup3, syscall */
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>

int cfd = -1;

/* Client thread: connects a second SCTP socket to the listener on ::1 so the
 * listener has a child socket ready for the accept4() in main(). */
void *thr(void *arg)
{
        cfd = syscall(SYS_socket, PF_INET6, SOCK_STREAM, IPPROTO_SCTP);
        struct sockaddr_in6 sa = {};
        sa.sin6_family = AF_INET6;
        sa.sin6_port = getpid();
        sa.sin6_addr.s6_addr[15] = 1;   /* ::1 */
        syscall(SYS_connect, cfd, &sa, sizeof(sa), 0, 0, 0);
        return 0;
}

int main()
{
        /* Fixed scratch region the generated syscalls take their pointer
         * arguments from: PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. */
        syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
        int fd = syscall(SYS_socket, PF_INET6, SOCK_STREAM, IPPROTO_SCTP);
        struct sockaddr_in6 sa = {};
        sa.sin6_family = AF_INET6;
        sa.sin6_port = getpid();
        sa.sin6_addr.s6_addr[15] = 1;   /* ::1 */
        syscall(SYS_bind, fd, &sa, sizeof(sa), 0, 0, 0);
        syscall(SYS_listen, fd, 0x3ul, 0, 0, 0, 0);
        /* setsockopt(fd, SOL_IPV6 (0x29), IPV6_PKTOPTIONS (0x6), buf, 10): this is
         * the sock_kmalloc() in do_ipv6_setsockopt() that the KASAN "Allocated in"
         * stack below points at. */
        memcpy((void*)0x20002ff6, "\x10\x48\xe0\xad\x68\xc0\xce\x4c\xd0\xb5", 10);
        syscall(SYS_setsockopt, fd, 0x29ul, 0x6ul, 0x20002ff6ul, 0xaul, 0);
        pthread_t th;
        pthread_create(&th, 0, thr, 0);
        pthread_join(th, 0);
        /* Accept the child socket created by the connect in thr(). */
        int sfd = syscall(SYS_accept4, fd, 0x20003f80ul, 0x20003ab4ul, 0x80800ul, 0, 0);
        dup3(fd, -1, 0x80000);
        /* The report fires at process exit, when the sockets are closed
         * (do_exit -> task_work_run -> sock_close in the call trace below). */
        return 0;
}


==================================================================
BUG: KASAN: use-after-free in inet6_destroy_sock+0x177/0x1c0 at addr
ffff8800349179b4
Read of size 4 by task executor/7001
=============================================================================
BUG kmalloc-96 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in sock_kmalloc+0x93/0x100 age=20 cpu=0 pid=7064
[<      none      >] ___slab_alloc+0x648/0x8c0 mm/slub.c:2468
[<      none      >] __slab_alloc+0x4c/0x90 mm/slub.c:2497
[<     inline     >] slab_alloc_node mm/slub.c:2560
[<     inline     >] slab_alloc mm/slub.c:2602
[<      none      >] __kmalloc+0x2d9/0x480 mm/slub.c:3562
[<     inline     >] kmalloc include/linux/slab.h:463
[<      none      >] sock_kmalloc+0x93/0x100 net/core/sock.c:1771
[<      none      >] do_ipv6_setsockopt.isra.5+0x1f43/0x2e50
net/ipv6/ipv6_sockglue.c:490
[<      none      >] ipv6_setsockopt+0x4f/0x150 net/ipv6/ipv6_sockglue.c:895
[<      none      >] sctp_setsockopt+0x194/0x4020 net/sctp/socket.c:3702
[<      none      >] sock_common_setsockopt+0xb4/0x140 net/core/sock.c:2641
[<     inline     >] SYSC_setsockopt net/socket.c:1750
[<      none      >] SyS_setsockopt+0x161/0x290 net/socket.c:1729
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in rcu_process_callbacks+0x52c/0x19e0 age=16 cpu=0 pid=0
[<      none      >] __slab_free+0x21e/0x3e0 mm/slub.c:2678
[<     inline     >] slab_free mm/slub.c:2833
[<      none      >] kfree+0x26f/0x3e0 mm/slub.c:3662
[<     inline     >] __rcu_reclaim kernel/rcu/rcu.h:113
[<     inline     >] rcu_do_batch kernel/rcu/tree.c:2693
[<     inline     >] invoke_rcu_callbacks kernel/rcu/tree.c:2961
[<     inline     >] __rcu_process_callbacks kernel/rcu/tree.c:2928
[<      none      >] rcu_process_callbacks+0x52c/0x19e0 kernel/rcu/tree.c:2945
[<      none      >] __do_softirq+0x2e5/0xb40 kernel/softirq.c:273
[<     inline     >] invoke_softirq kernel/softirq.c:350
[<      none      >] irq_exit+0x165/0x1e0 kernel/softirq.c:391
[<     inline     >] exiting_irq ./arch/x86/include/asm/apic.h:653
[<      none      >] smp_apic_timer_interrupt+0x88/0xc0
arch/x86/kernel/apic/apic.c:926
[<      none      >] apic_timer_interrupt+0x8c/0xa0
arch/x86/entry/entry_64.S:520
[<     inline     >] arch_safe_halt ./arch/x86/include/asm/paravirt.h:111
[<      none      >] default_idle+0x22/0x300 arch/x86/kernel/process.c:304
[<      none      >] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:295
[<      none      >] default_idle_call+0x4f/0x80 kernel/sched/idle.c:92
[<     inline     >] cpuidle_idle_call kernel/sched/idle.c:156
[<     inline     >] cpu_idle_loop kernel/sched/idle.c:251
[<      none      >] cpu_startup_entry+0x481/0x690 kernel/sched/idle.c:299
[<      none      >] rest_init+0x1c7/0x1d0 init/main.c:412
[<      none      >] start_kernel+0x6cd/0x6f3 init/main.c:683
[<      none      >] x86_64_start_reservations+0x2a/0x2c
arch/x86/kernel/head64.c:195
[<      none      >] x86_64_start_kernel+0x176/0x185
arch/x86/kernel/head64.c:184

INFO: Slab 0xffffea0000d24500 objects=28 used=26 fp=0xffff8800349179b0
flags=0x1fffc0000004080
INFO: Object 0xffff8800349179b0 @offset=14768 fp=0xffff880034914000
CPU: 1 PID: 7001 Comm: executor Tainted: G    B           4.4.0-rc4+ #158
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000001 ffff880062eef940 ffffffff82e0f6d8 0000000041b58ab3
 ffffffff87aa2c7d ffffffff82e0f626 ffff88006c051740 ffffffff87ac3e19
 ffff88003e804900 0000000000000008 ffff8800349179b0 ffff880062eef940

Call Trace:
 [<ffffffff818450f4>] __asan_report_load4_noabort+0x54/0x70
mm/kasan/report.c:294
 [<ffffffff85d61f17>] inet6_destroy_sock+0x177/0x1c0 net/ipv6/af_inet6.c:433
 [<ffffffff864df89d>] sctp_v6_destroy_sock+0x1d/0x20 net/sctp/socket.c:7389
 [<ffffffff856cf00d>] sk_common_release+0x7d/0x3e0 net/core/sock.c:2662
 [<ffffffff864e58fe>] sctp_close+0x5fe/0x9b0 net/sctp/socket.c:1541
 [<ffffffff85bfe691>] inet_release+0x111/0x270 net/ipv4/af_inet.c:413
 [<ffffffff85d60ce5>] inet6_release+0x55/0x90 net/ipv6/af_inet6.c:406
 [<ffffffff856b3b96>] sock_release+0x96/0x260 net/socket.c:571
 [<ffffffff856b3d76>] sock_close+0x16/0x20 net/socket.c:1022
 [<ffffffff8189d304>] __fput+0x244/0x860 fs/file_table.c:208
 [<ffffffff8189d9b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813e2dc0>] task_work_run+0x130/0x240 kernel/task_work.c:115
 [<     inline     >] exit_task_work include/linux/task_work.h:21
 [<ffffffff8137d1e5>] do_exit+0x885/0x3050 kernel/exit.c:750
 [<ffffffff8137fb0c>] do_group_exit+0xec/0x390 kernel/exit.c:880
 [<     inline     >] SYSC_exit_group kernel/exit.c:891
 [<ffffffff8137fdcd>] SyS_exit_group+0x1d/0x20 kernel/exit.c:889
 [<ffffffff86a924f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
==================================================================

On commit aa53685549a2cfb5f175b0c4a20bc9aa1e5a1b85 (Nov 8).
Eric, this now includes your patches that you previously pointed me
to, and also https://patchwork.ozlabs.org/patch/553068/ on top of it.
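The patch title later in this thread ("ipv6: sctp: clone options to avoid use after free") points at the cause, and the model below assumes what that fix implies: the accepted SCTP socket received the listener's IPv6 options pointer by a plain copy of the per-socket info, so both closes freed the same block. This is an added user-space model of that defect class and of the cloning fix, not the kernel's code or the reporter's; the struct and function names are constructed stand-ins for ipv6_pinfo, ipv6_txoptions and inet6_destroy_sock, and a small quarantine stands in for KASAN so the stale access is reported rather than crashing.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel's ipv6_txoptions and ipv6_pinfo. */
struct txoptions { int freed; int tot_len; unsigned char data[16]; };
struct pinfo { struct txoptions *opt; };
/* KASAN-like quarantine: freed blocks are poisoned and held back rather than
 * returned to malloc, so a later access is reported instead of crashing. */
static struct txoptions *quarantine[8];
static int nq;
static struct txoptions *opt_alloc(const unsigned char *d, int len)
{
    struct txoptions *o = calloc(1, sizeof *o);
    if (!o || len > (int)sizeof o->data) { free(o); return NULL; }
    o->tot_len = len; memcpy(o->data, d, len);
    return o;
}
static void opt_free(struct txoptions *o)
{
    o->freed = 1;                                  /* "poison" the block */
    if (nq < 8) quarantine[nq++] = o; else free(o);
}
static void quarantine_drain(void) { while (nq) free(quarantine[--nq]); }
/* Buggy accept path: copying the per-socket info aliases the listener's opt. */
static void accept_sk_buggy(struct pinfo *c, const struct pinfo *l) { *c = *l; }
/* Fixed accept path: the child gets its own copy (the ipv6_dup_options role). */
static int accept_sk_fixed(struct pinfo *c, const struct pinfo *l)
{
    c->opt = l->opt ? opt_alloc(l->opt->data, l->opt->tot_len) : NULL;
    return (l->opt && !c->opt) ? -1 : 0;
}
/* inet6_destroy_sock() analogue: reads then frees the block; -1 if already freed. */
static int destroy_sock(struct pinfo *np)
{
    struct txoptions *o = np->opt;
    np->opt = NULL;
    if (o && o->freed) return -1;                  /* the "Read of size 4" hit */
    if (o) opt_free(o);
    return 0;
}

/* Report's sequence: listener sets IPV6_PKTOPTIONS, a child is accepted, both
 * are closed at exit. Returns how many closes touched an already-freed block. */
static int teardown_scenario(int fixed)
{
    /* The 10 option bytes the reproducer hands to setsockopt(). */
    static const unsigned char pkt[10] =
        { 0x10, 0x48, 0xe0, 0xad, 0x68, 0xc0, 0xce, 0x4c, 0xd0, 0xb5 };
    struct pinfo listener = {0}, child = {0};
    if (!(listener.opt = opt_alloc(pkt, sizeof pkt))) return -1;
    if (fixed) accept_sk_fixed(&child, &listener); else accept_sk_buggy(&child, &listener);
    int stale = destroy_sock(&child) < 0;          /* first close frees the block */
    stale += destroy_sock(&listener) < 0;          /* second close finds it freed */
    quarantine_drain();
    return stale;
}
```

With the aliasing accept path the second close reports the stale block (one hit); with the cloning path each socket frees only its own copy.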

Thread overview: 34+ messages
2015-12-09 14:15 Dmitry Vyukov [this message]
2015-12-09 14:43 ` Eric Dumazet
2015-12-09 14:59   ` Marcelo Ricardo Leitner
2015-12-09 15:09     ` Eric Dumazet
2015-12-09 15:25       ` [PATCH net] ipv6: sctp: clone options to avoid use after free Eric Dumazet
2015-12-09 15:34         ` Vlad Yasevich
2015-12-09 15:49         ` David Laight
2015-12-09 15:59           ` Eric Dumazet
2015-12-09 16:31             ` David Laight
2015-12-09 17:11               ` Marcelo Ricardo Leitner
2015-12-09 19:19                 ` Daniel Borkmann
2015-12-10 12:26                   ` David Laight
2015-12-10 15:58                     ` Eric Dumazet
2015-12-10 17:27                       ` David Laight
2015-12-12  1:19         ` David Miller
