From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Ntjy=HS=lists.infradead.org=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9F5CFC433DB
	for <linux-arm-kernel@archiver.kernel.org>; Tue, 16 Feb 2021 17:49:15 +0000 (UTC)
Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 57EE264E08
	for <linux-arm-kernel@archiver.kernel.org>; Tue, 16 Feb 2021 17:49:15 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 57EE264E08
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=zx2c4.com
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:To:Subject:Message-ID:Date:From:In-Reply-To:
	References:MIME-Version:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	 bh=H/YNCu27v77XKxF90fEXVTACbcKyp9uOAxGW735UEsQ=; b=NL9h+VGHhNE3/FNWxkQcGdFNX
	BbaSSIQZFo/PtGNVUmztzkEwVMVXMYYuMkdM2PcHeugy4/S+h4VaxeykixbDPq8zjy/pmGkquB1dA
	K1eWOXPhwQhiAId14W05FIh/EPtfPKS8+nCbs/WhPfiDuXXg72LrP+FWMY4TnI1nkc8ZLs6iT+412
	85RE0R3wRVEs2ycRLDtEKDE0BkohJfPHHaLILTgSOm5OJMGYeh2A5hsKPrHtQwlWfJDhZSTtvPdJM
	fIAquxT68A5GTjQtQkarDwJSjMgOVtZoQfhHB2X+KHFd5rNNI8+RkrqoT+0a3QS527fTPH1YNM44G
	HhPM7XsvQ==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1lC4R9-0002ff-3a; Tue, 16 Feb 2021 17:46:59 +0000
Received: from mail.zx2c4.com ([104.131.123.232])
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1lC4R6-0002eh-3V
 for linux-arm-kernel@lists.infradead.org; Tue, 16 Feb 2021 17:46:56 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; 
 t=1613497605;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=EeUD0/Hrmkha1vgSjrxHXQGMMGTIAxd3b5RgI7gY5e4=;
 b=oZiyL2tQab3A8opF7a6It9JZmogP61MnHXpshzk9DbY2ZqpuiDyQEj29KqppKP44N2SC0G
 xSOLZdCzTQm8iQwScAlQcPkjhbiuNLspVQ53CK5gGp3Q2K3qwIKdWGL5NYzRS6elCsbNdI
 8o58enQv+nFaefRb8sSVmhGjkRVG6sU=
Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id cc00998f
 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO)
 for <linux-arm-kernel@lists.infradead.org>;
 Tue, 16 Feb 2021 17:46:45 +0000 (UTC)
Received: by mail-yb1-f171.google.com with SMTP id b10so11269713ybn.3
 for <linux-arm-kernel@lists.infradead.org>;
 Tue, 16 Feb 2021 09:46:45 -0800 (PST)
X-Gm-Message-State: AOAM5335vR4Oa5FGjtumSrnwTuy3wNgkaNw2TuKjiaZxKR4htTb1I24H
 vCFZ1F/2qfUgca//w2TpHroYSYmwHn0h2v0OyB8=
X-Google-Smtp-Source: ABdhPJwhVsAUHKbqej3N09bli7Ip3Grj1LPSZWD38TPvdzb+CintSD1ow5bBZyachx1edPauzqXd/cvVVNds1A+cBKQ=
X-Received: by 2002:a25:80c9:: with SMTP id c9mr31610024ybm.279.1613497604734; 
 Tue, 16 Feb 2021 09:46:44 -0800 (PST)
MIME-Version: 1.0
References: <0000000000000be4d705bb68dfa7@google.com>
 <20210216172817.GA14978@arm.com>
In-Reply-To: <20210216172817.GA14978@arm.com>
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 16 Feb 2021 18:46:34 +0100
X-Gmail-Original-Message-ID: <CAHmME9q2-wbRmE-VgSoW5fxjGQ9kkafYH-X5gSVvgWESo5rm4Q@mail.gmail.com>
Message-ID: <CAHmME9q2-wbRmE-VgSoW5fxjGQ9kkafYH-X5gSVvgWESo5rm4Q@mail.gmail.com>
Subject: Re: KASAN: invalid-access Write in enqueue_timer
To: Netdev <netdev@vger.kernel.org>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210216_124656_222952_6F20FA07 
X-CRM114-Status: GOOD (  13.69  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: Mark Rutland <mark.rutland@arm.com>, Kees Cook <keescook@chromium.org>,
 Catalin Marinas <catalin.marinas@arm.com>,
 syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
 LKML <linux-kernel@vger.kernel.org>, Mark Brown <broonie@kernel.org>,
 syzbot <syzbot+95c862be69e37145543f@syzkaller.appspotmail.com>, mbenes@suse.cz,
 Will Deacon <will@kernel.org>, Ard Biesheuvel <ardb@kernel.org>,
 linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Hi Catalin,

On Tue, Feb 16, 2021 at 6:28 PM Catalin Marinas <catalin.marinas@arm.com> wrote:
> Adding Jason and Ard. It may be a use-after-free in the wireguard
> driver.

Thanks for sending this my way. Note: to my knowledge, Ard doesn't
work on wireguard.

> >  hlist_add_head include/linux/list.h:883 [inline]
> >  enqueue_timer+0x18/0xc0 kernel/time/timer.c:581
> >  mod_timer+0x14/0x20 kernel/time/timer.c:1106
> >  mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
> >  wg_timers_any_authenticated_packet_traversal+0x68/0x90 drivers/net/wireguard/timers.c:215

The line of hlist_add_head that it's hitting is:

static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
       struct hlist_node *first = h->first;
       WRITE_ONCE(n->next, first);
       if (first)

So that means it's the dereferencing of h that's a problem. That comes from:

static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
                         unsigned int idx, unsigned long bucket_expiry)
{

       hlist_add_head(&timer->entry, base->vectors + idx);

That means it concerns base->vectors + idx, not the timer_list object
that wireguard manages. That's confusing. Could that imply that the
bug is in freeing a previous timer without removing it from the timer
lists, so that it winds up being in base->vectors?

The allocation and deallocation backtrace is confusing

> >  alloc_netdev_mqs+0x5c/0x3bc net/core/dev.c:10546
> >  rtnl_create_link+0xc8/0x2b0 net/core/rtnetlink.c:3171
> >  __rtnl_newlink+0x5bc/0x800 net/core/rtnetlink.c:3433

This suggests it's part of the `ip link add wg0 type wireguard` nelink
call, during it's allocation of the netdevice's private area. For
this, the wg_device struct is used. It has no timer_list structures in
it!

Similarly,

> >  netdev_freemem+0x18/0x2c net/core/dev.c:10500
> >  netdev_release+0x30/0x44 net/core/net-sysfs.c:1828
> >  device_release+0x34/0x90 drivers/base/core.c:1980

That smells like `ip link del wg0 type wireguard`. But again,
wg_device doesn't have any timer_lists in it.

So what's happening here exactly? I'm not really sure yet...

It'd be nice to have a reproducer.


Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel