linux-kernel.vger.kernel.org archive mirror
* [PATCH 0/1] recvmmsg use-after-free fix
@ 2016-03-14 12:56 Arnaldo Carvalho de Melo
  2016-03-14 12:56 ` [PATCH 1/1] net: Fix use after free in the recvmmsg exit path Arnaldo Carvalho de Melo
  0 siblings, 1 reply; 3+ messages in thread
From: Arnaldo Carvalho de Melo @ 2016-03-14 12:56 UTC (permalink / raw)
  To: David S. Miller
  Cc: netdev, linux-kernel, Arnaldo Carvalho de Melo,
	Alexander Potapenko, Eric Dumazet, Kostya Serebryany,
	Sasha Levin

From: Arnaldo Carvalho de Melo <acme@redhat.com>

Hi David,

	Please consider applying,

- Arnaldo

Arnaldo Carvalho de Melo (1):
  net: Fix use after free in the recvmmsg exit path

 net/socket.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

-- 
2.5.0


* [PATCH 1/1] net: Fix use after free in the recvmmsg exit path
  2016-03-14 12:56 [PATCH 0/1] recvmmsg use-after-free fix Arnaldo Carvalho de Melo
@ 2016-03-14 12:56 ` Arnaldo Carvalho de Melo
  2016-03-14 16:42   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Arnaldo Carvalho de Melo @ 2016-03-14 12:56 UTC (permalink / raw)
  To: David S. Miller
  Cc: netdev, linux-kernel, Arnaldo Carvalho de Melo,
	Alexander Potapenko, Eric Dumazet, Kostya Serebryany,
	Sasha Levin

From: Arnaldo Carvalho de Melo <acme@redhat.com>

The syzkaller fuzzer hit the following use-after-free:

  Call Trace:
   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
  arch/x86/entry/entry_64.S:185

And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg set
sock->sk->sk_err, oops, fix it.

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 net/socket.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/net/socket.c b/net/socket.c
index c044d1e8508c..db13ae893dce 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2240,31 +2240,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 		cond_resched();
 	}
 
-out_put:
-	fput_light(sock->file, fput_needed);
-
 	if (err == 0)
-		return datagrams;
+		goto out_put;
 
-	if (datagrams != 0) {
+	if (datagrams == 0) {
+		datagrams = err;
+		goto out_put;
+	}
+
+	/*
+	 * We may return less entries than requested (vlen) if the
+	 * sock is non block and there aren't enough datagrams...
+	 */
+	if (err != -EAGAIN) {
 		/*
-		 * We may return less entries than requested (vlen) if the
-		 * sock is non block and there aren't enough datagrams...
+		 * ... or  if recvmsg returns an error after we
+		 * received some datagrams, where we record the
+		 * error to return on the next call or if the
+		 * app asks about it using getsockopt(SO_ERROR).
 		 */
-		if (err != -EAGAIN) {
-			/*
-			 * ... or  if recvmsg returns an error after we
-			 * received some datagrams, where we record the
-			 * error to return on the next call or if the
-			 * app asks about it using getsockopt(SO_ERROR).
-			 */
-			sock->sk->sk_err = -err;
-		}
-
-		return datagrams;
+		sock->sk->sk_err = -err;
 	}
+out_put:
+	fput_light(sock->file, fput_needed);
 
-	return err;
+	return datagrams;
 }
 
 SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
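Review bot: the ordering that actually fixes the use-after-free, the `sock->sk->sk_err = -err;` store now sitting above `out_put:` and `fput_light(sock->file, fput_needed);`, is only implied by where the label landed; a one-line comment at `out_put:` stating that `sock` must not be dereferenced after the `fput_light()` would keep a later cleanup from hoisting the put back above the `sk_err` store, which is exactly how the original bug arose. Minor: the two halves of the comment ("We may return less entries ..." above the `if (err != -EAGAIN)` and "... or if recvmsg returns an error ..." inside it) now read as one sentence split across two blocks; consider merging them into a single comment above the `if`.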
-- 
2.5.0

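The exit-path cases the patch distinguishes (some datagrams then -EAGAIN: return the count and record nothing; no datagrams at all: return the error itself) can be observed from user space. The following is an added example written for this page, not code from the patch or the kernel tree. It assumes a Linux host with recvmmsg(2) and uses an AF_UNIX datagram socketpair so that no network access is needed; the sample payloads are constructed inline. The third branch (a non-EAGAIN error after some datagrams, which is the one that stores into sk_err) is not induced here because it needs a kernel-side failure mid-batch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

enum { VLEN = 4, BUFSZ = 64 };

/* Point each mmsghdr at its own buffer; msg_len is filled in by the kernel. */
static void prepare_vectors(struct mmsghdr *msgv, struct iovec *iov,
                            char bufs[VLEN][BUFSZ])
{
    memset(msgv, 0, sizeof(*msgv) * VLEN);
    for (int i = 0; i < VLEN; i++) {
        iov[i].iov_base = bufs[i];
        iov[i].iov_len = BUFSZ;
        msgv[i].msg_hdr.msg_iov = &iov[i];
        msgv[i].msg_hdr.msg_iovlen = 1;
    }
}

/*
 * Queue `nqueued` constructed datagrams ("dgram0", "dgram1", ...) on one
 * end of a socketpair, then ask the other end for up to VLEN of them with
 * MSG_DONTWAIT. Returns the recvmmsg() count, or -errno if recvmmsg() (or
 * the setup) fails. *so_error_out receives getsockopt(SO_ERROR) read after
 * the call; *bytes_out receives the sum of msg_len over the returned entries.
 */
int recvmmsg_demo(int nqueued, int *so_error_out, int *bytes_out)
{
    int sv[2];
    int ret = 0, so_err = 0, bytes = 0;
    char bufs[VLEN][BUFSZ];
    struct iovec iov[VLEN];
    struct mmsghdr msgv[VLEN];
    socklen_t optlen = sizeof so_err;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -errno;

    for (int i = 0; i < nqueued; i++) {
        char payload[16];
        int len = snprintf(payload, sizeof payload, "dgram%d", i);
        if (send(sv[0], payload, (size_t)len, 0) < 0) {
            ret = -errno;
            goto out;
        }
    }

    prepare_vectors(msgv, iov, bufs);

    /* With MSG_DONTWAIT the per-datagram recvmsg fails with -EAGAIN once the
     * queue is drained: with nqueued > 0 that is the partial-return branch
     * (count returned, sk_err untouched); with nqueued == 0 it is the
     * datagrams == 0 branch (the error itself is returned). */
    int n = recvmmsg(sv[1], msgv, VLEN, MSG_DONTWAIT, NULL);
    if (n < 0) {
        ret = -errno;
    } else {
        ret = n;
        for (int i = 0; i < n; i++)
            bytes += (int)msgv[i].msg_len;
    }

    if (getsockopt(sv[1], SOL_SOCKET, SO_ERROR, &so_err, &optlen) < 0)
        ret = -errno;
out:
    close(sv[0]);
    close(sv[1]);
    if (so_error_out)
        *so_error_out = so_err;
    if (bytes_out)
        *bytes_out = bytes;
    return ret;
}

int main(void)
{
    int so_err, bytes;
    int n = recvmmsg_demo(2, &so_err, &bytes);
    printf("2 queued, vlen=%d: recvmmsg=%d bytes=%d SO_ERROR=%d\n",
           VLEN, n, bytes, so_err);
    n = recvmmsg_demo(0, &so_err, &bytes);
    printf("0 queued, vlen=%d: recvmmsg=%d (%s) SO_ERROR=%d\n",
           VLEN, n, n < 0 ? strerror(-n) : "ok", so_err);
    return 0;
}
```

Run it as a normal user; the partial case returns 2 entries (12 payload bytes for the two constructed datagrams) with SO_ERROR still 0, and the empty case returns -EAGAIN rather than 0, which is the `datagrams == 0` path in the hunk above.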

* Re: [PATCH 1/1] net: Fix use after free in the recvmmsg exit path
  2016-03-14 12:56 ` [PATCH 1/1] net: Fix use after free in the recvmmsg exit path Arnaldo Carvalho de Melo
@ 2016-03-14 16:42   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2016-03-14 16:42 UTC (permalink / raw)
  To: acme; +Cc: netdev, linux-kernel, acme, glider, edumazet, kcc, sasha.levin

From: Arnaldo Carvalho de Melo <acme@kernel.org>
Date: Mon, 14 Mar 2016 09:56:35 -0300

> From: Arnaldo Carvalho de Melo <acme@redhat.com>
> 
> The syzkaller fuzzer hit the following use-after-free:
> 
>   Call Trace:
>    [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
>    [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
>    [<     inline     >] SYSC_recvmmsg net/socket.c:2281
>    [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
>    [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>   arch/x86/entry/entry_64.S:185
> 
> And, as Dmitry rightly assessed, that is because we can drop the
> reference and then touch it when the underlying recvmsg calls return
> some packets and then hit an error, which will make recvmmsg set
> sock->sk->sk_err, oops, fix it.
> 
> Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Alexander Potapenko <glider@google.com>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Kostya Serebryany <kcc@google.com>
> Cc: Sasha Levin <sasha.levin@oracle.com>
> Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
> http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Applied and queued up for -stable, thanks Arnaldo!
