* net: use-after-free in recvmmsg
@ 2016-01-22 20:39 Dmitry Vyukov
  2016-01-22 21:16 ` Arnaldo Carvalho de Melo
  0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2016-01-22 20:39 UTC (permalink / raw)
  To: David S. Miller, netdev, LKML, Eric Dumazet, Arnaldo Carvalho de Melo
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

Hello,

While running syzkaller fuzzer I've hit the following use-after-free:

==================================================================
BUG: KASAN: use-after-free in __sys_recvmmsg+0x6fa/0x7f0 at addr ffff88003b689ce0
Read of size 8 by task syz-executor/11997
=============================================================================
BUG sock_inode_cache (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in sock_alloc_inode+0x1d/0x250 age=125 cpu=1 pid=11960
[<      none      >] ___slab_alloc+0x4c2/0x500 mm/slub.c:2470
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2499
[<     inline     >] slab_alloc_node mm/slub.c:2562
[<     inline     >] slab_alloc mm/slub.c:2604
[<      none      >] kmem_cache_alloc+0x257/0x2d0 mm/slub.c:2609
[<      none      >] sock_alloc_inode+0x1d/0x250 net/socket.c:250
[<      none      >] alloc_inode+0x61/0x180 fs/inode.c:198
[<      none      >] new_inode_pseudo+0x17/0xe0 fs/inode.c:878
[<      none      >] sock_alloc+0x3d/0x260 net/socket.c:541
[<      none      >] __sock_create+0xa7/0x640 net/socket.c:1127
[<     inline     >] sock_create net/socket.c:1203
[<     inline     >] SYSC_socketpair net/socket.c:1275
[<      none      >] SyS_socketpair+0x112/0x4e0 net/socket.c:1254
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
INFO: Freed in sock_destroy_inode+0x56/0x70 age=25 cpu=1 pid=11960
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2680
[<     inline     >] slab_free mm/slub.c:2835
[<      none      >] kmem_cache_free+0x2ec/0x370 mm/slub.c:2844
[<      none      >] sock_destroy_inode+0x56/0x70 net/socket.c:280
[<      none      >] destroy_inode+0xc7/0x130 fs/inode.c:255
[<      none      >] evict+0x329/0x500 fs/inode.c:559
[<     inline     >] iput_final fs/inode.c:1477
[<      none      >] iput+0x45f/0x860 fs/inode.c:1504
[<     inline     >] dentry_iput fs/dcache.c:358
[<      none      >] __dentry_kill+0x457/0x620 fs/dcache.c:543
[<     inline     >] dentry_kill fs/dcache.c:587
[<      none      >] dput+0x65b/0x740 fs/dcache.c:796
[<      none      >] __fput+0x42f/0x780 fs/file_table.c:226
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x170/0x210 kernel/task_work.c:115
[<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
[<      none      >] exit_to_usermode_loop+0x1d1/0x210 arch/x86/entry/common.c:251
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x2ba/0x340 arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f arch/x86/entry/entry_64.S:281
INFO: Slab 0xffffea0000eda200 objects=22 used=2 fp=0xffff88003b689cc0 flags=0x1fffc0000004080
INFO: Object 0xffff88003b689cc0 @offset=7360 fp=0xffff88003b68a840

CPU: 3 PID: 11997 Comm: syz-executor Tainted: G    B           4.4.0+ #275
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880038fefb68 ffffffff82994c8d ffff88003df06d00
 ffff88003b689cc0 ffff88003b688000 ffff880038fefb98 ffffffff81755374
 ffff88003df06d00 ffffea0000eda200 ffff88003b689cc0 0000000000000002
Call Trace:
 [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
 [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
 [<     inline     >] SYSC_recvmmsg net/socket.c:2281
 [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
 [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
==================================================================

I cannot reproduce it, but looking at __sys_recvmmsg code, it seems
that sock is not necessarily live after fput_light:

out_put:
	fput_light(sock->file, fput_needed);

	if (err == 0)
		return datagrams;

	if (datagrams != 0) {
		/*
		 * We may return less entries than requested (vlen) if the
		 * sock is non block and there aren't enough datagrams...
		 */
		if (err != -EAGAIN) {
			/*
			 * ... or if recvmsg returns an error after we
			 * received some datagrams, where we record the
			 * error to return on the next call or if the
			 * app asks about it using getsockopt(SO_ERROR).
			 */
			sock->sk->sk_err = -err;
		}

		return datagrams;
	}

	return err;
}

I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337
(Oct 2009).

^ permalink raw reply	[flat|nested] 7+ messages in thread
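The ordering problem Dmitry describes above (the last reference to the file is dropped by fput_light(), then sock->sk is dereferenced) and the reordered exit path Arnaldo posts in his reply, as an added user-space model written for this page; it is not code from the thread or from the kernel. struct sock, struct socket, fput_light_model, record_sk_err and run_exit are stand-ins chosen for this example: a reference count plus a dead flag replaces the file reference and the slab free, so the stale store is counted deterministically instead of corrupting freed memory, and the (datagrams, err) inputs are constructed values standing in for what the receive loop would have produced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not code from the thread or the kernel: a user-space model
 * of the __sys_recvmmsg exit path. struct sock, struct socket, fput_light_model
 * and record_sk_err are stand-ins for this example. Dropping the last reference
 * marks the socket dead instead of freeing it, so a store that is a
 * use-after-free in the kernel is counted here rather than corrupting memory.
 */
struct sock { int sk_err; };		/* sk_err: what getsockopt(SO_ERROR) reports */
struct socket {
	struct sock *sk;
	int refcount;			/* stands in for the file reference count */
	bool dead;			/* set once the last reference is dropped */
};
struct exit_report { int ret, stale, sk_err; };	/* result, stale stores, sk_err left */

static int stale_stores;

/* Model of fput_light(): dropping the last reference tears the socket down. */
static void fput_light_model(struct socket *sock)
{
	if (--sock->refcount == 0)
		sock->dead = true;	/* the kernel frees sock and sock->sk here */
}

/* The store recvmmsg makes when an error follows some received datagrams. */
static void record_sk_err(struct socket *sock, int err)
{
	if (sock->dead) {
		stale_stores++;		/* KASAN reports this as a use-after-free */
		return;
	}
	sock->sk->sk_err = -err;
}

/* Pre-fix ordering: the reference is dropped first, then sock is touched. */
static int recvmmsg_exit_buggy(struct socket *sock, int datagrams, int err)
{
	fput_light_model(sock);
	if (err == 0)
		return datagrams;
	if (datagrams != 0) {
		if (err != -EAGAIN)
			record_sk_err(sock, err);
		return datagrams;
	}
	return err;
}

/* Fixed ordering: every use of sock happens before the single put. */
static int recvmmsg_exit_fixed(struct socket *sock, int datagrams, int err)
{
	if (err == 0)
		goto out_put;
	if (datagrams == 0) {
		datagrams = err;
		goto out_put;
	}
	if (err != -EAGAIN)
		record_sk_err(sock, err);
out_put:
	fput_light_model(sock);
	return datagrams;
}

/*
 * Run one exit path on a socket whose only remaining reference is the one
 * recvmmsg holds, i.e. another thread already close()d the fd. Reading
 * sk_err after the put is safe only because this model defers free().
 */
static struct exit_report run_exit(int (*exit_path)(struct socket *, int, int),
				   int datagrams, int err)
{
	struct socket *sock = calloc(1, sizeof(*sock));
	struct exit_report r;

	if (!sock || !(sock->sk = calloc(1, sizeof(*sock->sk))))
		abort();
	sock->refcount = 1;
	stale_stores = 0;
	r.ret = exit_path(sock, datagrams, err);
	r.stale = stale_stores;
	r.sk_err = sock->sk->sk_err;
	free(sock->sk);
	free(sock);
	return r;
}

int main(void)
{
	struct exit_report b = run_exit(recvmmsg_exit_buggy, 3, -ECONNRESET);
	struct exit_report f = run_exit(recvmmsg_exit_fixed, 3, -ECONNRESET);

	printf("buggy: ret=%d stale stores=%d\n", b.ret, b.stale);
	printf("fixed: ret=%d stale stores=%d sk_err=%d\n", f.ret, f.stale, f.sk_err);
	return 0;
}
```

With three datagrams already received and recvmsg then failing with ECONNRESET, the pre-fix ordering records the error into a socket whose last reference is already gone (one stale store, the load KASAN flagged in the report), while the reordered path records it first and drops the reference last. run_exit also makes the second thing a reviewer wants checked cheap: running both orderings over the same (datagrams, err) pairs shows that the refactor keeps the syscall's return value unchanged for every case, including the datagrams == 0 path that now has to copy err into datagrams before jumping to the shared exit.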
* Re: net: use-after-free in recvmmsg 2016-01-22 20:39 net: use-after-free in recvmmsg Dmitry Vyukov @ 2016-01-22 21:16 ` Arnaldo Carvalho de Melo 2016-01-26 19:27 ` Dmitry Vyukov 0 siblings, 1 reply; 7+ messages in thread From: Arnaldo Carvalho de Melo @ 2016-01-22 21:16 UTC (permalink / raw) To: Dmitry Vyukov Cc: David S. Miller, netdev, LKML, Eric Dumazet, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, acme Em Fri, Jan 22, 2016 at 09:39:53PM +0100, Dmitry Vyukov escreveu: > While running syzkaller fuzzer I've hit the following use-after-free: <SNIP> > Call Trace: > [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 > mm/kasan/report.c:295 > [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261 > [< inline >] SYSC_recvmmsg net/socket.c:2281 > [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270 > [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a > arch/x86/entry/entry_64.S:185 > ================================================================== > > I cannot reproduce it, but looking at __sys_recvmmsg code, it seems > that sock is not necessary live after fput_light: > > out_put: > fput_light(sock->file, fput_needed); > > if (err == 0) > return datagrams; > > if (datagrams != 0) { > /* > * We may return less entries than requested (vlen) if the > * sock is non block and there aren't enough datagrams... > */ > if (err != -EAGAIN) { > /* > * ... or if recvmsg returns an error after we > * received some datagrams, where we record the > * error to return on the next call or if the > * app asks about it using getsockopt(SO_ERROR). > */ > sock->sk->sk_err = -err; > } > > return datagrams; > } > > return err; > } > > I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20). > Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337 > (Oct 2009). Maybe this helps? Compile testing now... diff --git a/net/socket.c b/net/socket.c index 91c2de6f5020..03e57ad7ec9f 100644 --- a/net/socket.c 
+++ b/net/socket.c @@ -2240,31 +2240,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, cond_resched(); } -out_put: - fput_light(sock->file, fput_needed); - if (err == 0) - return datagrams; + goto out_put; - if (datagrams != 0) { + if (datagrams == 0) { + datagrams = err; + goto out_put; + } + + /* + * We may return less entries than requested (vlen) if the + * sock is non block and there aren't enough datagrams... + */ + if (err != -EAGAIN) { /* - * We may return less entries than requested (vlen) if the - * sock is non block and there aren't enough datagrams... + * ... or if recvmsg returns an error after we + * received some datagrams, where we record the + * error to return on the next call or if the + * app asks about it using getsockopt(SO_ERROR). */ - if (err != -EAGAIN) { - /* - * ... or if recvmsg returns an error after we - * received some datagrams, where we record the - * error to return on the next call or if the - * app asks about it using getsockopt(SO_ERROR). - */ - sock->sk->sk_err = -err; - } - - return datagrams; + sock->sk->sk_err = -err; } +out_put: + fput_light(sock->file, fput_needed); - return err; + return datagrams; } SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, ^ permalink raw reply related [flat|nested] 7+ messages in thread
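Review bot: the `out_put` label now ends in an unconditional `return datagrams;` where it used to fall through to `if (err == 0) return datagrams; ... return err;`, so every other `goto out_put` in the function, none of which is visible in this single hunk, changes meaning: a jump taken with `err` set and `datagrams` still 0 would now return 0 (success, no datagrams) and silently drop the error. Each such jump above this hunk needs `datagrams = err;` in front of it, exactly as the new `if (datagrams == 0)` branch does, or should target a separate label that still returns `err`. The reordering itself is the right fix for the KASAN report: `sock->sk->sk_err = -err;` now runs before `fput_light(sock->file, fput_needed);`, while the file reference that pins the socket inode is still held, so the store can no longer land on a freed `sock_inode_cache` object; that sentence belongs in the commit message, since without a reproducer the inspection argument is the only evidence for the change.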
* Re: net: use-after-free in recvmmsg
  2016-01-22 21:16 ` Arnaldo Carvalho de Melo
@ 2016-01-26 19:27   ` Dmitry Vyukov
  2016-01-26 19:30     ` Arnaldo Carvalho de Melo
  0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2016-01-26 19:27 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo
  Cc: David S. Miller, netdev, LKML, Eric Dumazet, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Arnaldo Carvalho de Melo

On Fri, Jan 22, 2016 at 10:16 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
> On Fri, Jan 22, 2016 at 09:39:53PM +0100, Dmitry Vyukov wrote:
>> While running syzkaller fuzzer I've hit the following use-after-free:
>
> <SNIP>
>
>> Call Trace:
>> [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40
>> mm/kasan/report.c:295
>> [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
>> [<     inline     >] SYSC_recvmmsg net/socket.c:2281
>> [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
>> [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>> ==================================================================
>>
>> I cannot reproduce it, but looking at __sys_recvmmsg code, it seems
>> that sock is not necessarily live after fput_light:
>>
>> out_put:
>>         fput_light(sock->file, fput_needed);
>>
>>         if (err == 0)
>>                 return datagrams;
>>
>>         if (datagrams != 0) {
>>                 /*
>>                  * We may return less entries than requested (vlen) if the
>>                  * sock is non block and there aren't enough datagrams...
>>                  */
>>                 if (err != -EAGAIN) {
>>                         /*
>>                          * ... or if recvmsg returns an error after we
>>                          * received some datagrams, where we record the
>>                          * error to return on the next call or if the
>>                          * app asks about it using getsockopt(SO_ERROR).
>>                          */
>>                         sock->sk->sk_err = -err;
>>                 }
>>
>>                 return datagrams;
>>         }
>>
>>         return err;
>> }
>>
>> I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
>> Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337
>> (Oct 2009).
>
> Maybe this helps? Compile testing now...

I don't have a reliable reproducer, so can't test it per se.
I will integrate this patch tomorrow and restart fuzzer with it.
> diff --git a/net/socket.c b/net/socket.c > index 91c2de6f5020..03e57ad7ec9f 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -2240,31 +2240,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, > cond_resched(); > } > > -out_put: > - fput_light(sock->file, fput_needed); > - > if (err == 0) > - return datagrams; > + goto out_put; > > - if (datagrams != 0) { > + if (datagrams == 0) { > + datagrams = err; > + goto out_put; > + } > + > + /* > + * We may return less entries than requested (vlen) if the > + * sock is non block and there aren't enough datagrams... > + */ > + if (err != -EAGAIN) { > /* > - * We may return less entries than requested (vlen) if the > - * sock is non block and there aren't enough datagrams... > + * ... or if recvmsg returns an error after we > + * received some datagrams, where we record the > + * error to return on the next call or if the > + * app asks about it using getsockopt(SO_ERROR). > */ > - if (err != -EAGAIN) { > - /* > - * ... or if recvmsg returns an error after we > - * received some datagrams, where we record the > - * error to return on the next call or if the > - * app asks about it using getsockopt(SO_ERROR). > - */ > - sock->sk->sk_err = -err; > - } > - > - return datagrams; > + sock->sk->sk_err = -err; > } > +out_put: > + fput_light(sock->file, fput_needed); > > - return err; > + return datagrams; > } > > SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: net: use-after-free in recvmmsg
  2016-01-26 19:27   ` Dmitry Vyukov
@ 2016-01-26 19:30     ` Arnaldo Carvalho de Melo
  2016-03-10 18:35       ` Dmitry Vyukov
  0 siblings, 1 reply; 7+ messages in thread
From: Arnaldo Carvalho de Melo @ 2016-01-26 19:30 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: David S. Miller, netdev, LKML, Eric Dumazet, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Arnaldo Carvalho de Melo

On Tue, Jan 26, 2016 at 08:27:48PM +0100, Dmitry Vyukov wrote:
> On Fri, Jan 22, 2016 at 10:16 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
> > On Fri, Jan 22, 2016 at 09:39:53PM +0100, Dmitry Vyukov wrote:
> >> I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
> >> Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337
> >> (Oct 2009).
> >
> > Maybe this helps? Compile testing now...
>
>
> I don't have a reliable reproducer, so can't test it per se.
> I will integrate this patch tomorrow and restart fuzzer with it.

Thanks a lot!

- Arnaldo

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: net: use-after-free in recvmmsg
  2016-01-26 19:30     ` Arnaldo Carvalho de Melo
@ 2016-03-10 18:35       ` Dmitry Vyukov
  2016-03-10 19:31         ` Arnaldo Carvalho de Melo
  0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2016-03-10 18:35 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo
  Cc: David S. Miller, netdev, LKML, Eric Dumazet, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Arnaldo Carvalho de Melo

On Tue, Jan 26, 2016 at 8:30 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
> On Tue, Jan 26, 2016 at 08:27:48PM +0100, Dmitry Vyukov wrote:
>> On Fri, Jan 22, 2016 at 10:16 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
>> > On Fri, Jan 22, 2016 at 09:39:53PM +0100, Dmitry Vyukov wrote:
>> >> I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
>> >> Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337
>> >> (Oct 2009).
>> >
>> > Maybe this helps? Compile testing now...
>>
>>
>> I don't have a reliable reproducer, so can't test it per se.
>> I will integrate this patch tomorrow and restart fuzzer with it.
>
> Thanks a lot!

Hi Arnaldo,

I have been running with that patch since then, and did not see the bug.
Please mail it as a proper patch.

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: net: use-after-free in recvmmsg
  2016-03-10 18:35       ` Dmitry Vyukov
@ 2016-03-10 19:31         ` Arnaldo Carvalho de Melo
  2016-03-11 16:42           ` Dmitry Vyukov
  0 siblings, 1 reply; 7+ messages in thread
From: Arnaldo Carvalho de Melo @ 2016-03-10 19:31 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: David S. Miller, netdev, LKML, Eric Dumazet, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Arnaldo Carvalho de Melo

On Thu, Mar 10, 2016 at 07:35:57PM +0100, Dmitry Vyukov wrote:
> On Tue, Jan 26, 2016 at 8:30 PM, Arnaldo Carvalho de Melo
> <acme@redhat.com> wrote:
> > On Tue, Jan 26, 2016 at 08:27:48PM +0100, Dmitry Vyukov wrote:
> >> On Fri, Jan 22, 2016 at 10:16 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
> >> > On Fri, Jan 22, 2016 at 09:39:53PM +0100, Dmitry Vyukov wrote:
> >> >> I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
> >> >> Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337
> >> >> (Oct 2009).
> >> >
> >> > Maybe this helps? Compile testing now...
> >>
> >>
> >> I don't have a reliable reproducer, so can't test it per se.
> >> I will integrate this patch tomorrow and restart fuzzer with it.
> >
> > Thanks a lot!
>
> Hi Arnaldo,
>
> I have been running with that patch since then, and did not see the bug.
> Please mail it as a proper patch.

Thanks, and I'll add a:

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>

Ok?

- Arnaldo

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: net: use-after-free in recvmmsg
  2016-03-10 19:31         ` Arnaldo Carvalho de Melo
@ 2016-03-11 16:42           ` Dmitry Vyukov
  0 siblings, 0 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2016-03-11 16:42 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo
  Cc: David S. Miller, netdev, LKML, Eric Dumazet, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Arnaldo Carvalho de Melo

On Thu, Mar 10, 2016 at 8:31 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
> On Thu, Mar 10, 2016 at 07:35:57PM +0100, Dmitry Vyukov wrote:
>> On Tue, Jan 26, 2016 at 8:30 PM, Arnaldo Carvalho de Melo
>> <acme@redhat.com> wrote:
>> > On Tue, Jan 26, 2016 at 08:27:48PM +0100, Dmitry Vyukov wrote:
>> >> On Fri, Jan 22, 2016 at 10:16 PM, Arnaldo Carvalho de Melo <acme@redhat.com> wrote:
>> >> > On Fri, Jan 22, 2016 at 09:39:53PM +0100, Dmitry Vyukov wrote:
>> >> >> I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
>> >> >> Seems to be added in commit a2e2725541fad72416326798c2d7fa4dafb7d337
>> >> >> (Oct 2009).
>> >> >
>> >> > Maybe this helps? Compile testing now...
>> >>
>> >>
>> >> I don't have a reliable reproducer, so can't test it per se.
>> >> I will integrate this patch tomorrow and restart fuzzer with it.
>> >
>> > Thanks a lot!
>>
>> Hi Arnaldo,
>>
>> I have been running with that patch since then, and did not see the bug.
>> Please mail it as a proper patch.
>
> Thanks, and I'll add a:
>
> Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
>
> Ok?

Ok

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>

^ permalink raw reply	[flat|nested] 7+ messages in thread