From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+5c74af81c547738e1684@syzkaller.appspotmail.com,
syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com,
Daniel Borkmann <daniel@iogearbox.net>,
Dave Watson <davejwatson@fb.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 12/64] tls: fix use-after-free in tls_push_record
Date: Sun, 24 Jun 2018 23:21:53 +0800 [thread overview]
Message-ID: <20180624142744.413455239@linuxfoundation.org> (raw)
In-Reply-To: <20180624142743.613370789@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit a447da7d00410278c90d3576782a43f8b675d7be ]
syzkaller managed to trigger a use-after-free in tls like the
following:
BUG: KASAN: use-after-free in tls_push_record.constprop.15+0x6a2/0x810 [tls]
Write of size 1 at addr ffff88037aa08000 by task a.out/2317
CPU: 3 PID: 2317 Comm: a.out Not tainted 4.17.0+ #144
Hardware name: LENOVO 20FBCTO1WW/20FBCTO1WW, BIOS N1FET47W (1.21 ) 11/28/2016
Call Trace:
dump_stack+0x71/0xab
print_address_description+0x6a/0x280
kasan_report+0x258/0x380
? tls_push_record.constprop.15+0x6a2/0x810 [tls]
tls_push_record.constprop.15+0x6a2/0x810 [tls]
tls_sw_push_pending_record+0x2e/0x40 [tls]
tls_sk_proto_close+0x3fe/0x710 [tls]
? tcp_check_oom+0x4c0/0x4c0
? tls_write_space+0x260/0x260 [tls]
? kmem_cache_free+0x88/0x1f0
inet_release+0xd6/0x1b0
__sock_release+0xc0/0x240
sock_close+0x11/0x20
__fput+0x22d/0x660
task_work_run+0x114/0x1a0
do_exit+0x71a/0x2780
? mm_update_next_owner+0x650/0x650
? handle_mm_fault+0x2f5/0x5f0
? __do_page_fault+0x44f/0xa50
? mm_fault_error+0x2d0/0x2d0
do_group_exit+0xde/0x300
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x9a/0x300
? page_fault+0x8/0x30
entry_SYSCALL_64_after_hwframe+0x44/0xa9
This happened through fault injection where aead_req allocation in
tls_do_encryption() eventually failed and we returned -ENOMEM from
the function. Turns out that the use-after-free is triggered from
tls_sw_sendmsg() in the second tls_push_record(). The error then
triggers a jump to waiting for memory in sk_stream_wait_memory()
resp. returning immediately in case of MSG_DONTWAIT. What follows is
the trim_both_sgl(sk, orig_size), which drops elements from the sg
list added via tls_sw_sendmsg(). Now the use-after-free gets triggered
when the socket is being closed, where tls_sk_proto_close() callback
is invoked. The tls_complete_pending_work() will figure that there's
a pending closed tls record to be flushed and thus calls into the
tls_push_pending_closed_record() from there. ctx->push_pending_record()
is called from the latter, which is the tls_sw_push_pending_record()
from sw path. This again calls into tls_push_record(). And here the
tls_fill_prepend() will panic since the buffer address has been freed
earlier via trim_both_sgl(). One way to fix it is to move the aead
request allocation out of tls_do_encryption() early into tls_push_record().
This means we don't prep the tls header and advance state to the
TLS_PENDING_CLOSED_RECORD before allocation which could potentially
fail happened. That fixes the issue on my side.
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Reported-by: syzbot+5c74af81c547738e1684@syzkaller.appspotmail.com
Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tls/tls_sw.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -195,18 +195,12 @@ static void tls_free_both_sg(struct sock
}
static int tls_do_encryption(struct tls_context *tls_ctx,
- struct tls_sw_context *ctx, size_t data_len,
- gfp_t flags)
+ struct tls_sw_context *ctx,
+ struct aead_request *aead_req,
+ size_t data_len)
{
- unsigned int req_size = sizeof(struct aead_request) +
- crypto_aead_reqsize(ctx->aead_send);
- struct aead_request *aead_req;
int rc;
- aead_req = kzalloc(req_size, flags);
- if (!aead_req)
- return -ENOMEM;
-
ctx->sg_encrypted_data[0].offset += tls_ctx->prepend_size;
ctx->sg_encrypted_data[0].length -= tls_ctx->prepend_size;
@@ -223,7 +217,6 @@ static int tls_do_encryption(struct tls_
ctx->sg_encrypted_data[0].offset -= tls_ctx->prepend_size;
ctx->sg_encrypted_data[0].length += tls_ctx->prepend_size;
- kfree(aead_req);
return rc;
}
@@ -232,8 +225,14 @@ static int tls_push_record(struct sock *
{
struct tls_context *tls_ctx = tls_get_ctx(sk);
struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx);
+ struct aead_request *req;
int rc;
+ req = kzalloc(sizeof(struct aead_request) +
+ crypto_aead_reqsize(ctx->aead_send), sk->sk_allocation);
+ if (!req)
+ return -ENOMEM;
+
sg_mark_end(ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem - 1);
sg_mark_end(ctx->sg_encrypted_data + ctx->sg_encrypted_num_elem - 1);
@@ -249,15 +248,14 @@ static int tls_push_record(struct sock *
tls_ctx->pending_open_record_frags = 0;
set_bit(TLS_PENDING_CLOSED_RECORD, &tls_ctx->flags);
- rc = tls_do_encryption(tls_ctx, ctx, ctx->sg_plaintext_size,
- sk->sk_allocation);
+ rc = tls_do_encryption(tls_ctx, ctx, req, ctx->sg_plaintext_size);
if (rc < 0) {
/* If we are called from write_space and
* we fail, we need to set this SOCK_NOSPACE
* to trigger another write_space in the future.
*/
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
- return rc;
+ goto out_req;
}
free_sg(sk, ctx->sg_plaintext_data, &ctx->sg_plaintext_num_elem,
@@ -272,6 +270,8 @@ static int tls_push_record(struct sock *
tls_err_abort(sk);
tls_advance_record_sn(sk, tls_ctx);
+out_req:
+ kfree(req);
return rc;
}
next prev parent reply other threads:[~2018-06-24 15:32 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-24 15:21 [PATCH 4.16 00/64] 4.16.18-stable review Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 01/64] bonding: re-evaluate force_primary when the primary slave name changes Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 03/64] ipv6: allow PMTU exceptions to local routes Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 04/64] net: dsa: add error handling for pskb_trim_rcsum Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 05/64] net: phy: dp83822: use BMCR_ANENABLE instead of BMSR_ANEGCAPABLE for DP83620 Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 06/64] net/sched: act_simple: fix parsing of TCA_DEF_DATA Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 07/64] tcp: verify the checksum of the first data segment in a new connection Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 08/64] socket: close race condition between sock_close() and sockfs_setattr() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 09/64] udp: fix rx queue len reported by diag and proc interface Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 10/64] net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 11/64] hv_netvsc: Fix a network regression after ifdown/ifup Greg Kroah-Hartman
2018-06-24 15:21 ` Greg Kroah-Hartman [this message]
2018-06-24 15:21 ` [PATCH 4.16 13/64] ext4: fix hole length detection in ext4_ind_map_blocks() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 14/64] ext4: update mtime in ext4_punch_hole even if no blocks are released Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 15/64] ext4: do not allow external inodes for inline data Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 16/64] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 17/64] ext4: correctly handle a zero-length xattr with a non-zero e_value_offs Greg Kroah-Hartman
2018-06-24 15:21 ` [PATCH 4.16 18/64] ext4: fix fencepost error in check for inode count overflow during resize Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 19/64] driver core: Dont ignore class_dir_create_and_add() failure Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 20/64] Btrfs: fix clone vs chattr NODATASUM race Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 21/64] Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 22/64] btrfs: return error value if create_io_em failed in cow_file_range Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 23/64] btrfs: scrub: Dont use inode pages for device replace Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 24/64] ALSA: usb-audio: Disable the quirk for Nura headset Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 25/64] ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 26/64] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 27/64] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 28/64] ALSA: hda: add dock and led support for HP EliteBook 830 G5 Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 29/64] ALSA: hda: add dock and led support for HP ProBook 640 G4 Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 30/64] x86/MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read() Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 31/64] smb3: fix various xid leaks Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 32/64] smb3: on reconnect set PreviousSessionId field Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 33/64] CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check for session expiry Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 34/64] cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 35/64] nbd: fix nbd device deletion Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 36/64] nbd: update size when connected Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 37/64] nbd: use bd_set_size when updating disk size Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 38/64] blk-mq: reinit q->tag_set_list entry only after grace period Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 39/64] bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 40/64] cpufreq: Fix new policy initialization during limits updates via sysfs Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 41/64] cpufreq: ti-cpufreq: Fix an incorrect error return value Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 42/64] cpufreq: governors: Fix long idle detection logic in load calculation Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 43/64] libata: zpodd: small read overflow in eject_tray() Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 44/64] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 45/64] nvme/pci: Sync controller reset for AER slot_reset Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 46/64] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 47/64] x86/vector: Fix the args of vector_alloc tracepoint Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 48/64] x86/apic/vector: Prevent hlist corruption and leaks Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 49/64] x86/apic: Provide apic_ack_irq() Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 50/64] x86/ioapic: Use apic_ack_irq() Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 51/64] x86/platform/uv: " Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 52/64] irq_remapping: " Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 53/64] genirq/generic_pending: Do not lose pending affinity update Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 54/64] genirq/affinity: Defer affinity setting if irq chip is busy Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 55/64] genirq/migration: Avoid out of line call if pending is not set Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 56/64] x86/intel_rdt: Enable CMT and MBM on new Skylake stepping Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 57/64] iwlwifi: fw: harden page loading code Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 58/64] orangefs: set i_size on new symlink Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 59/64] orangefs: report attributes_mask and attributes for statx Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 60/64] HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 61/64] HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 62/64] vhost: fix info leak due to uninitialized memory Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 63/64] fs/binfmt_misc.c: do not allow offset overflow Greg Kroah-Hartman
2018-06-24 15:22 ` [PATCH 4.16 64/64] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset Greg Kroah-Hartman
2018-06-25 6:40 ` [PATCH 4.16 00/64] 4.16.18-stable review Naresh Kamboju
2018-06-25 17:20 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180624142744.413455239@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=davejwatson@fb.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+5c74af81c547738e1684@syzkaller.appspotmail.com \
--cc=syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).