linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: duoming@zju.edu.cn
To: "Eric Dumazet" <edumazet@google.com>
Cc: linux-hams@vger.kernel.org, netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"David Miller" <davem@davemloft.net>,
	"Ralf Baechle" <ralf@linux-mips.org>
Subject: Re: [PATCH net] net: rose: fix UAF bug caused by rose_t0timer_expiry
Date: Thu, 30 Jun 2022 23:51:21 +0800 (GMT+08:00)	[thread overview]
Message-ID: <55ffc892.1ea21.181b54f4b2f.Coremail.duoming@zju.edu.cn> (raw)
In-Reply-To: <CANn89iKo-uuF-iQWrfL=pgMu7bEakWHPDAVuLvT-TZ4AujiD=w@mail.gmail.com>

Hello,

On Thu, 30 Jun 2022 17:17:10 +0200 Eric Dumazet wrote:

> > > > There are UAF bugs caused by rose_t0timer_expiry(). The
> > > > root cause is that del_timer() could not stop the timer
> > > > handler that is running and there is no synchronization.
> > > > One of the race conditions is shown below:
> > > >
> > > >     (thread 1)             |        (thread 2)
> > > >                            | rose_device_event
> > > >                            |   rose_rt_device_down
> > > >                            |     rose_remove_neigh
> > > > rose_t0timer_expiry        |       rose_stop_t0timer(rose_neigh)
> > > >   ...                      |         del_timer(&neigh->t0timer)
> > > >                            |         kfree(rose_neigh) //[1]FREE
> > > >   neigh->dce_mode //[2]USE |
> > > >
> > > > The rose_neigh is deallocated in position [1] and use in
> > > > position [2].
> > > >
> > > > The crash trace triggered by POC is like below:
> > > >
> > > > BUG: KASAN: use-after-free in expire_timers+0x144/0x320
> > > > Write of size 8 at addr ffff888009b19658 by task swapper/0/0
> > > > ...
> > > > Call Trace:
> > > >  <IRQ>
> > > >  dump_stack_lvl+0xbf/0xee
> > > >  print_address_description+0x7b/0x440
> > > >  print_report+0x101/0x230
> > > >  ? expire_timers+0x144/0x320
> > > >  kasan_report+0xed/0x120
> > > >  ? expire_timers+0x144/0x320
> > > >  expire_timers+0x144/0x320
> > > >  __run_timers+0x3ff/0x4d0
> > > >  run_timer_softirq+0x41/0x80
> > > >  __do_softirq+0x233/0x544
> > > >  ...
> > > >
> > > > This patch changes del_timer() in rose_stop_t0timer() and
> > > > rose_stop_ftimer() to del_timer_sync() in order that the
> > > > timer handler could be finished before the resources such as
> > > > rose_neigh and so on are deallocated. As a result, the UAF
> > > > bugs could be mitigated.
> > > >
> > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> > > > ---
> > > >  net/rose/rose_link.c | 4 ++--
> > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
> > > > index 8b96a56d3a4..9734d1264de 100644
> > > > --- a/net/rose/rose_link.c
> > > > +++ b/net/rose/rose_link.c
> > > > @@ -54,12 +54,12 @@ static void rose_start_t0timer(struct rose_neigh *neigh)
> > > >
> > > >  void rose_stop_ftimer(struct rose_neigh *neigh)
> > > >  {
> > > > -       del_timer(&neigh->ftimer);
> > > > +       del_timer_sync(&neigh->ftimer);
> > > >  }
> > >
> > > Are you sure this is safe ?
> > >
> > > del_timer_sync() could hang if the caller holds a lock that the timer
> > > function would need to acquire.
> >
> > I think this is safe. The rose_ftimer_expiry() is an empty function that is
> > shown below:
> >
> > static void rose_ftimer_expiry(struct timer_list *t)
> > {
> > }
> >
> > > >
> > > >  void rose_stop_t0timer(struct rose_neigh *neigh)
> > > >  {
> > > > -       del_timer(&neigh->t0timer);
> > > > +       del_timer_sync(&neigh->t0timer);
> > > >  }
> > >
> > > Same here, please explain why it is safe.
> >
> > The rose_stop_t0timer() may hold "rose_node_list_lock" and "rose_neigh_list_lock",
> > but the timer handler rose_t0timer_expiry() that is shown below does not need
> > these two locks.
> >
> > static void rose_t0timer_expiry(struct timer_list *t)
> > {
> >         struct rose_neigh *neigh = from_timer(neigh, t, t0timer);
> >
> >         rose_transmit_restart_request(neigh);
> >
> >         neigh->dce_mode = 0;
> >
> >         rose_start_t0timer(neigh);
> 
> This will rearm the timer.  del_timer_sync() will not help.

Thank you for your time, but I don't think so.

> Please read the comment in front of del_timer_sync(), in kernel/time/timer.c

I wrote a kernel module to test whether del_timer_sync() could finish a timer handler
that use mod_timer() to rewind itself. The following is the result.

# insmod del_timer_sync.ko 
[  929.374405] my_timer will be create.
[  929.374738] the jiffies is :4295595572
[  930.411581] In my_timer_function
[  930.411956] the jiffies is 4295596609
[  935.466643] In my_timer_function
[  935.467505] the jiffies is 4295601665
[  940.586538] In my_timer_function
[  940.586916] the jiffies is 4295606784
[  945.706579] In my_timer_function
[  945.706885] the jiffies is 4295611904

# 
# rmmod del_timer_sync.ko
[  948.507692] the del_timer_sync is :1
[  948.507692] 
# 
# 

The result of the experiment shows that the timer handler could
be killed after we execute del_timer_sync(), even if the timer could
rewind itself.

Best regards,
Duoming Zhou

  reply	other threads:[~2022-06-30 15:51 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-30 14:38 [PATCH net] net: rose: fix UAF bug caused by rose_t0timer_expiry Duoming Zhou
2022-06-30 14:44 ` Eric Dumazet
2022-06-30 15:08   ` duoming
2022-06-30 15:17     ` Eric Dumazet
2022-06-30 15:51       ` duoming [this message]
2022-06-30 16:07         ` Eric Dumazet
2022-07-01  5:14           ` duoming

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=55ffc892.1ea21.181b54f4b2f.Coremail.duoming@zju.edu.cn \
    --to=duoming@zju.edu.cn \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-hams@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=ralf@linux-mips.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).