mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-05 08:26:59 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/tipc
History
Hoang Huu Le 7153ef8327 tipc: fix use-after-free in tipc_bcast_get_mode 
commit fdeba99b1e upstream.

Syzbot has reported those issues as:

==================================================================
BUG: KASAN: use-after-free in tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759
Read of size 1 at addr ffff88805e6b3571 by task kworker/0:6/3850

CPU: 0 PID: 3850 Comm: kworker/0:6 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work

Thread 1's call trace:
[...]
  kfree+0x103/0x2c0 mm/slab.c:3757 <- bcbase releasing
  tipc_bcast_stop+0x1b0/0x2f0 net/tipc/bcast.c:721
  tipc_exit_net+0x24/0x270 net/tipc/core.c:112
[...]

Thread 2's call trace:
[...]
  tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759 <- bcbase
has already been freed by Thread 1

  tipc_node_broadcast+0x9e/0xcc0 net/tipc/node.c:1744
  tipc_nametbl_publish+0x60b/0x970 net/tipc/name_table.c:752
  tipc_net_finalize net/tipc/net.c:141 [inline]
  tipc_net_finalize+0x1fa/0x310 net/tipc/net.c:131
  tipc_net_finalize_work+0x55/0x80 net/tipc/net.c:150
[...]

==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
Read of size 8 at addr ffff888052ab2000 by task kworker/0:13/30628
CPU: 0 PID: 30628 Comm: kworker/0:13 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
 tipc_net_finalize+0x85/0xe0 net/tipc/net.c:138
 tipc_net_finalize_work+0x50/0x70 net/tipc/net.c:150
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
[...]
Freed by task 14058:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 tipc_exit_net+0x29/0x50 net/tipc/core.c:113
 ops_exit_list net/core/net_namespace.c:186 [inline]
 cleanup_net+0x708/0xba0 net/core/net_namespace.c:603
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Fix it by calling flush_scheduled_work() to make sure the
tipc_net_finalize_work() stopped before releasing bcbase object.

Reported-by: syzbot+6ea1f7a8df64596ef4d7@syzkaller.appspotmail.com
Reported-by: syzbot+e9cc557752ab126c1b99@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Huu Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-10 10:24:01 +01:00
..
addr.c
addr.h tipc: introduce constants for tipc address validation 2016-07-26 14:26:42 -07:00
bcast.c tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
bcast.h tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
bearer.c tipc: error path leak fixes in tipc_enable_bearer() 2018-03-03 10:23:24 +01:00
bearer.h tipc: check minimum bearer MTU 2016-12-02 14:03:20 -05:00
core.c tipc: fix use-after-free in tipc_bcast_get_mode 2020-11-10 10:24:01 +01:00
core.h
discover.c tipc: allocate user memory with GFP_KERNEL flag 2017-07-05 14:40:27 +02:00
discover.h
eth_media.c
ib_media.c
Kconfig
link.c tipc: fix skb may be leaky in tipc_link_input 2019-12-05 15:35:12 +01:00
link.h tipc: transfer broadcast nacks in link state messages 2016-09-02 17:10:24 -07:00
Makefile
monitor.c tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path 2018-03-03 10:23:24 +01:00
monitor.h tipc: dump monitor attributes 2016-07-26 14:26:42 -07:00
msg.c tipc: fix memory leak caused by tipc_buf_append() 2020-11-10 10:23:50 +01:00
msg.h tipc: allocate user memory with GFP_KERNEL flag 2017-07-05 14:40:27 +02:00
name_distr.c tipc: add NULL pointer check before calling kfree_rcu 2019-09-21 07:14:03 +02:00
name_distr.h
name_table.c
name_table.h
net.c tipc: Fix tipc_sk_reinit race conditions 2017-06-17 06:41:49 +02:00
net.h tipc: add peer removal functionality 2016-08-18 23:36:07 -07:00
netlink.c tipc: add policy for TIPC_NLA_NET_ADDR 2018-04-29 11:32:01 +02:00
netlink.h tipc: make cluster size threshold for monitoring configurable 2016-07-26 14:26:42 -07:00
netlink_compat.c tipc: fix uninit skb->data in tipc_nl_compat_dumpit() 2020-09-03 11:21:15 +02:00
node.c tipc: tipc clang warning 2020-01-29 10:24:19 +01:00
node.h tipc: transfer broadcast nacks in link state messages 2016-09-02 17:10:24 -07:00
server.c tipc: fix memory leak in tipc_accept_from_sock() 2017-12-16 16:25:45 +01:00
server.h
socket.c tipc: use lock_sock() in tipc_sk_reinit() 2019-01-09 16:16:41 +01:00
socket.h
subscr.c tipc: fix modprobe tipc failed after switch order of device registration 2019-06-11 12:22:36 +02:00
subscr.h tipc: fix modprobe tipc failed after switch order of device registration 2019-06-11 12:22:36 +02:00
sysctl.c tipc: set sysctl_tipc_rmem and named_timeout right range 2020-01-29 10:24:21 +01:00
udp_media.c net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2020-05-20 08:15:30 +02:00
udp_media.h tipc: add UDP remoteip dump to netlink API 2016-08-26 21:38:41 -07:00