mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-18 16:44:33 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Kuniyuki Iwashima 67daeaecd7 raw: Fix NULL deref in raw_get_next(). 
[ Upstream commit 0a78cf7264 ]

Dae R. Jeong reported a NULL deref in raw_get_next() [0].

It seems that the repro was running these sequences in parallel so
that one thread was iterating on a socket that was being freed in
another netns.

  unshare(0x40060200)
  r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00')
  socket$inet_icmp_raw(0x2, 0x3, 0x1)
  pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f)

After commit 0daf07e527 ("raw: convert raw sockets to RCU"), we
use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW
sockets.  However, we should use spinlock for slow paths to avoid
the NULL deref.

Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object
is not reused during iteration in the grace period.  In fact, the
lockless readers do not check the nulls marker with get_nulls_value().
So, SOCK_RAW should use hlist instead of hlist_nulls.

Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),
let's convert hlist_nulls to hlist and use sk_for_each_rcu() for
fast paths and sk_for_each() and spinlock for /proc/net/raw.

[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS:  00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225
 seq_read+0x224/0x320 fs/seq_file.c:162
 pde_read fs/proc/inode.c:316 [inline]
 proc_reg_read+0x23f/0x330 fs/proc/inode.c:328
 vfs_read+0x31e/0xd30 fs/read_write.c:468
 ksys_pread64 fs/read_write.c:665 [inline]
 __do_sys_pread64 fs/read_write.c:675 [inline]
 __se_sys_pread64 fs/read_write.c:672 [inline]
 __x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x478d29
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29
RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000
R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740
R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]
RIP: 0010:sock_net include/net/sock.h:649 [inline]
RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]
RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]
RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995
Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef
RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000
RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338
RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9
R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78
R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030
FS:  00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92ff166000 CR3: 000000003c672000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fixes: 0daf07e527 ("raw: convert raw sockets to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZCA2mGV_cmq7lIfV@dragonet/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-04-13 17:02:41 +02:00
..
6lowpan
9p net/9p: fix bug in client create for .L 2023-03-22 13:37:56 +01:00
802 treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
8021q net: Remove the obsolte u64_stats_fetch_*_irq() users (net). 2022-10-28 20:13:54 -07:00
appletalk
atm driver core: make struct class.dev_uevent() take a const * 2022-11-24 17:12:15 +01:00
ax25 ax25: af_ax25: Remove unnecessary (void*) conversions 2022-11-16 13:31:03 +00:00
batman-adv Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
bluetooth Bluetooth: Fix race condition in hci_cmd_sync_clear 2023-03-30 12:51:34 +02:00
bpf Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES" 2023-03-17 08:58:03 +01:00
bpfilter
bridge netfilter: ebtables: fix table blob use-after-free 2023-03-11 13:50:30 +01:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:57:54 +01:00
can can: j1939: prevent deadlock by moving j1939_sk_errqueue() 2023-04-06 12:12:42 +02:00
ceph Treewide: Stop corrupting socket's task_frag 2022-12-19 17:28:49 -08:00
core net: don't let netpoll invoke NAPI if in xmit context 2023-04-13 17:02:38 +02:00
dcb net: dcb: move getapptrust to separate function 2022-11-15 15:27:43 +01:00
dccp dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. 2023-02-10 19:53:42 -08:00
dns_resolver cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
dsa net: dsa: sync unicast and multicast addresses for VLAN filters too 2023-04-06 12:12:39 +02:00
ethernet net: ethernet: use sysfs_emit() to instead of scnprintf() 2022-12-07 20:02:44 -08:00
ethtool Revert "Merge branch 'ethtool-mac-merge'" 2023-01-24 17:44:14 +01:00
hsr hsr: ratelimit only when errors are printed 2023-04-06 12:12:48 +02:00
ieee802154 Merge tag 'ieee802154-for-net-next-2022-12-05' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next 2022-12-07 17:33:26 -08:00
ife
ipv4 raw: Fix NULL deref in raw_get_next(). 2023-04-13 17:02:41 +02:00
ipv6 raw: Fix NULL deref in raw_get_next(). 2023-04-13 17:02:41 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:37:53 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key af_key: Fix heap information leak 2023-02-13 09:30:14 +00:00
l2tp l2tp: generate correct module alias strings 2023-04-13 17:02:37 +02:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta 2023-04-13 17:02:36 +02:00
mac802154 mac802154: Fix possible double free upon parsing error 2022-12-19 11:38:12 +01:00
mctp net: mctp: purge receive queues on sk destruction 2023-01-28 00:26:09 -08:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-15 10:26:37 +00:00
mptcp mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket() 2023-03-22 13:38:06 +01:00
ncsi net/ncsi: Silence runtime memcpy() false positive warning 2022-12-06 17:29:14 -08:00
netfilter netfilter: nft_redir: correct value of inet type .maxattrs 2023-03-22 13:37:44 +01:00
netlabel
netlink netlink: annotate data races around sk_state 2023-01-23 21:35:53 -08:00
netrom netrom: Fix use-after-free caused by accept on already connected socket 2023-01-30 07:30:47 +00:00
nfc nfc: change order inside nfc_se_io error path 2023-03-17 08:57:48 +01:00
nsh
openvswitch net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() 2023-02-13 09:38:25 +00:00
packet Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
phonet
psample
qrtr net: qrtr: Do not do DEL_SERVER broadcast after DEL_CLIENT 2023-04-13 17:02:39 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:28:18 +01:00
rfkill driver core: make struct class.dev_uevent() take a const * 2022-11-24 17:12:15 +01:00
rose net/rose: Fix to not accept on connected socket 2023-01-28 00:19:57 -08:00
rxrpc rxrpc: Fix overwaking on call poking 2023-03-10 09:28:17 +01:00
sched act_mirred: use the backlog for nested calls to mirred ingress 2023-03-30 12:51:31 +02:00
sctp sctp: check send stream number after wait_for_sndbuf 2023-04-13 17:02:38 +02:00
smc net/smc: fix deadlock triggered by cancel_delayed_work_syn() 2023-03-22 13:37:49 +01:00
strparser
sunrpc sunrpc: only free unix grouplist after RCU settles 2023-04-13 17:02:40 +02:00
switchdev
tipc tipc: fix kernel warning when sending SYN message 2023-02-14 20:46:24 -08:00
tls net: tls: fix device-offloaded sendpage straddling records 2023-03-17 08:57:57 +01:00
unix af_unix: fix struct pid leaks in OOB support 2023-03-17 08:57:59 +01:00
vmw_vsock Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
wireless wifi: cfg80211: fix MLO connection ownership 2023-03-22 13:37:45 +01:00
x25 net/x25: Fix to not accept on connected socket 2023-01-25 09:51:04 +00:00
xdp xsk: Add missing overflow check in xdp_umem_reg 2023-03-30 12:50:52 +02:00
xfrm xfrm: Zero padding when dumping algos and encap 2023-04-06 12:12:24 +02:00
compat.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c net: avoid double iput when sock_alloc_file fails 2023-03-10 09:29:57 +01:00
sysctl_net.c