1 From c5095242d1faf966c4e2605277caf3014f66f9c1 Mon Sep 17 00:00:00 2001
2 From: Eric Dumazet <edumazet@google.com>
3 Date: Sat, 15 Jun 2019 16:28:48 -0700
4 Subject: neigh: fix use-after-free read in pneigh_get_next
5
6 [ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ]
7
8 Nine years ago, I added RCU handling to neighbours, not pneighbours.
9 (pneigh are not commonly used)
10
11 Unfortunately I missed that /proc dump operations would use a
12 common entry and exit point : neigh_seq_start() and neigh_seq_stop()
13
14 We need to read_lock(tbl->lock) or risk use-after-free while
15 iterating the pneigh structures.
16
17 We might later convert pneigh to RCU and revert this patch.
18
19 syzbot reported:
20
21 BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
22 Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825
23
24 CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
26 Call Trace:
27 __dump_stack lib/dump_stack.c:77 [inline]
28 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
29 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
30 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
31 kasan_report+0x12/0x20 mm/kasan/common.c:614
32 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
33 pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
34 neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240
35 seq_read+0x9cf/0x1110 fs/seq_file.c:258
36 proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221
37 do_loop_readv_writev fs/read_write.c:714 [inline]
38 do_loop_readv_writev fs/read_write.c:701 [inline]
39 do_iter_read+0x4a4/0x660 fs/read_write.c:935
40 vfs_readv+0xf0/0x160 fs/read_write.c:997
41 kernel_readv fs/splice.c:359 [inline]
42 default_file_splice_read+0x475/0x890 fs/splice.c:414
43 do_splice_to+0x127/0x180 fs/splice.c:877
44 splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954
45 do_splice_direct+0x1da/0x2a0 fs/splice.c:1063
46 do_sendfile+0x597/0xd00 fs/read_write.c:1464
47 __do_sys_sendfile64 fs/read_write.c:1525 [inline]
48 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
49 __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
50 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
51 entry_SYSCALL_64_after_hwframe+0x49/0xbe
52 RIP: 0033:0x4592c9
53 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
54 RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
55 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
56 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
57 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
58 R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4
59 R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
60
61 Allocated by task 9827:
62 save_stack+0x23/0x90 mm/kasan/common.c:71
63 set_track mm/kasan/common.c:79 [inline]
64 __kasan_kmalloc mm/kasan/common.c:489 [inline]
65 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
66 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
67 __do_kmalloc mm/slab.c:3660 [inline]
68 __kmalloc+0x15c/0x740 mm/slab.c:3669
69 kmalloc include/linux/slab.h:552 [inline]
70 pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731
71 arp_req_set_public net/ipv4/arp.c:1010 [inline]
72 arp_req_set+0x613/0x720 net/ipv4/arp.c:1026
73 arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226
74 inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926
75 sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043
76 sock_ioctl+0x3ed/0x780 net/socket.c:1194
77 vfs_ioctl fs/ioctl.c:46 [inline]
78 file_ioctl fs/ioctl.c:509 [inline]
79 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
80 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
81 __do_sys_ioctl fs/ioctl.c:720 [inline]
82 __se_sys_ioctl fs/ioctl.c:718 [inline]
83 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
84 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
85 entry_SYSCALL_64_after_hwframe+0x49/0xbe
86
87 Freed by task 9824:
88 save_stack+0x23/0x90 mm/kasan/common.c:71
89 set_track mm/kasan/common.c:79 [inline]
90 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
91 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
92 __cache_free mm/slab.c:3432 [inline]
93 kfree+0xcf/0x220 mm/slab.c:3755
94 pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline]
95 __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356
96 neigh_ifdown+0x20/0x30 net/core/neighbour.c:372
97 arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274
98 inetdev_destroy net/ipv4/devinet.c:319 [inline]
99 inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544
100 notifier_call_chain+0xc2/0x230 kernel/notifier.c:95
101 __raw_notifier_call_chain kernel/notifier.c:396 [inline]
102 raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403
103 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749
104 call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
105 call_netdevice_notifiers net/core/dev.c:1775 [inline]
106 rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178
107 rollback_registered+0x109/0x1d0 net/core/dev.c:8220
108 unregister_netdevice_queue net/core/dev.c:9267 [inline]
109 unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260
110 unregister_netdevice include/linux/netdevice.h:2631 [inline]
111 __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724
112 tun_detach drivers/net/tun.c:741 [inline]
113 tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451
114 __fput+0x2ff/0x890 fs/file_table.c:280
115 ____fput+0x16/0x20 fs/file_table.c:313
116 task_work_run+0x145/0x1c0 kernel/task_work.c:113
117 tracehook_notify_resume include/linux/tracehook.h:185 [inline]
118 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
119 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
120 syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
121 do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
122 entry_SYSCALL_64_after_hwframe+0x49/0xbe
123
124 The buggy address belongs to the object at ffff888097f2a700
125 which belongs to the cache kmalloc-64 of size 64
126 The buggy address is located 0 bytes inside of
127 64-byte region [ffff888097f2a700, ffff888097f2a740)
128 The buggy address belongs to the page:
129 page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
130 flags: 0x1fffc0000000200(slab)
131 raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340
132 raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000
133 page dumped because: kasan: bad access detected
134
135 Memory state around the buggy address:
136 ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
137 ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
138 >ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
139 ^
140 ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
141 ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
142
143 Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
144 Signed-off-by: Eric Dumazet <edumazet@google.com>
145 Reported-by: syzbot <syzkaller@googlegroups.com>
146 Signed-off-by: David S. Miller <davem@davemloft.net>
147 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
148 ---
149 net/core/neighbour.c | 7 +++++++
150 1 file changed, 7 insertions(+)
151
152 diff --git a/net/core/neighbour.c b/net/core/neighbour.c
153 index 4e4ac77c6816..cd9e991f21d7 100644
154 --- a/net/core/neighbour.c
155 +++ b/net/core/neighbour.c
156 @@ -2751,6 +2751,7 @@ static void *neigh_get_idx_any(struct seq_file *seq, loff_t *pos)
157 }
158
159 void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
160 + __acquires(tbl->lock)
161 __acquires(rcu_bh)
162 {
163 struct neigh_seq_state *state = seq->private;
164 @@ -2761,6 +2762,7 @@ void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl
165
166 rcu_read_lock_bh();
167 state->nht = rcu_dereference_bh(tbl->nht);
168 + read_lock(&tbl->lock);
169
170 return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
171 }
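Review bot: The new `read_lock(&tbl->lock)` added after the nht dereference carries a non-obvious invariant that the code should state: it is the plain variant, not `read_lock_bh()`, which is only correct because `rcu_read_lock_bh()` two lines above already has BH disabled, and the writer side (the ifdown path in the commit message's freed-by trace, not visible in this hunk) presumably takes the same rwlock with the `_bh` variant. The lock is also now held from here across every `->show` callback of the seq iteration until `neigh_seq_stop()`, so table-specific show routines must not sleep or take `tbl->lock` for write; the existing `rcu_read_lock_bh()` already forbade sleeping, so this is a documentation point rather than a new restriction. I would add above the new line: `/* pneigh entries are not RCU protected: hold tbl->lock for the whole dump. BH is already off (rcu_read_lock_bh() above), so plain read_lock() suffices. */`. The prologue of neigh_seq_start(), including where `state->tbl` is stored for the matching unlock in neigh_seq_stop(), starts before this hunk.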
172 @@ -2794,8 +2796,13 @@ void *neigh_seq_next(struct seq_file *seq, void *v, loff_t *pos)
173 EXPORT_SYMBOL(neigh_seq_next);
174
175 void neigh_seq_stop(struct seq_file *seq, void *v)
176 + __releases(tbl->lock)
177 __releases(rcu_bh)
178 {
179 + struct neigh_seq_state *state = seq->private;
180 + struct neigh_table *tbl = state->tbl;
181 +
182 + read_unlock(&tbl->lock);
183 rcu_read_unlock_bh();
184 }
185 EXPORT_SYMBOL(neigh_seq_stop);
186 --
187 2.20.1
188