From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mao Wenan <maowenan@huawei.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.20 07/32] net: crypto set sk to NULL when af_alg_release.
Date: Thu, 21 Feb 2019 15:35:55 +0100 [thread overview]
Message-ID: <20190221125251.274926430@linuxfoundation.org> (raw)
In-Reply-To: <20190221125250.855065214@linuxfoundation.org>
4.20-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 9060cb719e61b685ec0102574e10337fa5f445ea ]
KASAN has found use-after-free in sockfs_setattr.
The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
that crypto module forgets to set the sk to NULL after af_alg_release.
KASAN report details as below:
BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0xca/0x13e
print_address_description+0x79/0x330
? vprintk_func+0x5e/0xf0
kasan_report+0x18a/0x2e0
? sockfs_setattr+0x120/0x150
sockfs_setattr+0x120/0x150
? sock_register+0x2d0/0x2d0
notify_change+0x90c/0xd40
? chown_common+0x2ef/0x510
chown_common+0x2ef/0x510
? chmod_common+0x3b0/0x3b0
? __lock_is_held+0xbc/0x160
? __sb_start_write+0x13d/0x2b0
? __mnt_want_write+0x19a/0x250
do_fchownat+0x15c/0x190
? __ia32_sys_chmod+0x80/0x80
? trace_hardirqs_on_thunk+0x1a/0x1c
__x64_sys_fchownat+0xbf/0x160
? lockdep_hardirqs_on+0x39a/0x5e0
do_syscall_64+0xc8/0x580
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462589
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
f7 48 89 d6 48 89
ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
48 c7 c1 bc ff ff
ff f7 d8 64 89 01 48
RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
Allocated by task 4185:
kasan_kmalloc+0xa0/0xd0
__kmalloc+0x14a/0x350
sk_prot_alloc+0xf6/0x290
sk_alloc+0x3d/0xc00
af_alg_accept+0x9e/0x670
hash_accept+0x4a3/0x650
__sys_accept4+0x306/0x5c0
__x64_sys_accept4+0x98/0x100
do_syscall_64+0xc8/0x580
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 4184:
__kasan_slab_free+0x12e/0x180
kfree+0xeb/0x2f0
__sk_destruct+0x4e6/0x6a0
sk_destruct+0x48/0x70
__sk_free+0xa9/0x270
sk_free+0x2a/0x30
af_alg_release+0x5c/0x70
__sock_release+0xd3/0x280
sock_close+0x1a/0x20
__fput+0x27f/0x7f0
task_work_run+0x136/0x1b0
exit_to_usermode_loop+0x1a7/0x1d0
do_syscall_64+0x461/0x580
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Syzkaller reproducer:
r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
0xffffffffffffffff, 0x0)
r1 = socket$alg(0x26, 0x5, 0x0)
getrusage(0x0, 0x0)
bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
'sha256-ssse3\x00'}, 0x80)
r2 = accept(r1, 0x0, 0x0)
r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
r4 = dup3(r3, r0, 0x0)
fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/af_alg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 17eb09d222ff4..ec78a04eb136e 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)
int af_alg_release(struct socket *sock)
{
- if (sock->sk)
+ if (sock->sk) {
sock_put(sock->sk);
+ sock->sk = NULL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(af_alg_release);
--
2.19.1
next prev parent reply other threads:[~2019-02-21 14:42 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-21 14:35 [PATCH 4.20 00/32] 4.20.12-stable review Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 01/32] dsa: mv88e6xxx: Ensure all pending interrupts are handled prior to exit Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 02/32] net: fix IPv6 prefix route residue Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 03/32] net: ipv4: use a dedicated counter for icmp_v4 redirect packets Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 04/32] vsock: cope with memory allocation failure at socket creation time Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 05/32] vxlan: test dev->flags & IFF_UP before calling netif_rx() Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 06/32] mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable Greg Kroah-Hartman
2019-02-21 14:35 ` Greg Kroah-Hartman [this message]
2019-02-21 14:35 ` [PATCH 4.20 08/32] net: Fix for_each_netdev_feature on Big endian Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 09/32] net: ip6_gre: initialize erspan_ver just for erspan tunnels Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 10/32] net: phy: xgmiitorgmii: Support generic PHY status read Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 4.20 11/32] net: stmmac: Fix a race in EEE enable callback Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 12/32] net: stmmac: handle endianness in dwmac4_get_timestamp Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 13/32] net: validate untrusted gso packets without csum offload Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 14/32] sky2: Increase D3 delay again Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 15/32] vhost: correctly check the return value of translate_desc() in log_used() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 16/32] net: Add header for usage of fls64() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 17/32] tcp: clear icsk_backoff in tcp_write_queue_purge() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 18/32] tcp: tcp_v4_err() should be more careful Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 19/32] net: netcp: Fix ethss driver probe issue Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 20/32] net: Do not allocate page fragments that are not skb aligned Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 21/32] af_packet: fix raw sockets over 6in4 tunnel Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 22/32] arm64, mm, efi: Account for GICv3 LPI tables in static memblock reserve table Greg Kroah-Hartman
2019-02-21 14:36 ` Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 23/32] efi/arm: Revert "Defer persistent reservations until after paging_init()" Greg Kroah-Hartman
2019-02-21 14:36 ` Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 24/32] PCI: Fix __initdata issue with "pci=disable_acs_redir" parameter Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 25/32] scsi: target/core: Use kmem_cache_free() instead of kfree() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 26/32] x86_64: increase stack size for KASAN_EXTRA Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 27/32] mmc: meson-gx: fix interrupt name Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 28/32] hwmon: (lm80) Fix missing unlock on error in set_fan_div() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 29/32] netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 30/32] net/x25: do not hold the cpu too long in x25_new_lci() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 31/32] mISDN: fix a race in dev_expire_timer() Greg Kroah-Hartman
2019-02-21 14:36 ` [PATCH 4.20 32/32] ax25: fix possible use-after-free Greg Kroah-Hartman
2019-02-22 15:05 ` [PATCH 4.20 00/32] 4.20.12-stable review Naresh Kamboju
2019-02-22 15:40 ` Greg Kroah-Hartman
2019-02-22 23:15 ` shuah
2019-02-23 8:05 ` Greg Kroah-Hartman
2019-02-22 23:32 ` Guenter Roeck
2019-02-23 8:04 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190221125251.274926430@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=maowenan@huawei.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.