From: Nir Levy <bhr166@gmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, linux-atm-general@lists.sourceforge.net,
netdev@vger.kernel.org
Cc: bhr166@gmail.com
Subject: [PATCH] atm: Fix use-after-free bug in atm_dev_register()
Date: Sat, 3 Dec 2022 13:09:24 +0200 [thread overview]
Message-ID: <20221203110924.7759-1-bhr166@gmail.com> (raw)
When device_register() return failed in atm_register_sysfs,
the program will return to atm_dev_register and will kfree
the device. As the comment of device_register() says,
put_device() needs to be used to give up the reference
in the error path. Using kfree instead triggers a UAF,
as shown by the following KASAN report, obtained by causing
device_register() to fail. This patch calls put_device instead
of kfree when atm_register_sysfs has failed, and call kfree
only when atm_proc_dev_register has failed.
KASAN report details as below:
[ 94.341664] BUG: KASAN: use-after-free in sysfs_kf_seq_show+0x306/0x440
[ 94.341674] Read of size 8 at addr ffff88819a8a30e8 by task systemd-udevd/484
[ 94.341680] CPU: 3 PID: 484 Comm: systemd-udevd Tainted: G E 6.1.0-rc1+ #1
[ 94.341684] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
[ 94.341703] Call Trace:
[ 94.341705] <TASK>
[ 94.341707] dump_stack_lvl+0x49/0x63
[ 94.341713] print_report+0x177/0x46e
[ 94.341717] ? kasan_complete_mode_report_info+0x7c/0x210
[ 94.341720] ? sysfs_kf_seq_show+0x306/0x440
[ 94.341753] kasan_report+0xb0/0x140
[ 94.341757] ? sysfs_kf_seq_show+0x306/0x440
[ 94.341760] __asan_report_load8_noabort+0x14/0x20
[ 94.341763] sysfs_kf_seq_show+0x306/0x440
[ 94.341766] kernfs_seq_show+0x145/0x1b0
[ 94.341769] seq_read_iter+0x408/0x1080
[ 94.341774] kernfs_fop_read_iter+0x3d5/0x540
[ 94.341794] vfs_read+0x542/0x800
[ 94.341797] ? kernel_read+0x130/0x130
[ 94.341800] ? __kasan_check_read+0x11/0x20
[ 94.341824] ? get_nth_filter.part.0+0x200/0x200
[ 94.341828] ksys_read+0x116/0x220
[ 94.341831] ? __ia32_sys_pwrite64+0x1f0/0x1f0
[ 94.341849] ? __secure_computing+0x17c/0x2d0
[ 94.341852] __x64_sys_read+0x72/0xb0
[ 94.341875] do_syscall_64+0x59/0x90
[ 94.341878] ? exc_page_fault+0x72/0xf0
[ 94.341881] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 94.341885] RIP: 0033:0x7fc391f14992
[ 94.341888] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 94.341891] RSP: 002b:00007ffe33fed818 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 94.341896] RAX: ffffffffffffffda RBX: 0000000000001018 RCX: 00007fc391f14992
[ 94.341898] RDX: 0000000000001018 RSI: 0000558a696b0880 RDI: 000000000000000e
[ 94.341900] RBP: 0000558a696b0880 R08: 0000000000000000 R09: 0000558a696b0880
[ 94.341902] R10: 00007fc39201a300 R11: 0000000000000246 R12: 000000000000000e
[ 94.341904] R13: 0000000000001017 R14: 0000000000000002 R15: 00007ffe33fed840
[ 94.341908] </TASK>
[ 94.341911] Allocated by task 2613:
[ 94.341914] kasan_save_stack+0x26/0x50
[ 94.341932] kasan_set_track+0x25/0x40
[ 94.341934] kasan_save_alloc_info+0x1e/0x30
[ 94.341936] __kasan_kmalloc+0xb4/0xc0
[ 94.341938] kmalloc_trace+0x4a/0xb0
[ 94.341941] atm_dev_register+0x5d/0x700 [atm]
[ 94.341949] atmtcp_create+0x77/0x1f0 [atmtcp]
[ 94.341953] atmtcp_ioctl+0x12d/0xb9f [atmtcp]
[ 94.341957] do_vcc_ioctl+0xfe/0x640 [atm]
[ 94.341962] vcc_ioctl+0x10/0x20 [atm]
[ 94.341968] svc_ioctl+0x587/0x6c0 [atm]
[ 94.341973] sock_do_ioctl+0xd7/0x1e0
[ 94.341977] sock_ioctl+0x1b5/0x560
[ 94.341979] __x64_sys_ioctl+0x132/0x1b0
[ 94.341981] do_syscall_64+0x59/0x90
[ 94.341983] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 94.341986] Freed by task 2613:
[ 94.341988] kasan_save_stack+0x26/0x50
[ 94.341991] kasan_set_track+0x25/0x40
[ 94.341993] kasan_save_free_info+0x2e/0x50
[ 94.341995] ____kasan_slab_free+0x174/0x1e0
[ 94.341997] __kasan_slab_free+0x12/0x20
[ 94.342000] slab_free_freelist_hook+0xd0/0x1a0
[ 94.342002] __kmem_cache_free+0x193/0x2c0
[ 94.342005] kfree+0x79/0x120
[ 94.342007] atm_dev_register.cold+0x46/0x64 [atm]
[ 94.342013] atmtcp_create+0x77/0x1f0 [atmtcp]
[ 94.342016] atmtcp_ioctl+0x12d/0xb9f [atmtcp]
[ 94.342020] do_vcc_ioctl+0xfe/0x640 [atm]
[ 94.342077] vcc_ioctl+0x10/0x20 [atm]
[ 94.342083] svc_ioctl+0x587/0x6c0 [atm]
[ 94.342088] sock_do_ioctl+0xd7/0x1e0
[ 94.342091] sock_ioctl+0x1b5/0x560
[ 94.342093] __x64_sys_ioctl+0x132/0x1b0
[ 94.342095] do_syscall_64+0x59/0x90
[ 94.342098] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 94.342102] The buggy address belongs to the object at ffff88819a8a3000 which belongs to the cache kmalloc-1k of size 1024
[ 94.342105] The buggy address is located 232 bytes inside of 1024-byte region [ffff88819a8a3000, ffff88819a8a3400)
[ 94.342109] The buggy address belongs to the physical page:
[ 94.342111] page:0000000099993f0a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19a8a0
[ 94.342114] head:0000000099993f0a order:3 compound_mapcount:0 compound_pincount:0
[ 94.342116] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 94.342136] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042dc0
[ 94.342138] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 94.342139] page dumped because: kasan: bad access detected
[ 94.342141] Memory state around the buggy address:
[ 94.342143] ffff88819a8a2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.342145] ffff88819a8a3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.342147] >ffff88819a8a3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.342148] ^
[ 94.342150] ffff88819a8a3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.342152] ffff88819a8a3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Signed-off-by: Nir Levy <bhr166@gmail.com>
---
net/atm/resources.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/atm/resources.c b/net/atm/resources.c
index 2b2d33eeaf20..9ec07d66783b 100644
--- a/net/atm/resources.c
+++ b/net/atm/resources.c
@@ -112,12 +112,14 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
if (atm_proc_dev_register(dev) < 0) {
pr_err("atm_proc_dev_register failed for dev %s\n", type);
+ kfree(dev);
goto out_fail;
}
if (atm_register_sysfs(dev, parent) < 0) {
pr_err("atm_register_sysfs failed for dev %s\n", type);
atm_proc_dev_deregister(dev);
+ put_device(&dev->class_dev);
goto out_fail;
}
@@ -128,7 +130,6 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
return dev;
out_fail:
- kfree(dev);
dev = NULL;
goto out;
}
--
2.34.1
next reply other threads:[~2022-12-03 11:09 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-03 11:09 Nir Levy [this message]
2022-12-05 7:04 ` [PATCH] atm: Fix use-after-free bug in atm_dev_register() Leon Romanovsky
[not found] ` <CAJey7buiiSqO+tXDUYDTue6Hy06Jbyo5yeaGBeBz5b8wLiW+pQ@mail.gmail.com>
2022-12-06 2:08 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221203110924.7759-1-bhr166@gmail.com \
--to=bhr166@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-atm-general@lists.sourceforge.net \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.