From: Willy Tarreau <w@1wt.eu>
To: darklight2357@icloud.com
Cc: "security@kernel.org" <security@kernel.org>,
	selinux@vger.kernel.org, paul@paul-moore.com,
	stephen.smalley.work@gmail.com, eparis@parisplace.org
Subject: Re: memory leak in inet_create
Date: Fri, 16 Dec 2022 08:29:01 +0100
Message-ID: <20221216072901.GF2473@1wt.eu>
In-Reply-To: <5bfd9daf-9180-4b9d-b4b7-0035848ab860@me.com>

Hello,

could you please fix your mailer and resend, something wrong happened,
we received the totally unreadable block below, as if all line breaks
were removed!

Thanks,
Willy

On Fri, Dec 16, 2022 at 07:16:08AM -0000, ??? wrote:
> On Dec 16, 2022, at 4:11 PM, ??? <darklight2357@icloud.com> wrote:Attachments available until January 15, 2023.Hello, I am "Changheon Lee" concerned with kernel security.A "memory leak in inet_create" was reported in Syzkaller targeting Linux kernel Version 6.1 on December 15, 2022 at 18:36 (KST).The environment in which the bug was detected is as follows.Syzkaller revision : 67be1ae7Kernel version : Linux kernel 6.1The report provided by Syzkaller is as follows.BUG: memory leakunreferenced object 0xffff88810a908c80 (size 2912):  comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.786s)  hex dump (first 32 bytes):    7f 00 00 01 7f 00 00 01 08 e4 6b 1b 4e 20 00 00  ..........k.N ..    02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............  backtrace:    [<ffffffff83478054>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024    [<ffffffff8348316b>] sk_alloc+0x3b/0x7d0 net/core/sock.c:2083    [<ffffffff838e2e8b>] inet_create+0x39b/0xee0 net/ipv4/af_inet.c:319    [<ffffffff8346bca1>] __sock_create+0x381/0x850 net/socket.c:1515    [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]    [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]    [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636    [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]    [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]    [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647    [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]    [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80    [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcdBUG: memory leakunreferenced object 0xffff888112a6f020 (size 32):  comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.786s)  hex dump (first 32 bytes):    02 00 00 00 00 00 00 00 40 e9 ba 0e 81 88 ff ff  ........@.......    01 00 00 00 03 00 00 00 10 00 00 00 00 00 00 00  ................  
backtrace:    [<ffffffff816d8987>] kmalloc_trace+0x27/0x60 mm/slab_common.c:1045    [<ffffffff81f4869f>] kmalloc include/linux/slab.h:553 [inline]    [<ffffffff81f4869f>] kzalloc include/linux/slab.h:689 [inline]    [<ffffffff81f4869f>] selinux_sk_alloc_security+0x9f/0x230 security/selinux/hooks.c:5190    [<ffffffff81f34938>] security_sk_alloc+0x58/0xc0 security/security.c:2286    [<ffffffff8347809e>] sk_prot_alloc+0xae/0x2a0 net/core/sock.c:2033    [<ffffffff8348316b>] sk_alloc+0x3b/0x7d0 net/core/sock.c:2083    [<ffffffff838e2e8b>] inet_create+0x39b/0xee0 net/ipv4/af_inet.c:319    [<ffffffff8346bca1>] __sock_create+0x381/0x850 net/socket.c:1515    [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]    [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]    [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636    [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]    [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]    [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647    [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]    [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80    [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcdBUG: memory leakunreferenced object 0xffff88810ebae940 (size 64):  comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.787s)  hex dump (first 32 bytes):    15 00 00 01 00 00 00 00 70 33 b8 02 81 88 ff ff  ........p3......    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................  
backtrace:    [<ffffffff816d8987>] kmalloc_trace+0x27/0x60 mm/slab_common.c:1045    [<ffffffff81fb7e15>] kmalloc include/linux/slab.h:553 [inline]    [<ffffffff81fb7e15>] kzalloc include/linux/slab.h:689 [inline]    [<ffffffff81fb7e15>] netlbl_secattr_alloc include/net/netlabel.h:382 [inline]    [<ffffffff81fb7e15>] selinux_netlbl_sock_genattr+0xb5/0x4b0 security/selinux/netlabel.c:77    [<ffffffff81fb9bfc>] selinux_netlbl_socket_post_create+0x7c/0x170 security/selinux/netlabel.c:401    [<ffffffff81f5215f>] selinux_socket_post_create+0x30f/0x820 security/selinux/hooks.c:4605    [<ffffffff81f33fcc>] security_socket_post_create+0x6c/0xd0 security/security.c:2198    [<ffffffff8346c024>] __sock_create+0x704/0x850 net/socket.c:1531    [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]    [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]    [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636    [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]    [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]    [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647    [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]    [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80    [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcdBUG: memory leakunreferenced object 0xffff888102b83370 (size 16):  comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.787s)  hex dump (first 16 bytes):    6b 65 72 6e 65 6c 5f 74 00 6b 6b 6b 6b 6b 6b a5  kernel_t.kkkkkk.  
backtrace:    [<ffffffff816d949c>] __do_kmalloc_node mm/slab_common.c:954 [inline]    [<ffffffff816d949c>] __kmalloc_node_track_caller+0x4c/0xd0 mm/slab_common.c:975    [<ffffffff816b7b90>] kstrdup+0x40/0x80 mm/util.c:61    [<ffffffff81fade31>] security_netlbl_sid_to_secattr+0x1f1/0x4e0 security/selinux/ss/services.c:3973    [<ffffffff81fb7e59>] selinux_netlbl_sock_genattr+0xf9/0x4b0 security/selinux/netlabel.c:80    [<ffffffff81fb9bfc>] selinux_netlbl_socket_post_create+0x7c/0x170 security/selinux/netlabel.c:401    [<ffffffff81f5215f>] selinux_socket_post_create+0x30f/0x820 security/selinux/hooks.c:4605    [<ffffffff81f33fcc>] security_socket_post_create+0x6c/0xd0 security/security.c:2198    [<ffffffff8346c024>] __sock_create+0x704/0x850 net/socket.c:1531    [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]    [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]    [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636    [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]    [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]    [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647    [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]    [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80    [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcdI cannot rule out the possibility that this bug detected in Syzkaller targeting 6.1 is a false positive.However, as far as I can check, this memory leak has not been reported recently.I just found a reported case on "mail-archive.com" with a backtrace very similar to the memory leak I just reported.Considering the contents of the mail I found, the "memory leak in inet_create" I reported seems to be related to SElinux, and I attach the link at the bottom.Link : https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1950307.htmlThe email in the link was made in 2019, and it seems to be related to what I 
reported this time, but it is seen as a separate matter.kernel config, vmlinux, bzImage and C reproducer will be attached separately.Thanks.ChangHeon Lee Ps. I have now checked that emails with the same contents were sent multiple times due to issues such as the inability to properly set the recipient, CC settings, or HTML forms being included in the email.I apologize for any inconvenience caused.Download from iCloudvmlinux475.5 MBDownload from iCloudC_repo.c5 KBDownload from iCloudbzImage30 MBDownload from iCloudkernel config (.config).txt139 KBI'm so sorry... no more HTML forms or links are included...
