* KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
From: syzbot @ 2018-04-02 9:20 UTC (permalink / raw)
To: alexey.kodanev, davem, dccp, edumazet, gerrit, keescook,
linux-kernel, netdev, soheil, syzkaller-bugs
Hello,
syzbot hit the following crash on upstream commit
0adb32858b0bddf4ada5f364a84ed60b196dbcda (Sun Apr 1 21:20:27 2018 +0000)
Linux 4.16
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5822430194958336
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-2374466361298166459
compiler: gcc (GCC) 7.1.1 20170620
user-space arch: i386
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+554ccde221001ab5479a@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
dccp_parse_options: DCCP(000000007d56a000): Option 32 (len=7) error=9
==================================================================
dccp_check_seqno: Step 6 failed for RESET packet, (LSWL(279336972291068) <=
P.seqno(279336972291066) <= S.SWH(279336972291142)) and (P.ackno exists or
LAWL(234137106534459) <= P.ackno(234137106534459) <=
S.AWH(234137106534460), sending SYNC...
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x234a/0x2440
net/dccp/ccids/ccid2.c:598
Read of size 1 at addr ffff8801bb7a4a82 by task syz-executor1/1660
CPU: 1 PID: 1660 Comm: syz-executor1 Not tainted 4.16.0+ #285
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
ccid2_hc_tx_packet_recv+0x234a/0x2440 net/dccp/ccids/ccid2.c:598
ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
dccp_deliver_input_to_ccids+0x1d0/0x250 net/dccp/input.c:186
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:908 [inline]
__release_sock+0x124/0x360 net/core/sock.c:2271
release_sock+0xa4/0x2a0 net/core/sock.c:2786
dccp_sendmsg+0x528/0xe60 net/dccp/proto.c:820
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
__sys_sendmmsg+0x31b/0x620 net/socket.c:2129
C_SYSC_sendmmsg net/compat.c:745 [inline]
compat_SyS_sendmmsg+0x32/0x40 net/compat.c:742
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f6dc99
RSP: 002b:00000000f5f690ac EFLAGS: 00000282 ORIG_RAX: 0000000000000159
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 000000002000b880
RDX: 0000000000000122 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1660:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
__do_kmalloc_node mm/slab.c:3670 [inline]
__kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3684
__kmalloc_reserve.isra.39+0x41/0xd0 net/core/skbuff.c:137
__alloc_skb+0x13b/0x780 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:983 [inline]
dccp_send_ack+0xb6/0x350 net/dccp/output.c:580
ccid2_hc_rx_packet_recv+0x10d/0x180 net/dccp/ccids/ccid2.c:766
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:908 [inline]
__sk_receive_skb+0x33e/0xc10 net/core/sock.c:513
dccp_v4_rcv+0xf5f/0x1c80 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2f1/0xc50 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:449 [inline]
ip_rcv_finish+0xa36/0x2040 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xb76/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4562
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
process_backlog+0x203/0x740 net/core/dev.c:5307
napi_poll net/core/dev.c:5705 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5771
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
Freed by task 1660:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3486 [inline]
kfree+0xd9/0x260 mm/slab.c:3801
skb_free_head+0x74/0xb0 net/core/skbuff.c:550
skb_release_data+0x58c/0x790 net/core/skbuff.c:570
skb_release_all+0x4a/0x60 net/core/skbuff.c:627
__kfree_skb net/core/skbuff.c:641 [inline]
kfree_skb+0x15d/0x4c0 net/core/skbuff.c:659
dccp_v4_do_rcv+0x10d/0x160 net/dccp/ipv4.c:688
sk_backlog_rcv include/net/sock.h:908 [inline]
__release_sock+0x124/0x360 net/core/sock.c:2271
release_sock+0xa4/0x2a0 net/core/sock.c:2786
dccp_sendmsg+0x528/0xe60 net/dccp/proto.c:820
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
__sys_sendmmsg+0x31b/0x620 net/socket.c:2129
C_SYSC_sendmmsg net/compat.c:745 [inline]
compat_SyS_sendmmsg+0x32/0x40 net/compat.c:742
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
The buggy address belongs to the object at ffff8801bb7a4600
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1154 bytes inside of
2048-byte region [ffff8801bb7a4600, ffff8801bb7a4e00)
The buggy address belongs to the page:
page:ffffea0006ede900 count:1 mapcount:0 mapping:ffff8801bb7a4600 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801bb7a4600 0000000000000000 0000000100000003
raw: ffffea0006bcbd20 ffffea0006f5b1a0 ffff8801dac00c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801bb7a4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801bb7a4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801bb7a4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801bb7a4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801bb7a4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
* Re: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
From: syzbot @ 2018-05-25 13:52 UTC (permalink / raw)
To: alexey.kodanev, davem, dccp, edumazet, gerrit, keescook,
linux-kernel, netdev, soheil, syzkaller-bugs
syzbot has found a reproducer for the following crash on:
HEAD commit: b50694381cfc Merge branch 'stable/for-linus-4.17' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17151cb7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1363ccb7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1272e2b7800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+554ccde221001ab5479a@syzkaller.appspotmail.com
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
==================================================================
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2383/0x275e
net/dccp/ccids/ccid2.c:597
Read of size 1 at addr ffff8801ba4911c2 by task syz-executor940/4542
__should_failslab+0x124/0x180 mm/failslab.c:32
should_failslab+0x9/0x14 mm/slab_common.c:1522
slab_pre_alloc_hook mm/slab.h:423 [inline]
slab_alloc mm/slab.c:3378 [inline]
kmem_cache_alloc_trace+0x4b/0x780 mm/slab.c:3618
kmalloc include/linux/slab.h:512 [inline]
dccp_ackvec_parsed_add+0xa1/0x310 net/dccp/ackvec.c:352
ccid2_hc_tx_parse_options+0x9a/0xb0 net/dccp/ccids/ccid2.c:510
ccid_hc_tx_parse_options net/dccp/ccid.h:207 [inline]
dccp_parse_options+0x658/0x11f0 net/dccp/options.c:233
dccp_rcv_established+0x44/0xb0 net/dccp/input.c:374
dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2335
release_sock+0xa4/0x2b0 net/core/sock.c:2850
dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:639
___sys_sendmsg+0x525/0x940 net/socket.c:2117
__sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
__do_sys_sendmmsg net/socket.c:2241 [inline]
__se_sys_sendmmsg net/socket.c:2238 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441819
RSP: 002b:00007ffdb9a9df08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441819
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005
RBP: 00007ffdb9a9df20 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 04000000000001e6 R14: 0000000000000006 R15: 0000000000000000
CPU: 0 PID: 4542 Comm: syz-executor940 Not tainted 4.17.0-rc6+ #66
dccp_parse_options: DCCP( (ptrval)): Option 38 (len=1) error=5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
ccid2_hc_tx_packet_recv+0x2383/0x275e net/dccp/ccids/ccid2.c:597
ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
dccp_deliver_input_to_ccids+0x203/0x280 net/dccp/input.c:186
dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2335
release_sock+0xa4/0x2b0 net/core/sock.c:2850
dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:639
___sys_sendmsg+0x525/0x940 net/socket.c:2117
__sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
__do_sys_sendmmsg net/socket.c:2241 [inline]
__se_sys_sendmmsg net/socket.c:2238 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441819
RSP: 002b:00007ffdb9a9df08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441819
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005
RBP: 00007ffdb9a9df20 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 04000000000001e6 R14: 0000000000000006 R15: 0000000000000000
Allocated by task 4542:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
__kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
__alloc_skb+0x14d/0x780 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:987 [inline]
dccp_send_ack+0xd2/0x340 net/dccp/output.c:580
ccid2_hc_rx_packet_recv+0x139/0x1b0 net/dccp/ccids/ccid2.c:776
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
sk_backlog_rcv include/net/sock.h:909 [inline]
__sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
process_backlog+0x219/0x760 net/core/dev.c:5337
napi_poll net/core/dev.c:5735 [inline]
net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
Freed by task 4542:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xd9/0x260 mm/slab.c:3813
skb_free_head+0x99/0xc0 net/core/skbuff.c:550
skb_release_data+0x690/0x860 net/core/skbuff.c:570
skb_release_all+0x4a/0x60 net/core/skbuff.c:627
__kfree_skb net/core/skbuff.c:641 [inline]
kfree_skb+0x195/0x560 net/core/skbuff.c:659
dccp_v4_do_rcv+0x12b/0x180 net/dccp/ipv4.c:689
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2335
release_sock+0xa4/0x2b0 net/core/sock.c:2850
dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:639
___sys_sendmsg+0x525/0x940 net/socket.c:2117
__sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
__do_sys_sendmmsg net/socket.c:2241 [inline]
__se_sys_sendmmsg net/socket.c:2238 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801ba490d40
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1154 bytes inside of
2048-byte region [ffff8801ba490d40, ffff8801ba491540)
The buggy address belongs to the page:
page:ffffea0006e92400 count:1 mapcount:0 mapping:ffff8801ba4904c0 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801ba4904c0 0000000000000000 0000000100000003
raw: ffffea0006ed9a20 ffffea0006fa5fa0 ffff8801da800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801ba491080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801ba491100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801ba491180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801ba491200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801ba491280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
* Re: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
From: syzbot @ 2019-11-28 10:30 UTC (permalink / raw)
To: alexey.kodanev, coreteam, davem, dccp, dsahern, edumazet, fw,
gerrit, kadlec, keescook, kuznet, linux-kernel, netdev,
netfilter-devel, pablo, soheil, syzkaller-bugs, yoshfuji
syzbot has bisected this bug to:
commit 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b
Author: David Ahern <dsahern@gmail.com>
Date: Mon Aug 7 15:44:17 2017 +0000
net: ipv4: add second dif to inet socket lookups
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=141e882ae00000
start commit: b5069438 Merge branch 'stable/for-linus-4.17' of git://git..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=161e882ae00000
console output: https://syzkaller.appspot.com/x/log.txt?x=121e882ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1363ccb7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1272e2b7800000
Reported-by: syzbot+554ccde221001ab5479a@syzkaller.appspotmail.com
Fixes: 3fa6f616a7a4 ("net: ipv4: add second dif to inet socket lookups")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
From: Dmitry Antipov @ 2024-10-23 12:09 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: dccp, netdev@vger.kernel.org, syzbot+554ccde221001ab5479a
Looking through https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a,
I've found the problem which may be illustrated with the following patch:
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 5926159a6f20..eb551872170c 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -678,6 +678,7 @@ int dccp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
if (sk->sk_state == DCCP_OPEN) { /* Fast path */
if (dccp_rcv_established(sk, skb, dh, skb->len))
+ /* Go to reset here */
goto reset;
return 0;
}
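Review bot: the comment added at the goto restates the code and leaves the actual hazard undocumented: by the time dccp_rcv_established returns nonzero here, dccp_parse_options has already called dccp_ackvec_parsed_add for any Ack Vector option it parsed, so hc->tx_av_chunks holds pointers into the skb that is about to be freed (the second syzbot report shows exactly that path, with the kmalloc in dccp_ackvec_parsed_add failing under fault injection and the parse ending with "Option 38 (len=1) error=5"). If this hunk is meant to illustrate rather than fix, put that explanation in the commit message and drop the comment from the final patch.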
@@ -712,6 +713,7 @@ int dccp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
reset:
dccp_v4_ctl_send_reset(sk, skb, SK_RST_REASON_NOT_SPECIFIED);
+ /* Freeing skb may leave dangling pointers in ack vectors */
kfree_skb(skb);
return 0;
}
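Review bot: the comment before kfree_skb names the problem but the hunk does not change behaviour, so the dangling entries remain. On this error path the records that the failed dccp_parse_options call appended to hc->tx_av_chunks are never consumed, and the ccid2 tx code walks the same list on the next packet; the minimal fix is to drop that list before kfree_skb (dccp_ackvec_parsed_cleanup already exists for this), which answers the "still need to be processed after a reset" question with no: nothing downstream of a reset looks at them. Copying the cells, as the second patch does, is the heavier alternative and should be justified separately.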
I'm not an expert with DCCP protocol innards and have no idea whether ack
vectors still need to be processed after sending a reset. But if it is so,
the solution might be to copy all of the data from the relevant skbs instead
of just saving the pointers, e.g.:
diff --git a/net/dccp/ackvec.c b/net/dccp/ackvec.c
index 1cba001bb4c8..24c6ad06d896 100644
--- a/net/dccp/ackvec.c
+++ b/net/dccp/ackvec.c
@@ -347,17 +347,18 @@ void dccp_ackvec_clear_state(struct dccp_ackvec *av, const u64 ackno)
}
/*
- * Routines to keep track of Ack Vectors received in an skb
+ * Routines to keep track of Ack Vectors copied from the received skb
*/
int dccp_ackvec_parsed_add(struct list_head *head, u8 *vec, u8 len, u8 nonce)
{
- struct dccp_ackvec_parsed *new = kmalloc(sizeof(*new), GFP_ATOMIC);
-
+ struct dccp_ackvec_parsed *new = kmalloc(struct_size(new, vec, len),
+ GFP_ATOMIC);
if (new == NULL)
return -ENOBUFS;
- new->vec = vec;
- new->len = len;
+
+ new->len = len;
new->nonce = nonce;
+ memcpy(new->vec, vec, len);
list_add_tail(&new->node, head);
return 0;
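Review bot: `vec` is now only read, so the parameter of `dccp_ackvec_parsed_add` (and the prototype in ackvec.h) should become `const u8 *vec`. The hunk correctly assigns `new->len = len` before the `memcpy(new->vec, vec, len)`; keep that order, because with `__counted_by(len)` the bounds of `vec[]` are derived from `len`, and tooling treats a write to `vec[]` before `len` is set as out of bounds. The removed and re-added blank line around the kmalloc is churn and should be dropped from the diff.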
diff --git a/net/dccp/ackvec.h b/net/dccp/ackvec.h
index d2c4220fb377..491fd587de90 100644
--- a/net/dccp/ackvec.h
+++ b/net/dccp/ackvec.h
@@ -117,18 +117,18 @@ static inline bool dccp_ackvec_is_empty(const struct dccp_ackvec *av)
/**
* struct dccp_ackvec_parsed - Record offsets of Ack Vectors in skb
- * @vec: start of vector (offset into skb)
+ * @vec: contents of ack vector (copied from skb)
* @len: length of @vec
* @nonce: whether @vec had an ECN nonce of 0 or 1
* @node: FIFO - arranged in descending order of ack_ackno
*
- * This structure is used by CCIDs to access Ack Vectors in a received skb.
+ * This structure is used by CCIDs to access Ack Vectors from the received skb.
*/
struct dccp_ackvec_parsed {
- u8 *vec,
- len,
- nonce:1;
struct list_head node;
+ u8 len;
+ u8 nonce:1;
+ u8 vec[] __counted_by(len);
};
int dccp_ackvec_parsed_add(struct list_head *head, u8 *vec, u8 len, u8 nonce);
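Review bot: the unchanged kernel-doc summary `struct dccp_ackvec_parsed - Record offsets of Ack Vectors in skb` is now stale, since the struct carries a copy rather than an offset; update it together with the `@vec` line. The prototype `int dccp_ackvec_parsed_add(struct list_head *head, u8 *vec, u8 len, u8 nonce);` should take `const u8 *vec` to match the read-only use in ackvec.c, and moving `node` to the front of the struct is fine but deserves a word in the commit message since `vec[]` must stay the last member for struct_size() to be valid.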
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index d6b30700af67..a1f2da3c4fa9 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -589,14 +589,15 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
/* go through all ack vectors */
list_for_each_entry(avp, &hc->tx_av_chunks, node) {
/* go through this ack vector */
- for (; avp->len--; avp->vec++) {
+ u8 *v;
+ for (v = avp->vec; v < avp->vec + avp->len--; v++) {
u64 ackno_end_rl = SUB48(ackno,
- dccp_ackvec_runlen(avp->vec));
+ dccp_ackvec_runlen(v));
ccid2_pr_debug("ackvec %llu |%u,%u|\n",
(unsigned long long)ackno,
- dccp_ackvec_state(avp->vec) >> 6,
- dccp_ackvec_runlen(avp->vec));
+ dccp_ackvec_state(v) >> 6,
+ dccp_ackvec_runlen(v));
/* if the seqno we are analyzing is larger than the
* current ackno, then move towards the tail of our
* seqnos.
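Review bot: the new loop condition `v < avp->vec + avp->len--` is wrong. The bound shrinks by one on every iteration while `v` advances by one, so the loop stops after about half the cells (for len = 5 it runs 3 times, for len = 4 only 2), and `avp->len` is left modified, which also invalidates the `__counted_by(len)` bound on the record. The old `avp->len--` was only needed because the pointer itself was being advanced; with a separate cursor use `for (v = avp->vec; v < avp->vec + avp->len; v++)` (or an index `i < avp->len`) and leave `len` untouched.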
@@ -615,7 +616,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
* run length
*/
while (between48(seqp->ccid2s_seq,ackno_end_rl,ackno)) {
- const u8 state = dccp_ackvec_state(avp->vec);
+ const u8 state = dccp_ackvec_state(v);
/* new packet received or marked */
if (state != DCCPAV_NOT_RECEIVED &&
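Review bot: this read is consistent with the new cursor, but because `vec` is now an array any remaining `avp->vec` use elsewhere in ccid2_hc_tx_packet_recv, outside the context shown, still compiles (the array decays to a pointer to the first cell) and would silently read cell 0 instead of the current one. Grep the function for `avp->vec` and convert every read to `v` before sending.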
Comments are highly appreciated.
Dmitry
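A userspace model of the copy-based approach proposed above, added here as an illustration (it is not kernel code and not the patch itself): a parsed record that owns a copy of its cells stays valid after the packet buffer is released, and a loop with a fixed bound visits every cell, whereas the shrinking bound in the ccid2.c hunk stops half-way. The names ackvec_parsed, ackvec_parsed_new and ackvec_walk are this example's own; the top-two-bits state / low-six-bits run length split follows what dccp_ackvec_state and dccp_ackvec_runlen extract.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Low six bits of an Ack Vector cell hold the run length, the top two
 * bits the state (the split dccp_ackvec_runlen/dccp_ackvec_state use). */
#define AV_MAX_RUNLEN 0x3F

/* Constructed counterpart of the proposed struct dccp_ackvec_parsed:
 * the record owns a copy of the cells instead of a pointer into the
 * packet buffer, so it stays valid once that buffer is released. */
struct ackvec_parsed {
    uint8_t len;      /* number of cells in vec[] */
    uint8_t nonce;    /* ECN nonce, 0 or 1 */
    uint8_t vec[];    /* flexible array member, len bytes */
};

static uint8_t av_state(const uint8_t *cell)  { return *cell >> 6; }
static uint8_t av_runlen(const uint8_t *cell) { return *cell & AV_MAX_RUNLEN; }

/* Copy-based constructor (hypothetical name) mirroring the memcpy form of
 * dccp_ackvec_parsed_add: len is set before vec[] is written. */
struct ackvec_parsed *ackvec_parsed_new(const uint8_t *vec, uint8_t len,
                                        uint8_t nonce)
{
    struct ackvec_parsed *rec = malloc(sizeof(*rec) + len);
    if (rec == NULL)
        return NULL;
    rec->len = len;
    rec->nonce = nonce & 1;
    memcpy(rec->vec, vec, len);
    return rec;
}

/* Walk every cell with a cursor and a fixed bound, never touching len.
 * Returns the number of cells visited; *seqnos receives how many sequence
 * numbers the vector covers (each cell spans runlen + 1 of them). */
size_t ackvec_walk(const struct ackvec_parsed *avp, unsigned *seqnos)
{
    size_t visited = 0;
    *seqnos = 0;
    for (const uint8_t *v = avp->vec; v < avp->vec + avp->len; v++) {
        *seqnos += av_runlen(v) + 1;
        visited++;
    }
    return visited;
}

/* Model of the loop bound in the ccid2.c hunk, where the bound itself is
 * decremented on every iteration; returns the number of cells visited. */
size_t ackvec_walk_shrinking_bound(uint8_t len)
{
    uint8_t cells[256] = { 0 };
    size_t visited = 0;
    for (const uint8_t *v = cells; v < cells + len--; v++)
        visited++;
    return visited;
}

/* Constructed scenario: parse a vector out of a packet buffer, release the
 * buffer (as the reset path does with kfree_skb), then consume the copy.
 * Returns cells visited; *seqnos as in ackvec_walk; *last_state receives
 * the state bits of the final cell. */
size_t demo_after_buffer_released(unsigned *seqnos, uint8_t *last_state)
{
    /* Constructed cells: state 0 run 2, state 2 run 0, state 3 run 5. */
    static const uint8_t wire[3] = { 0x02, 0x80, 0xC5 };
    uint8_t *pkt = malloc(64);
    if (pkt == NULL)
        return 0;
    memcpy(pkt, wire, sizeof wire);
    struct ackvec_parsed *avp = ackvec_parsed_new(pkt, sizeof wire, 1);
    memset(pkt, 0xFF, 64);   /* poison before release: simulates slab reuse */
    free(pkt);
    if (avp == NULL)
        return 0;
    size_t n = ackvec_walk(avp, seqnos);
    *last_state = av_state(&avp->vec[avp->len - 1]);
    free(avp);
    return n;
}

int main(void)
{
    unsigned seqnos;
    uint8_t st;
    size_t n = demo_after_buffer_released(&seqnos, &st);
    printf("copy: %zu cells, %u seqnos, last state %u\n", n, seqnos, st);
    printf("shrinking bound over 5 cells visits %zu\n",
           ackvec_walk_shrinking_bound(5));
    return 0;
}
```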
* Re: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
From: Kuniyuki Iwashima @ 2024-10-23 17:51 UTC (permalink / raw)
To: dmantipov; +Cc: dccp, kuniyu, netdev, syzbot+554ccde221001ab5479a
From: Dmitry Antipov <dmantipov@yandex.ru>
Date: Wed, 23 Oct 2024 15:09:59 +0300
> Looking through https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a,
> I've found the problem which may be illustrated with the following patch:
>
> diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> index 5926159a6f20..eb551872170c 100644
> --- a/net/dccp/ipv4.c
> +++ b/net/dccp/ipv4.c
> @@ -678,6 +678,7 @@ int dccp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
>
> if (sk->sk_state == DCCP_OPEN) { /* Fast path */
> if (dccp_rcv_established(sk, skb, dh, skb->len))
> + /* Go to reset here */
> goto reset;
> return 0;
> }
> @@ -712,6 +713,7 @@ int dccp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
>
> reset:
> dccp_v4_ctl_send_reset(sk, skb, SK_RST_REASON_NOT_SPECIFIED);
> + /* Freeing skb may leave dangling pointers in ack vectors */
> kfree_skb(skb);
> return 0;
> }
>
> I'm not an expert with DCCP protocol innards and have no idea whether ack
> vectors still need to be processed after sending a reset. But if it is so,
> the solution might be to copy all of the data from the relevant skbs instead
> of just saving the pointers, e.g.:
>
> diff --git a/net/dccp/ackvec.c b/net/dccp/ackvec.c
> index 1cba001bb4c8..24c6ad06d896 100644
> --- a/net/dccp/ackvec.c
> +++ b/net/dccp/ackvec.c
> @@ -347,17 +347,18 @@ void dccp_ackvec_clear_state(struct dccp_ackvec *av, const u64 ackno)
> }
>
> /*
> - * Routines to keep track of Ack Vectors received in an skb
> + * Routines to keep track of Ack Vectors copied from the received skb
> */
> int dccp_ackvec_parsed_add(struct list_head *head, u8 *vec, u8 len, u8 nonce)
> {
> - struct dccp_ackvec_parsed *new = kmalloc(sizeof(*new), GFP_ATOMIC);
> -
> + struct dccp_ackvec_parsed *new = kmalloc(struct_size(new, vec, len),
> + GFP_ATOMIC);
> if (new == NULL)
> return -ENOBUFS;
> - new->vec = vec;
> - new->len = len;
> +
> + new->len = len;
> new->nonce = nonce;
> + memcpy(new->vec, vec, len);
>
> list_add_tail(&new->node, head);
> return 0;
> diff --git a/net/dccp/ackvec.h b/net/dccp/ackvec.h
> index d2c4220fb377..491fd587de90 100644
> --- a/net/dccp/ackvec.h
> +++ b/net/dccp/ackvec.h
> @@ -117,18 +117,18 @@ static inline bool dccp_ackvec_is_empty(const struct dccp_ackvec *av)
>
> /**
> * struct dccp_ackvec_parsed - Record offsets of Ack Vectors in skb
> - * @vec: start of vector (offset into skb)
> + * @vec: contents of ack vector (copied from skb)
> * @len: length of @vec
> * @nonce: whether @vec had an ECN nonce of 0 or 1
> * @node: FIFO - arranged in descending order of ack_ackno
> *
> - * This structure is used by CCIDs to access Ack Vectors in a received skb.
> + * This structure is used by CCIDs to access Ack Vectors from the received skb.
> */
> struct dccp_ackvec_parsed {
> - u8 *vec,
> - len,
> - nonce:1;
> struct list_head node;
> + u8 len;
> + u8 nonce:1;
> + u8 vec[] __counted_by(len);
> };
>
> int dccp_ackvec_parsed_add(struct list_head *head, u8 *vec, u8 len, u8 nonce);
> diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
> index d6b30700af67..a1f2da3c4fa9 100644
> --- a/net/dccp/ccids/ccid2.c
> +++ b/net/dccp/ccids/ccid2.c
> @@ -589,14 +589,15 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
> /* go through all ack vectors */
> list_for_each_entry(avp, &hc->tx_av_chunks, node) {
> /* go through this ack vector */
> - for (; avp->len--; avp->vec++) {
> + u8 *v;
> + for (v = avp->vec; v < avp->vec + avp->len--; v++) {
> u64 ackno_end_rl = SUB48(ackno,
> - dccp_ackvec_runlen(avp->vec));
> + dccp_ackvec_runlen(v));
>
> ccid2_pr_debug("ackvec %llu |%u,%u|\n",
> (unsigned long long)ackno,
> - dccp_ackvec_state(avp->vec) >> 6,
> - dccp_ackvec_runlen(avp->vec));
> + dccp_ackvec_state(v) >> 6,
> + dccp_ackvec_runlen(v));
> /* if the seqno we are analyzing is larger than the
> * current ackno, then move towards the tail of our
> * seqnos.
> @@ -615,7 +616,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
> * run length
> */
> while (between48(seqp->ccid2s_seq,ackno_end_rl,ackno)) {
> - const u8 state = dccp_ackvec_state(avp->vec);
> + const u8 state = dccp_ackvec_state(v);
>
> /* new packet received or marked */
> if (state != DCCPAV_NOT_RECEIVED &&
>
> Comments are highly appreciated.
I wouldn't touch DCCP anymore unless the change is required for TCP.
(see b144fcaf46d43)