* KASAN: use-after-free Read in ipv6_gso_pull_exthdrs
@ 2018-06-18 13:31 syzbot
2018-07-06 17:52 ` syzbot
0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2018-06-18 13:31 UTC (permalink / raw)
To: davem, kuznet, linux-kernel, netdev, syzkaller-bugs, yoshfuji
Hello,
syzbot found the following crash on:
HEAD commit: f0dc7f9c6dd9 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1463121f800000
kernel config: https://syzkaller.appspot.com/x/.config?x=fa9c20c48788d1c1
dashboard link: https://syzkaller.appspot.com/bug?extid=7b9ed9872dab8c32305d
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs+0x53e/0x5d0
net/ipv6/ip6_offload.c:45
Read of size 1 at addr ffff8801cf0d7769 by task syz-executor0/21808
CPU: 1 PID: 21808 Comm: syz-executor0 Not tainted 4.17.0+ #84
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
ipv6_gso_pull_exthdrs+0x53e/0x5d0 net/ipv6/ip6_offload.c:45
netlink: 48 bytes leftover after parsing attributes in process
`syz-executor6'.
ipv6_gso_segment+0x372/0x11c0 net/ipv6/ip6_offload.c:87
skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111
skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
__skb_gso_segment+0x3bb/0x870 net/core/dev.c:2865
skb_gso_segment include/linux/netdevice.h:4079 [inline]
validate_xmit_skb+0x638/0xf20 net/core/dev.c:3104
__dev_queue_xmit+0xc0c/0x3900 net/core/dev.c:3561
dev_queue_xmit+0x17/0x20 net/core/dev.c:3602
packet_snd net/packet/af_packet.c:2921 [inline]
packet_sendmsg+0x4275/0x6100 net/packet/af_packet.c:2946
sock_sendmsg_nosec net/socket.c:645 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:655
__sys_sendto+0x3d7/0x670 net/socket.c:1833
__do_sys_sendto net/socket.c:1845 [inline]
__se_sys_sendto net/socket.c:1841 [inline]
__x64_sys_sendto+0xe1/0x1a0 net/socket.c:1841
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455b29
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1665cd0c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f1665cd16d4 RCX: 0000000000455b29
RDX: 000000000000020b RSI: 00000000200016c0 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 00000000200000c0 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c0eb8 R14: 00000000004d0960 R15: 0000000000000000
Allocated by task 21219:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
getname_flags+0xd0/0x5a0 fs/namei.c:140
user_path_at_empty+0x2d/0x50 fs/namei.c:2555
user_path_at include/linux/namei.h:57 [inline]
do_faccessat+0x24a/0x7c0 fs/open.c:389
__do_sys_access fs/open.c:441 [inline]
__se_sys_access fs/open.c:439 [inline]
__x64_sys_access+0x59/0x80 fs/open.c:439
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 21219:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
putname+0xf2/0x130 fs/namei.c:261
filename_lookup+0x38b/0x4f0 fs/namei.c:2330
user_path_at_empty+0x40/0x50 fs/namei.c:2555
user_path_at include/linux/namei.h:57 [inline]
do_faccessat+0x24a/0x7c0 fs/open.c:389
__do_sys_access fs/open.c:441 [inline]
__se_sys_access fs/open.c:439 [inline]
__x64_sys_access+0x59/0x80 fs/open.c:439
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801cf0d6d00
which belongs to the cache names_cache of size 4096
The buggy address is located 2665 bytes inside of
4096-byte region [ffff8801cf0d6d00, ffff8801cf0d7d00)
The buggy address belongs to the page:
page:ffffea00073c3580 count:1 mapcount:0 mapping:ffff8801da986dc0 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea00073c3508 ffffea0006a10008 ffff8801da986dc0
raw: 0000000000000000 ffff8801cf0d6d00 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801cf0d7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cf0d7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801cf0d7700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cf0d7780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cf0d7800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs 2018-06-18 13:31 KASAN: use-after-free Read in ipv6_gso_pull_exthdrs syzbot @ 2018-07-06 17:52 ` syzbot 2018-07-06 22:16 ` Willem de Bruijn 0 siblings, 1 reply; 7+ messages in thread From: syzbot @ 2018-07-06 17:52 UTC (permalink / raw) To: davem, kuznet, linux-kernel, netdev, syzkaller-bugs, yoshfuji syzbot has found a reproducer for the following crash on: HEAD commit: 70ba5b6db96f ipv4: Return EINVAL when ping_group_range sys.. git tree: net console output: https://syzkaller.appspot.com/x/log.txt?x=13cd2970400000 kernel config: https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86 dashboard link: https://syzkaller.appspot.com/bug?extid=7b9ed9872dab8c32305d compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15dfb748400000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1050c400000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready 8021q: adding VLAN 0 to HW filter on device team0 ================================================================== BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs+0x57a/0x5f0 net/ipv6/ip6_offload.c:45 Read of size 1 at addr ffff8801ce17f3a9 by task syz-executor655/4567 CPU: 1 PID: 4567 Comm: syz-executor655 Not tainted 4.18.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 ipv6_gso_pull_exthdrs+0x57a/0x5f0 net/ipv6/ip6_offload.c:45 ipv6_gso_segment+0x37a/0x11e0 net/ipv6/ip6_offload.c:87 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 __skb_gso_segment+0x3c3/0x880 net/core/dev.c:2865 skb_gso_segment include/linux/netdevice.h:4099 [inline] validate_xmit_skb+0x640/0xf30 net/core/dev.c:3104 __dev_queue_xmit+0xc14/0x3910 net/core/dev.c:3561 dev_queue_xmit+0x17/0x20 net/core/dev.c:3602 packet_snd net/packet/af_packet.c:2919 [inline] packet_sendmsg+0x428e/0x6130 net/packet/af_packet.c:2944 sock_sendmsg_nosec net/socket.c:641 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:651 __sys_sendto+0x3d7/0x670 net/socket.c:1797 __do_sys_sendto net/socket.c:1809 [inline] __se_sys_sendto net/socket.c:1805 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1805 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x441de9 Code: 25 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00000000007dfe28 EFLAGS: 00000212 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000021 RCX: 0000000000441de9 RDX: 0000000000000012 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000004a3f10 R08: 00000000200000c0 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000212 R12: 00000000007dff68 R13: 0000000000403090 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 3516: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 kmem_cache_zalloc include/linux/slab.h:697 [inline] get_empty_filp+0x12d/0x530 fs/file_table.c:122 path_openat+0x11e/0x4e10 fs/namei.c:3516 do_filp_open+0x255/0x380 fs/namei.c:3574 do_sys_open+0x584/0x760 fs/open.c:1101 __do_sys_open fs/open.c:1119 [inline] __se_sys_open fs/open.c:1114 [inline] __x64_sys_open+0x7e/0xc0 fs/open.c:1114 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 3519: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 file_free_rcu+0x6f/0x90 fs/file_table.c:49 __rcu_reclaim kernel/rcu/rcu.h:178 [inline] rcu_do_batch kernel/rcu/tree.c:2558 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline] rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288 The buggy address belongs to the object at ffff8801ce17f280 which belongs to the cache filp of size 456 The buggy address is located 297 bytes inside of 456-byte region [ffff8801ce17f280, ffff8801ce17f448) The buggy address belongs to the page: page:ffffea0007385fc0 count:1 mapcount:0 mapping:ffff8801da987940 index:0xffff8801ce17f780 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0007368048 ffffea0007368148 ffff8801da987940 raw: ffff8801ce17f780 ffff8801ce17f000 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801ce17f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ce17f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff8801ce17f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ce17f400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc ffff8801ce17f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs 2018-07-06 17:52 ` syzbot @ 2018-07-06 22:16 ` Willem de Bruijn 2018-07-08 22:58 ` Willem de Bruijn 0 siblings, 1 reply; 7+ messages in thread From: Willem de Bruijn @ 2018-07-06 22:16 UTC (permalink / raw) To: syzbot+7b9ed9872dab8c32305d Cc: David Miller, Alexey Kuznetsov, LKML, Network Development, syzkaller-bugs, Hideaki YOSHIFUJI On Fri, Jul 6, 2018 at 1:55 PM syzbot <syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com> wrote: > > syzbot has found a reproducer for the following crash on: > > HEAD commit: 70ba5b6db96f ipv4: Return EINVAL when ping_group_range sys.. > git tree: net > console output: https://syzkaller.appspot.com/x/log.txt?x=13cd2970400000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86 > dashboard link: https://syzkaller.appspot.com/bug?extid=7b9ed9872dab8c32305d > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15dfb748400000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1050c400000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com > > IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready > IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready > 8021q: adding VLAN 0 to HW filter on device team0 > ================================================================== > BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs+0x57a/0x5f0 > net/ipv6/ip6_offload.c:45 > Read of size 1 at addr ffff8801ce17f3a9 by task syz-executor655/4567 This is an 8 byte packet with a virtio_net_hdr describing it as VIRTIO_NET_HDR_GSO_TCPV4, but with protocol ETH_P_NSH. That matches the occurrence of nsh_gso_segment in the stack trace. This pulls the struct nshhdr of 8B, passing a packet with skb->len 0 to skb_mac_gso_segment. That is the only GRO function that unconditionally calls _skb_pull without first checking pskb_may_pull. Adding that check does catch this: + if (unlikely(!pskb_may_pull(skb, vlan_depth))) + return ERR_PTR(-EINVAL); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs 2018-07-06 22:16 ` Willem de Bruijn @ 2018-07-08 22:58 ` Willem de Bruijn 2018-07-08 23:18 ` Willem de Bruijn 2018-07-11 10:07 ` Jiri Benc 0 siblings, 2 replies; 7+ messages in thread From: Willem de Bruijn @ 2018-07-08 22:58 UTC (permalink / raw) To: syzbot+7b9ed9872dab8c32305d Cc: David Miller, Alexey Kuznetsov, LKML, Network Development, syzkaller-bugs, Hideaki YOSHIFUJI, Jiri Benc On Fri, Jul 6, 2018 at 6:16 PM Willem de Bruijn <willemdebruijn.kernel@gmail.com> wrote: > > On Fri, Jul 6, 2018 at 1:55 PM syzbot > <syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com> wrote: > > > > syzbot has found a reproducer for the following crash on: > > > > HEAD commit: 70ba5b6db96f ipv4: Return EINVAL when ping_group_range sys.. > > git tree: net > > console output: https://syzkaller.appspot.com/x/log.txt?x=13cd2970400000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86 > > dashboard link: https://syzkaller.appspot.com/bug?extid=7b9ed9872dab8c32305d > > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15dfb748400000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1050c400000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com > > > > IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready > > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready > > IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready > > 8021q: adding VLAN 0 to HW filter on device team0 > > ================================================================== > > BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs+0x57a/0x5f0 > > net/ipv6/ip6_offload.c:45 > > Read of size 1 at addr ffff8801ce17f3a9 by task syz-executor655/4567 > > This is an 8 byte packet with a virtio_net_hdr describing it as > VIRTIO_NET_HDR_GSO_TCPV4, but with protocol ETH_P_NSH. That > matches the occurrence of nsh_gso_segment in the stack trace. > > This pulls the struct nshhdr of 8B, passing a packet with skb->len 0 > to skb_mac_gso_segment. That is the only GRO function that > unconditionally calls _skb_pull without first checking pskb_may_pull. > Adding that check does catch this: > > + if (unlikely(!pskb_may_pull(skb, vlan_depth))) > + return ERR_PTR(-EINVAL); vlan_depth is 65528 when entering skb_mac_gso_segment due to overflow of skb->mac_len in nsh_gso_segment. For this packet, the outer mac len is zero, so skb->data == skb_mac_header(skb). Then skb_reset_network_header(skb); [...] __skb_pull(skb, nsh_len); skb_reset_mac_header(skb); // now mac hdr starts nsh_len == 8B after net hdr skb_reset_mac_len(skb); // mac len = net hdr - mac hdr == (u16) -8 == 65528 [..] skb_mac_gso_segment(skb, ..) Setting skb->mac_len to 0, similar to mpls_gs_segment, is sufficient if the encapsulated packet is not ETH_P_TEB. If the packet is encapsulated at L2, __skb_pull(skb, vlan_depth) has to pull the inner mac header before passing to l3 handlers like inet_gso_segment. If that header includes VLAN tags, skb_network_protocol will parse then and update the mac length in vlan_depth. So hardcoding to ETH_HLEN should be fine: @@ -104,7 +95,7 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, __skb_pull(skb, nsh_len); skb_reset_mac_header(skb); - skb_reset_mac_len(skb); + skb->mac_len = proto == ETH_P_TEB ? ETH_HLEN : 0; skb->protocol = proto; features &= NETIF_F_SG; ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs 2018-07-08 22:58 ` Willem de Bruijn @ 2018-07-08 23:18 ` Willem de Bruijn 2018-07-11 10:07 ` Jiri Benc 1 sibling, 0 replies; 7+ messages in thread From: Willem de Bruijn @ 2018-07-08 23:18 UTC (permalink / raw) To: syzbot+7b9ed9872dab8c32305d Cc: David Miller, Alexey Kuznetsov, LKML, Network Development, syzkaller-bugs, Hideaki YOSHIFUJI, Jiri Benc On Sun, Jul 8, 2018 at 6:58 PM Willem de Bruijn <willemdebruijn.kernel@gmail.com> wrote: > > On Fri, Jul 6, 2018 at 6:16 PM Willem de Bruijn > <willemdebruijn.kernel@gmail.com> wrote: > > > > On Fri, Jul 6, 2018 at 1:55 PM syzbot > > <syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com> wrote: > > > > > > syzbot has found a reproducer for the following crash on: > > > > > > HEAD commit: 70ba5b6db96f ipv4: Return EINVAL when ping_group_range sys.. > > > git tree: net > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13cd2970400000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7b9ed9872dab8c32305d > > > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15dfb748400000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1050c400000 > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > Reported-by: syzbot+7b9ed9872dab8c32305d@syzkaller.appspotmail.com > > > > > > IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready > > > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready > > > IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready > > > 8021q: adding VLAN 0 to HW filter on device team0 > > > ================================================================== > > > BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs+0x57a/0x5f0 > > > net/ipv6/ip6_offload.c:45 > > > Read of size 1 at addr ffff8801ce17f3a9 by task syz-executor655/4567 > > > > This is an 8 byte packet with a virtio_net_hdr describing it as > > VIRTIO_NET_HDR_GSO_TCPV4, but with protocol ETH_P_NSH. That > > matches the occurrence of nsh_gso_segment in the stack trace. > > > > This pulls the struct nshhdr of 8B, passing a packet with skb->len 0 > > to skb_mac_gso_segment. That is the only GRO function that > > unconditionally calls _skb_pull without first checking pskb_may_pull. > > Adding that check does catch this: > > > > + if (unlikely(!pskb_may_pull(skb, vlan_depth))) > > + return ERR_PTR(-EINVAL); > > vlan_depth is 65528 when entering skb_mac_gso_segment due to > overflow of skb->mac_len in nsh_gso_segment. For this packet, the > outer mac len is zero, so skb->data == skb_mac_header(skb). Then > > skb_reset_network_header(skb); > [...] > __skb_pull(skb, nsh_len); > skb_reset_mac_header(skb); // now mac hdr starts nsh_len == 8B > after net hdr > skb_reset_mac_len(skb); // mac len = net hdr - mac hdr == > (u16) -8 == 65528 > [..] > skb_mac_gso_segment(skb, ..) > > Setting skb->mac_len to 0, similar to mpls_gs_segment, > is sufficient if the encapsulated packet is not ETH_P_TEB. > > If the packet is encapsulated at L2, __skb_pull(skb, vlan_depth) > has to pull the inner mac header before passing to l3 handlers like > inet_gso_segment. > > If that header includes VLAN tags, skb_network_protocol will > parse then and update the mac length in vlan_depth. So > hardcoding to ETH_HLEN should be fine: > > @@ -104,7 +95,7 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, > __skb_pull(skb, nsh_len); > > skb_reset_mac_header(skb); > - skb_reset_mac_len(skb); > + skb->mac_len = proto == ETH_P_TEB ? ETH_HLEN : 0; Well, htons(ETH_P_TEB) but after this patch the reproducer no longer triggers. ipv6_gso_segment will catch the zero length inner packet with pskb_may_pull. skb_mac_gso_segment itself does not strictly need a pskb_may_pull, as skb_network_protocol calls pskb_may_pull when processing ETH_P_TEB and VLAN headers. Still, adding this would help catch bugs in callers sooner: - if (unlikely(!type)) + if (unlikely(!type || !pskb_may_pull(skb, vlan_depth))) return ERR_PTR(-EINVAL); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs 2018-07-08 22:58 ` Willem de Bruijn 2018-07-08 23:18 ` Willem de Bruijn @ 2018-07-11 10:07 ` Jiri Benc 2018-07-11 16:08 ` Willem de Bruijn 1 sibling, 1 reply; 7+ messages in thread From: Jiri Benc @ 2018-07-11 10:07 UTC (permalink / raw) To: Willem de Bruijn Cc: syzbot+7b9ed9872dab8c32305d, David Miller, Alexey Kuznetsov, LKML, Network Development, syzkaller-bugs, Hideaki YOSHIFUJI Sorry for the delayed reply, I'm working through a pile of stuff after being off. On Sun, 8 Jul 2018 18:58:14 -0400, Willem de Bruijn wrote: > Setting skb->mac_len to 0, similar to mpls_gs_segment, > is sufficient if the encapsulated packet is not ETH_P_TEB. > > If the packet is encapsulated at L2, __skb_pull(skb, vlan_depth) > has to pull the inner mac header before passing to l3 handlers like > inet_gso_segment. > > If that header includes VLAN tags, skb_network_protocol will > parse then and update the mac length in vlan_depth. So > hardcoding to ETH_HLEN should be fine: > > @@ -104,7 +95,7 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, > __skb_pull(skb, nsh_len); > > skb_reset_mac_header(skb); > - skb_reset_mac_len(skb); > + skb->mac_len = proto == ETH_P_TEB ? ETH_HLEN : 0; > skb->protocol = proto; > > features &= NETIF_F_SG; I agree. I think my original intention was to set mac_len to 0. Which is obviously not done by calling skb_reset_mac_len... Strangely, skb_network_protocol does not set *depth to ETH_HLEN if it is 0 and the type is ETH_P_TEB, which is something I would expect it to do. Thus we indeed have to differentiate between the two cases before calling skb_mac_gso_segment. Willem, will you send the patch formally (with the htons fix)? Thanks a lot for the analysis and the patch! Jiri ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in ipv6_gso_pull_exthdrs 2018-07-11 10:07 ` Jiri Benc @ 2018-07-11 16:08 ` Willem de Bruijn 0 siblings, 0 replies; 7+ messages in thread From: Willem de Bruijn @ 2018-07-11 16:08 UTC (permalink / raw) To: Jiri Benc Cc: syzbot+7b9ed9872dab8c32305d, David Miller, Alexey Kuznetsov, LKML, Network Development, syzkaller-bugs, Hideaki YOSHIFUJI On Wed, Jul 11, 2018 at 6:07 AM Jiri Benc <jbenc@redhat.com> wrote: > > Sorry for the delayed reply, I'm working through a pile of stuff after > being off. > > On Sun, 8 Jul 2018 18:58:14 -0400, Willem de Bruijn wrote: > > Setting skb->mac_len to 0, similar to mpls_gs_segment, > > is sufficient if the encapsulated packet is not ETH_P_TEB. > > > > If the packet is encapsulated at L2, __skb_pull(skb, vlan_depth) > > has to pull the inner mac header before passing to l3 handlers like > > inet_gso_segment. > > > > If that header includes VLAN tags, skb_network_protocol will > > parse then and update the mac length in vlan_depth. So > > hardcoding to ETH_HLEN should be fine: > > > > @@ -104,7 +95,7 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, > > __skb_pull(skb, nsh_len); > > > > skb_reset_mac_header(skb); > > - skb_reset_mac_len(skb); > > + skb->mac_len = proto == ETH_P_TEB ? ETH_HLEN : 0; > > skb->protocol = proto; > > > > features &= NETIF_F_SG; > > I agree. I think my original intention was to set mac_len to 0. Which > is obviously not done by calling skb_reset_mac_len... > > Strangely, skb_network_protocol does not set *depth to ETH_HLEN if it > is 0 and the type is ETH_P_TEB, which is something I would expect it to > do. Thus we indeed have to differentiate between the two cases before > calling skb_mac_gso_segment. > > Willem, will you send the patch formally (with the htons fix)? Thanks a > lot for the analysis and the patch! Thanks for verifying, Jiri. Posted as http://patchwork.ozlabs.org/patch/942588/. I forgot to cc: you directly in git send-email, sorry. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-07-11 16:08 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-06-18 13:31 KASAN: use-after-free Read in ipv6_gso_pull_exthdrs syzbot 2018-07-06 17:52 ` syzbot 2018-07-06 22:16 ` Willem de Bruijn 2018-07-08 22:58 ` Willem de Bruijn 2018-07-08 23:18 ` Willem de Bruijn 2018-07-11 10:07 ` Jiri Benc 2018-07-11 16:08 ` Willem de Bruijn
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).