[PATCH net] ipv6: fix possible use after free of dev stats

[PATCH net] ipv6: fix possible use after free of dev stats

[Robert Shearman]

The memory pointed to by idev->stats.icmpv6msgdev,
idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU
read context without taking a reference on idev. For example, through
IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without
waiting for an RCU grace period to elapse. This could lead to the
memory being written to after it has been freed.

Fix this by using call_rcu to free the memory used for stats, as well
as idev after an RCU grace period has elapsed.

Signed-off-by: Robert Shearman <rshearma@brocade.com>
---
I have no evidence of this causing any problems in reality - this
issue was found by inspection.

 net/ipv6/addrconf_core.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index d873ceea86e6..ca09bf49ac68 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -133,6 +133,14 @@ static void snmp6_free_dev(struct inet6_dev *idev)
 	free_percpu(idev->stats.ipv6);
 }
 
+static void in6_dev_finish_destroy_rcu(struct rcu_head *head)
+{
+	struct inet6_dev *idev = container_of(head, struct inet6_dev, rcu);
+
+	snmp6_free_dev(idev);
+	kfree(idev);
+}
+
 /* Nobody refers to this device, we may destroy it. */
 
 void in6_dev_finish_destroy(struct inet6_dev *idev)
@@ -151,7 +159,6 @@ void in6_dev_finish_destroy(struct inet6_dev *idev)
 		pr_warn("Freeing alive inet6 device %p\n", idev);
 		return;
 	}
-	snmp6_free_dev(idev);
-	kfree_rcu(idev, rcu);
+	call_rcu(&idev->rcu, in6_dev_finish_destroy_rcu);
 }
 EXPORT_SYMBOL(in6_dev_finish_destroy);
-- 
2.1.4

Re: [PATCH net] ipv6: fix possible use after free of dev stats

[Hannes Frederic Sowa]

On Fr, 2015-06-05 at 18:51 +0100, Robert Shearman wrote:
> The memory pointed to by idev->stats.icmpv6msgdev,
> idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU
> read context without taking a reference on idev. For example, through
> IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without
> waiting for an RCU grace period to elapse. This could lead to the
> memory being written to after it has been freed.
> 
> Fix this by using call_rcu to free the memory used for stats, as well
> as idev after an RCU grace period has elapsed.
> 
> Signed-off-by: Robert Shearman <rshearma@brocade.com>

Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

Thanks!

Re: [PATCH net] ipv6: fix possible use after free of dev stats

[David Miller]

From: Robert Shearman <rshearma@brocade.com>
Date: Fri, 5 Jun 2015 18:51:54 +0100

> The memory pointed to by idev->stats.icmpv6msgdev,
> idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU
> read context without taking a reference on idev. For example, through
> IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without
> waiting for an RCU grace period to elapse. This could lead to the
> memory being written to after it has been freed.
> 
> Fix this by using call_rcu to free the memory used for stats, as well
> as idev after an RCU grace period has elapsed.
> 
> Signed-off-by: Robert Shearman <rshearma@brocade.com>

Applied.