From: Al Viro <viro@ZenIV.linux.org.uk>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>,
Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
Jiri Pirko <jiri@resnulli.us>, David Miller <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL
Date: Fri, 31 Aug 2018 05:03:33 +0100 [thread overview]
Message-ID: <20180831040333.GA20509@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20180828155938.GF6515@ZenIV.linux.org.uk>
On Tue, Aug 28, 2018 at 04:59:38PM +0100, Al Viro wrote:
> On Tue, Aug 28, 2018 at 01:03:10AM +0100, Al Viro wrote:
> > if (tcf_exts_get_net(&n->exts))
> > tcf_queue_work(&n->rwork, u32_delete_key_freepf_work);
> > else
> > u32_destroy_key(n->tp, n, true);
> > ... and we hit u32_destroy_key(<tp>, <knode>, true), which does
>
> Speaking of which, we'd better never hit that branch for other reasons - there's
> no RCU delay between removal of knode from the hash chain and its kfree().
> tcf_queue_work() does guarantee such delay (by use of queue_rcu_work()), direct
> call doesn't...
>
> Anyway, whichever branch is taken, the memory corruption problem remains - the
> comments below are accurate, AFAICS.
>
> > Incidentally, if we hit
> > tcf_queue_work(&n->rwork, u32_delete_key_freepf_work);
> > instead of u32_destroy_key(), the things don't seem to be any better - we
> > won't do anything to <knode> until rtnl is dropped, so u32_destroy() won't
> > break on the second pass through the loop - it'll free <ht0> there and
> > return. Setting us up for trouble, since when u32_delete_key_freepf_work()
> > finally gets to u32_destroy_key() we'll have <knode>->ht_down pointing
> > to freed memory and decrementing its contents...
Build the kernel with slab poisoning and try this:
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 100 handle 1: u32 divisor 1
tc filter add dev eth0 parent ffff: protocol ip prio 200 handle 2: u32 divisor 1
tc filter add dev eth0 parent ffff: protocol ip prio 100 handle 1:0:11 u32 ht 1: link 801: offset at 0 mask 0f00 shift 6 plus 0 eat match ip protocol 6 ff
tc filter delete dev eth0 parent ffff: protocol ip prio 200
tc filter change dev eth0 parent ffff: protocol ip prio 100 handle 1:0:11 u32 ht 1: link 0: offset at 0 mask 0f00 shift 6 plus 0 eat match ip protocol 6 ff
tc filter delete dev eth0 parent ffff: protocol ip prio 100
Then watch it oops in u32_lookup_ht() from u32_get() from tc_del_tfilter()
Oopsing insn: cmp %ebp,0x8(%rbx). RBX: 6b6b6b6b6b6b6b6b, i.e. slab
poison...
What happens is that ht 801: (created when we'd added tcf_proto for prio 200)
gets pinned down by link 801: in the third tc filter add. Then removal of
prio 200 triggers u32_destroy(), dropping refcount on 801: and doing nothing
else to it. Then filter change drops the last reference to 801:, freeing
it. And we have a freed struct tc_u_hnode stuck in the middle of the list...
next prev parent reply other threads:[~2018-08-31 4:03 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-26 5:58 [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL Kees Cook
2018-08-26 6:15 ` Al Viro
2018-08-26 6:19 ` Kees Cook
2018-08-26 17:30 ` Jamal Hadi Salim
2018-08-26 21:56 ` Kees Cook
2018-08-27 11:46 ` Jamal Hadi Salim
2018-08-27 14:08 ` Kees Cook
2018-08-27 14:26 ` Roman Mashak
2018-08-26 17:32 ` Al Viro
2018-08-26 18:57 ` Joe Perches
2018-08-26 21:24 ` Al Viro
2018-08-26 22:26 ` Joe Perches
2018-08-26 22:43 ` Al Viro
2018-08-27 2:00 ` Julia Lawall
2018-08-27 2:35 ` Al Viro
2018-08-27 3:35 ` Julia Lawall
2018-08-27 4:04 ` Al Viro
2018-08-27 4:41 ` Julia Lawall
2018-08-27 1:59 ` Julia Lawall
2018-08-26 22:57 ` Al Viro
2018-08-27 11:57 ` Jamal Hadi Salim
2018-08-27 21:31 ` Cong Wang
2018-08-28 0:03 ` Al Viro
2018-08-28 15:59 ` Al Viro
2018-08-31 4:03 ` Al Viro [this message]
2018-08-29 19:07 ` Cong Wang
2018-08-29 21:33 ` Al Viro
2018-08-26 21:22 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180831040333.GA20509@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).