* Re: net: GPF in netlink_getsockbyportid
[not found] <CACT4Y+Zmwr0VbfB5RAoLTCJJAF7epZWbbMkHxtXUwvF3tXbrgQ@mail.gmail.com>
@ 2016-01-23 19:25 ` Florian Westphal
2016-01-23 20:05 ` Daniel Borkmann
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2016-01-23 19:25 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: David S. Miller, Herbert Xu, Thomas Graf, Daniel Borkmann,
Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann,
Nicolas Dichtel, Florian Westphal, netdev, LKML, syzkaller,
Kostya Serebryany, Alexander Potapenko, Sasha Levin,
netfilter-devel
Dmitry Vyukov <dvyukov@google.com> wrote:
[ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ]
> The following program causes GPF in netlink_getsockbyportid:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <pthread.h>
> #include <stdint.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
>
> int main()
> {
> syscall(SYS_mmap, 0x20000000ul, 0xe65000ul, 0x3ul, 0x32ul,
> 0xfffffffffffffffful, 0x0ul);
> int fd = syscall(SYS_socket, 0x10ul, 0x803ul, 0xcul, 0, 0, 0);
> *(uint32_t*)0x20e64000 = (uint32_t)0x28;
> *(uint32_t*)0x20e64004 = (uint32_t)0x10;
> *(uint64_t*)0x20e64008 = (uint64_t)0x0;
> *(uint64_t*)0x20e64010 = (uint64_t)0x3;
> *(uint64_t*)0x20e64018 = (uint64_t)0xfff;
> *(uint16_t*)0x20e64020 = (uint16_t)0x5;
> syscall(SYS_write, fd, 0x20e64000ul, 0x28ul, 0, 0, 0);
> return 0;
> }
CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
root cause is in nfnetlink_rcv_batch():
296 replay:
297 status = 0;
298
299 skb = netlink_skb_clone(oskb, GFP_KERNEL);
The clone op doesn't copy oskb->sk, so we oops in
__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
tries to send netlink ack.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: GPF in netlink_getsockbyportid
2016-01-23 19:25 ` net: GPF in netlink_getsockbyportid Florian Westphal
@ 2016-01-23 20:05 ` Daniel Borkmann
2016-01-24 0:11 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Daniel Borkmann @ 2016-01-23 20:05 UTC (permalink / raw)
To: Florian Westphal, Dmitry Vyukov
Cc: David S. Miller, Herbert Xu, Thomas Graf, Ken-ichirou MATSUZAWA,
Eric Dumazet, David Herrmann, Nicolas Dichtel, netdev, LKML,
syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin,
netfilter-devel
On 01/23/2016 08:25 PM, Florian Westphal wrote:
> Dmitry Vyukov <dvyukov@google.com> wrote:
>
> [ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ]
>
>> The following program causes GPF in netlink_getsockbyportid:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <pthread.h>
>> #include <stdint.h>
>> #include <string.h>
>> #include <sys/syscall.h>
>> #include <unistd.h>
>>
>> int main()
>> {
>> syscall(SYS_mmap, 0x20000000ul, 0xe65000ul, 0x3ul, 0x32ul,
>> 0xfffffffffffffffful, 0x0ul);
>> int fd = syscall(SYS_socket, 0x10ul, 0x803ul, 0xcul, 0, 0, 0);
>> *(uint32_t*)0x20e64000 = (uint32_t)0x28;
>> *(uint32_t*)0x20e64004 = (uint32_t)0x10;
>> *(uint64_t*)0x20e64008 = (uint64_t)0x0;
>> *(uint64_t*)0x20e64010 = (uint64_t)0x3;
>> *(uint64_t*)0x20e64018 = (uint64_t)0xfff;
>> *(uint16_t*)0x20e64020 = (uint16_t)0x5;
>> syscall(SYS_write, fd, 0x20e64000ul, 0x28ul, 0, 0, 0);
>> return 0;
>> }
>
> CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
>
> root cause is in nfnetlink_rcv_batch():
>
> 296 replay:
> 297 status = 0;
> 298
> 299 skb = netlink_skb_clone(oskb, GFP_KERNEL);
>
> The clone op doesn't copy oskb->sk, so we oops in
> __netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> tries to send netlink ack.
If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
to call into skb_clone() as it would access skb shared info data that
can be controlled by the user space mmap buffer, iirc, we had that in
the past with nlmon where skb_clone() was accidentally used.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: GPF in netlink_getsockbyportid
2016-01-23 20:05 ` Daniel Borkmann
@ 2016-01-24 0:11 ` Florian Westphal
2016-01-25 10:03 ` Herbert Xu
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2016-01-24 0:11 UTC (permalink / raw)
To: Daniel Borkmann
Cc: Florian Westphal, Dmitry Vyukov, David S. Miller, Herbert Xu,
Thomas Graf, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann,
Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany,
Alexander Potapenko, Sasha Levin, netfilter-devel
Daniel Borkmann <daniel@iogearbox.net> wrote:
> On 01/23/2016 08:25 PM, Florian Westphal wrote:
> >Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> >[ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ]
> >
> >>The following program causes GPF in netlink_getsockbyportid:
[..]
> >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> >
> >root cause is in nfnetlink_rcv_batch():
> >
> >296 replay:
> >297 status = 0;
> >298
> >299 skb = netlink_skb_clone(oskb, GFP_KERNEL);
> >
> >The clone op doesn't copy oskb->sk, so we oops in
> >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> >tries to send netlink ack.
>
> If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> to call into skb_clone()
Right, but in this case there is no mmap'd netlink sk involved -- we
crash when we try to look up dst netlink socket to see if there is an
mmap'd ring attached.
[ and that code isn't there with CONFIG_NETLINK_MMAP=n ].
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: GPF in netlink_getsockbyportid
2016-01-24 0:11 ` Florian Westphal
@ 2016-01-25 10:03 ` Herbert Xu
2016-01-25 10:17 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Herbert Xu @ 2016-01-25 10:03 UTC (permalink / raw)
To: Florian Westphal
Cc: Daniel Borkmann, Dmitry Vyukov, David S. Miller, Thomas Graf,
Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann,
Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany,
Alexander Potapenko, Sasha Levin, netfilter-devel,
Pablo Neira Ayuso
On Sun, Jan 24, 2016 at 01:11:03AM +0100, Florian Westphal wrote:
> Daniel Borkmann <daniel@iogearbox.net> wrote:
> > On 01/23/2016 08:25 PM, Florian Westphal wrote:
> > >Dmitry Vyukov <dvyukov@google.com> wrote:
> > >
> > >[ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ]
> > >
> > >>The following program causes GPF in netlink_getsockbyportid:
> [..]
>
> > >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> > >
> > >root cause is in nfnetlink_rcv_batch():
> > >
> > >296 replay:
> > >297 status = 0;
> > >298
> > >299 skb = netlink_skb_clone(oskb, GFP_KERNEL);
> > >
> > >The clone op doesn't copy oskb->sk, so we oops in
> > >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> > >tries to send netlink ack.
> >
> > If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> > to call into skb_clone()
>
> Right, but in this case there is no mmap'd netlink sk involved -- we
> crash when we try to look up dst netlink socket to see if there is an
> mmap'd ring attached.
>
> [ and that code isn't there with CONFIG_NETLINK_MMAP=n ].
Let's CC Pablo since he wrote the code in question.
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net: GPF in netlink_getsockbyportid
2016-01-25 10:03 ` Herbert Xu
@ 2016-01-25 10:17 ` Pablo Neira Ayuso
0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2016-01-25 10:17 UTC (permalink / raw)
To: Herbert Xu
Cc: Florian Westphal, Daniel Borkmann, Dmitry Vyukov, David S. Miller,
Thomas Graf, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann,
Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany,
Alexander Potapenko, Sasha Levin, netfilter-devel
On Mon, Jan 25, 2016 at 06:03:41PM +0800, Herbert Xu wrote:
> On Sun, Jan 24, 2016 at 01:11:03AM +0100, Florian Westphal wrote:
> > Daniel Borkmann <daniel@iogearbox.net> wrote:
> > > On 01/23/2016 08:25 PM, Florian Westphal wrote:
> > > >Dmitry Vyukov <dvyukov@google.com> wrote:
> > > >
> > > >[ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ]
> > > >
> > > >>The following program causes GPF in netlink_getsockbyportid:
> > [..]
> >
> > > >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> > > >
> > > >root cause is in nfnetlink_rcv_batch():
> > > >
> > > >296 replay:
> > > >297 status = 0;
> > > >298
> > > >299 skb = netlink_skb_clone(oskb, GFP_KERNEL);
> > > >
> > > >The clone op doesn't copy oskb->sk, so we oops in
> > > >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> > > >tries to send netlink ack.
> > >
> > > If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> > > to call into skb_clone()
> >
> > Right, but in this case there is no mmap'd netlink sk involved -- we
> > crash when we try to look up dst netlink socket to see if there is an
> > mmap'd ring attached.
> >
> > [ and that code isn't there with CONFIG_NETLINK_MMAP=n ].
>
> Let's CC Pablo since he wrote the code in question.
I have just sent this patch:
http://patchwork.ozlabs.org/patch/572489/
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-01-25 10:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CACT4Y+Zmwr0VbfB5RAoLTCJJAF7epZWbbMkHxtXUwvF3tXbrgQ@mail.gmail.com>
2016-01-23 19:25 ` net: GPF in netlink_getsockbyportid Florian Westphal
2016-01-23 20:05 ` Daniel Borkmann
2016-01-24 0:11 ` Florian Westphal
2016-01-25 10:03 ` Herbert Xu
2016-01-25 10:17 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).