* Re: net: GPF in netlink_getsockbyportid

From: Florian Westphal
Date: 2016-01-23 19:25 UTC
To: Dmitry Vyukov
Cc: David S. Miller, Herbert Xu, Thomas Graf, Daniel Borkmann, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann, Nicolas Dichtel, Florian Westphal, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, netfilter-devel

Dmitry Vyukov <dvyukov@google.com> wrote:

[ CC nf-devel, not sure if it's nfnetlink fault or NETLINK_MMAP ]

> The following program causes GPF in netlink_getsockbyportid:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <pthread.h>
> #include <stdint.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
>
> int main()
> {
>         syscall(SYS_mmap, 0x20000000ul, 0xe65000ul, 0x3ul, 0x32ul,
>                 0xfffffffffffffffful, 0x0ul);
>         int fd = syscall(SYS_socket, 0x10ul, 0x803ul, 0xcul, 0, 0, 0);
>         *(uint32_t*)0x20e64000 = (uint32_t)0x28;
>         *(uint32_t*)0x20e64004 = (uint32_t)0x10;
>         *(uint64_t*)0x20e64008 = (uint64_t)0x0;
>         *(uint64_t*)0x20e64010 = (uint64_t)0x3;
>         *(uint64_t*)0x20e64018 = (uint64_t)0xfff;
>         *(uint16_t*)0x20e64020 = (uint16_t)0x5;
>         syscall(SYS_write, fd, 0x20e64000ul, 0x28ul, 0, 0, 0);
>         return 0;
> }

CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/

root cause is in nfnetlink_rcv_batch():

296 replay:
297         status = 0;
298
299         skb = netlink_skb_clone(oskb, GFP_KERNEL);

The clone op doesn't copy oskb->sk, so we oops in
__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
tries to send netlink ack.
* Re: net: GPF in netlink_getsockbyportid

From: Daniel Borkmann
Date: 2016-01-23 20:05 UTC
To: Florian Westphal, Dmitry Vyukov
Cc: David S. Miller, Herbert Xu, Thomas Graf, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann, Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, netfilter-devel

On 01/23/2016 08:25 PM, Florian Westphal wrote:
> Dmitry Vyukov <dvyukov@google.com> wrote:
>
> [ CC nf-devel, not sure if it's nfnetlink fault or NETLINK_MMAP ]
>
>> The following program causes GPF in netlink_getsockbyportid:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <pthread.h>
>> #include <stdint.h>
>> #include <string.h>
>> #include <sys/syscall.h>
>> #include <unistd.h>
>>
>> int main()
>> {
>>         syscall(SYS_mmap, 0x20000000ul, 0xe65000ul, 0x3ul, 0x32ul,
>>                 0xfffffffffffffffful, 0x0ul);
>>         int fd = syscall(SYS_socket, 0x10ul, 0x803ul, 0xcul, 0, 0, 0);
>>         *(uint32_t*)0x20e64000 = (uint32_t)0x28;
>>         *(uint32_t*)0x20e64004 = (uint32_t)0x10;
>>         *(uint64_t*)0x20e64008 = (uint64_t)0x0;
>>         *(uint64_t*)0x20e64010 = (uint64_t)0x3;
>>         *(uint64_t*)0x20e64018 = (uint64_t)0xfff;
>>         *(uint16_t*)0x20e64020 = (uint16_t)0x5;
>>         syscall(SYS_write, fd, 0x20e64000ul, 0x28ul, 0, 0, 0);
>>         return 0;
>> }
>
> CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
>
> root cause is in nfnetlink_rcv_batch():
>
> 296 replay:
> 297         status = 0;
> 298
> 299         skb = netlink_skb_clone(oskb, GFP_KERNEL);
>
> The clone op doesn't copy oskb->sk, so we oops in
> __netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> tries to send netlink ack.

If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
to call into skb_clone() as it would access skb shared info data that
can be controlled by the user space mmap buffer. IIRC, we had that in
the past with nlmon where skb_clone() was accidentally used.
* Re: net: GPF in netlink_getsockbyportid

From: Florian Westphal
Date: 2016-01-24 0:11 UTC
To: Daniel Borkmann
Cc: Florian Westphal, Dmitry Vyukov, David S. Miller, Herbert Xu, Thomas Graf, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann, Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, netfilter-devel

Daniel Borkmann <daniel@iogearbox.net> wrote:
> On 01/23/2016 08:25 PM, Florian Westphal wrote:
> >Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> >[ CC nf-devel, not sure if it's nfnetlink fault or NETLINK_MMAP ]
> >
> >>The following program causes GPF in netlink_getsockbyportid:
[..]
> >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> >
> >root cause is in nfnetlink_rcv_batch():
> >
> >296 replay:
> >297         status = 0;
> >298
> >299         skb = netlink_skb_clone(oskb, GFP_KERNEL);
> >
> >The clone op doesn't copy oskb->sk, so we oops in
> >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> >tries to send netlink ack.
>
> If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> to call into skb_clone()

Right, but in this case there is no mmap'd netlink sk involved -- we
crash when we try to look up dst netlink socket to see if there is an
mmap'd ring attached.

[ and that code isn't there with CONFIG_NETLINK_MMAP=n ].
* Re: net: GPF in netlink_getsockbyportid

From: Herbert Xu
Date: 2016-01-25 10:03 UTC
To: Florian Westphal
Cc: Daniel Borkmann, Dmitry Vyukov, David S. Miller, Thomas Graf, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann, Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, netfilter-devel, Pablo Neira Ayuso

On Sun, Jan 24, 2016 at 01:11:03AM +0100, Florian Westphal wrote:
> Daniel Borkmann <daniel@iogearbox.net> wrote:
> > On 01/23/2016 08:25 PM, Florian Westphal wrote:
> > >Dmitry Vyukov <dvyukov@google.com> wrote:
> > >
> > >[ CC nf-devel, not sure if it's nfnetlink fault or NETLINK_MMAP ]
> > >
> > >>The following program causes GPF in netlink_getsockbyportid:
> [..]
> > >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> > >
> > >root cause is in nfnetlink_rcv_batch():
> > >
> > >296 replay:
> > >297         status = 0;
> > >298
> > >299         skb = netlink_skb_clone(oskb, GFP_KERNEL);
> > >
> > >The clone op doesn't copy oskb->sk, so we oops in
> > >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> > >tries to send netlink ack.
> >
> > If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> > to call into skb_clone()
>
> Right, but in this case there is no mmap'd netlink sk involved -- we
> crash when we try to look up dst netlink socket to see if there is an
> mmap'd ring attached.
>
> [ and that code isn't there with CONFIG_NETLINK_MMAP=n ].

Let's CC Pablo since he wrote the code in question.

Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Re: net: GPF in netlink_getsockbyportid

From: Pablo Neira Ayuso
Date: 2016-01-25 10:17 UTC
To: Herbert Xu
Cc: Florian Westphal, Daniel Borkmann, Dmitry Vyukov, David S. Miller, Thomas Graf, Ken-ichirou MATSUZAWA, Eric Dumazet, David Herrmann, Nicolas Dichtel, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, netfilter-devel

On Mon, Jan 25, 2016 at 06:03:41PM +0800, Herbert Xu wrote:
> On Sun, Jan 24, 2016 at 01:11:03AM +0100, Florian Westphal wrote:
> > Daniel Borkmann <daniel@iogearbox.net> wrote:
> > > On 01/23/2016 08:25 PM, Florian Westphal wrote:
> > > >Dmitry Vyukov <dvyukov@google.com> wrote:
> > > >
> > > >[ CC nf-devel, not sure if it's nfnetlink fault or NETLINK_MMAP ]
> > > >
> > > >>The following program causes GPF in netlink_getsockbyportid:
> > [..]
> > > >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> > > >
> > > >root cause is in nfnetlink_rcv_batch():
> > > >
> > > >296 replay:
> > > >297         status = 0;
> > > >298
> > > >299         skb = netlink_skb_clone(oskb, GFP_KERNEL);
> > > >
> > > >The clone op doesn't copy oskb->sk, so we oops in
> > > >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> > > >tries to send netlink ack.
> > >
> > > If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> > > to call into skb_clone()
> >
> > Right, but in this case there is no mmap'd netlink sk involved -- we
> > crash when we try to look up dst netlink socket to see if there is an
> > mmap'd ring attached.
> >
> > [ and that code isn't there with CONFIG_NETLINK_MMAP=n ].
>
> Let's CC Pablo since he wrote the code in question.

I have just sent this patch:

http://patchwork.ozlabs.org/patch/572489/