From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com,
Alexey Kodanev <alexey.kodanev@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 10/24] dccp: dont free ccid2_hc_tx_sock struct in dccp_disconnect()
Date: Tue, 12 Jun 2018 18:51:54 +0200 [thread overview]
Message-ID: <20180612164817.081920047@linuxfoundation.org> (raw)
In-Reply-To: <20180612164816.587001852@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
[ Upstream commit 2677d20677314101293e6da0094ede7b5526d2b1 ]
Syzbot reported the use-after-free in timer_is_static_object() [1].
This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
called after that.
The report [1] is similar to the one in commit 120e9dabaf55 ("dccp:
defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same,
delay freeing ccid2_hc_tx_sock structure, so that it is freed in
dccp_sk_destruct().
[1]
==================================================================
BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
kernel/time/timer.c:607
Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299
CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
debug_timer_activate kernel/time/timer.c:709 [inline]
debug_activate kernel/time/timer.c:764 [inline]
__mod_timer kernel/time/timer.c:1041 [inline]
mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
sk_reset_timer+0x22/0x60 net/core/sock.c:2742
ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x79e/0xc50 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1d1/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:525 [inline]
smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
</IRQ>
...
Allocated by task 25374:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
__dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
process_backlog+0x219/0x760 net/core/dev.c:5337
napi_poll net/core/dev.c:5735 [inline]
net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
Freed by task 25374:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
sock_release+0x96/0x1b0 net/socket.c:594
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801bebb4cc0
which belongs to the cache ccid2_hc_tx_sock of size 1240
The buggy address is located 1112 bytes inside of
1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198)
The buggy address belongs to the page:
page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0
index:0xffff8801bebb5240 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003
raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000
page dumped because: kasan: bad access detected
...
==================================================================
Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/proto.c | 2 --
1 file changed, 2 deletions(-)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -280,9 +280,7 @@ int dccp_disconnect(struct sock *sk, int
dccp_clear_xmit_timers(sk);
ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
- ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
dp->dccps_hc_rx_ccid = NULL;
- dp->dccps_hc_tx_ccid = NULL;
__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
next prev parent reply other threads:[~2018-06-12 16:51 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-12 16:51 [PATCH 4.4 00/24] 4.4.137-stable review Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 01/24] tpm: do not suspend/resume if power stays on Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 02/24] tpm: self test failure should not cause suspend to fail Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 03/24] mmap: introduce sane default mmap limits Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 04/24] mmap: relax file size limit for regular files Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 06/24] xfs: fix incorrect log_flushed on fsync Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 07/24] drm: set FMODE_UNSIGNED_OFFSET for drm files Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 08/24] brcmfmac: Fix check for ISO3166 code Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 09/24] bnx2x: use the right constant Greg Kroah-Hartman
2018-06-12 16:51 ` Greg Kroah-Hartman [this message]
2018-06-12 16:51 ` [PATCH 4.4 11/24] enic: set DMA mask to 47 bit Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 12/24] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 13/24] ipv4: remove warning in ip_recv_error Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 14/24] isdn: eicon: fix a missing-check bug Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 4.4 15/24] netdev-FAQ: clarify DaveMs position for stable backports Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 16/24] net/packet: refine check for priv area size Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 18/24] packet: fix reserve calculation Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 19/24] qed: Fix mask for physical address in ILT entry Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 20/24] net/mlx4: Fix irq-unsafe spinlock usage Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 21/24] team: use netdev_features_t instead of u32 Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 22/24] rtnetlink: validate attributes in do_setlink() Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 23/24] net: phy: broadcom: Fix bcm_write_exp() Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 4.4 24/24] net: metrics: add proper netlink validation Greg Kroah-Hartman
2018-06-19 13:15 ` Ben Hutchings
2018-06-12 18:17 ` [PATCH 4.4 00/24] 4.4.137-stable review Nathan Chancellor
2018-06-12 18:49 ` Greg Kroah-Hartman
2018-06-12 20:59 ` Shuah Khan
2018-06-13 13:48 ` Guenter Roeck
2018-06-13 20:47 ` Rafael Tinoco
2018-06-13 21:00 ` Greg Kroah-Hartman
2018-06-13 21:08 ` Rafael David Tinoco
2018-06-14 1:48 ` Rafael Tinoco
2018-06-14 6:34 ` Greg Kroah-Hartman
2018-06-14 8:54 ` Naresh Kamboju
2018-06-14 9:01 ` Greg Kroah-Hartman
2018-06-14 9:49 ` [LTP] " Jan Stancek
2018-06-14 10:21 ` Greg Kroah-Hartman
2018-06-14 10:36 ` Jan Stancek
2018-06-14 10:54 ` Rafael Tinoco
2018-06-14 11:36 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180612164817.081920047@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexey.kodanev@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).