public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	Zhengchao Shao <shaozhengchao@huawei.com>,
	Eric Dumazet <edumazet@google.com>,
	Hangbin Liu <liuhangbin@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 46/71] ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
Date: Tue,  5 Dec 2023 12:16:44 +0900
Message-ID: <20231205031520.522974499@linuxfoundation.org>
In-Reply-To: <20231205031517.859409664@linuxfoundation.org>

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchao Shao <shaozhengchao@huawei.com>

[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]

When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
    do
        ifconfig br0 up
        ifconfig br0 down
    done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"

The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
	refcount_t: addition on 0; use-after-free.
	WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
	CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
	Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
	RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
	RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
	RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
	RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
	R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
	R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
	FS:  0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
	Call Trace:
	<TASK>
	igmp_heard_query (net/ipv4/igmp.c:1068)
	igmp_rcv (net/ipv4/igmp.c:1132)
	ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
	ip_local_deliver_finish (net/ipv4/ip_input.c:234)
	__netif_receive_skb_one_core (net/core/dev.c:5529)
	netif_receive_skb_internal (net/core/dev.c:5729)
	netif_receive_skb (net/core/dev.c:5788)
	br_handle_frame_finish (net/bridge/br_input.c:216)
	nf_hook_bridge_pre (net/bridge/br_input.c:294)
	__netif_receive_skb_core (net/core/dev.c:5423)
	__netif_receive_skb_list_core (net/core/dev.c:5606)
	__netif_receive_skb_list (net/core/dev.c:5674)
	netif_receive_skb_list_internal (net/core/dev.c:5764)
	napi_gro_receive (net/core/gro.c:609)
	e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
	e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
	__napi_poll (net/core/dev.c:6533)
	net_rx_action (net/core/dev.c:6735)
	__do_softirq (kernel/softirq.c:554)
	run_ksoftirqd (kernel/softirq.c:913)
	smpboot_thread_fn (kernel/smpboot.c:164)
	kthread (kernel/kthread.c:388)
	ret_from_fork (arch/x86/kernel/process.c:153)
	ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
	</TASK>

The root causes are as follows:
Thread A					Thread B
...						netif_receive_skb
br_dev_stop					...
    br_multicast_leave_snoopers			...
        __ip_mc_dec_group			...
            __igmp_group_dropped		igmp_rcv
                igmp_stop_timer			    igmp_heard_query         //ref = 1
                ip_ma_put			        igmp_mod_timer
                    refcount_dec_and_test	            igmp_start_timer //ref = 0
			...                                     refcount_inc //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device is
down and has left the multicast group, it will cause the mc list refcount
uaf issue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/igmp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 7d82818b711ea..5edf426fa4143 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -221,8 +221,10 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
 	int tv = prandom_u32() % max_delay;
 
 	im->tm_running = 1;
-	if (!mod_timer(&im->timer, jiffies+tv+2))
-		refcount_inc(&im->refcnt);
+	if (refcount_inc_not_zero(&im->refcnt)) {
+		if (mod_timer(&im->timer, jiffies + tv + 2))
+			ip_ma_put(im);
+	}
 }
 
 static void igmp_gq_start_timer(struct in_device *in_dev)
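Review bot: the failure branch of `if (refcount_inc_not_zero(&im->refcnt))` is silent, yet `im->tm_running = 1;` two lines above has already been set, so an entry whose refcount has reached zero is left flagged as having a running timer while no timer was armed. Consider moving `im->tm_running = 1;` inside the success branch, or adding a comment stating that the stale flag is harmless on an entry that is being torn down. The `ip_ma_put(im)` on the pending path is consistent with the old code: a timer that was already pending holds its own reference (the pre-patch code only took one when `mod_timer()` reported the timer was not pending), so the reference taken here is returned and the count cannot drop to zero while the timer's reference is outstanding.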
-- 
2.42.0
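To make the race in the commit message and the effect of the fix concrete, here is an added userland model; it is not kernel code and not part of the patch. The struct and function names (`mc_entry`, `start_timer_old`, `start_timer_new`, `mc_put`, `mod_timer_model`) are hypothetical stand-ins for `struct ip_mc_list`, `igmp_start_timer()`, `ip_ma_put()` and `mod_timer()`, and the refcount helpers only record an increment from zero instead of issuing the kernel's `refcount_warn_saturate()` warning. The interleaving is replayed single-threaded in the exact order shown in the thread A / thread B diagram, so the result is deterministic.

```c
/* Added example (not kernel code): a userland model of the refcount race
 * from the commit message and of the refcount_inc_not_zero() pattern the
 * patch adopts. All names are hypothetical stand-ins for the kernel's
 * struct ip_mc_list, igmp_start_timer(), ip_ma_put() and mod_timer(). */
#include <stdio.h>
#include <stdbool.h>

struct mc_entry {
    int refcnt;          /* models refcount_t */
    bool timer_pending;  /* models the kernel timer's pending state */
    bool freed;          /* set when the last reference is dropped */
};

/* Models refcount_t's saturation check: an increment from 0 is the
 * "refcount_t: addition on 0; use-after-free" condition. We count it. */
static int inc_on_zero_events;

static void refcount_inc_model(struct mc_entry *e)
{
    if (e->refcnt == 0)
        inc_on_zero_events++;
    e->refcnt++;
}

/* refcount_inc_not_zero(): refuse to take a reference on a dying object. */
static bool refcount_inc_not_zero_model(struct mc_entry *e)
{
    if (e->refcnt == 0)
        return false;
    e->refcnt++;
    return true;
}

/* ip_ma_put() model: drop one reference, "free" when it reaches zero. */
static void mc_put(struct mc_entry *e)
{
    if (--e->refcnt == 0)
        e->freed = true;
}

/* mod_timer() model: returns true when the timer was already pending. */
static bool mod_timer_model(struct mc_entry *e)
{
    bool was_pending = e->timer_pending;
    e->timer_pending = true;
    return was_pending;
}

/* Pre-patch logic: arm the timer first, then take a reference only if
 * the timer was not already pending. On a freed entry this increments 0. */
static void start_timer_old(struct mc_entry *e)
{
    if (!mod_timer_model(e))
        refcount_inc_model(e);
}

/* Patched logic: take the reference first, and only if the entry is still
 * alive. If the timer was already pending it already holds a reference,
 * so the extra one is returned with mc_put(). */
static void start_timer_new(struct mc_entry *e)
{
    if (refcount_inc_not_zero_model(e)) {
        if (mod_timer_model(e))
            mc_put(e);
    }
}

/* Thread A from the commit message: __igmp_group_dropped() stops the timer
 * and drops the group's last reference (refcnt 1 -> 0). */
static void drop_group(struct mc_entry *e)
{
    e->timer_pending = false;   /* igmp_stop_timer() */
    mc_put(e);                  /* ip_ma_put() */
}

/* Replay the interleaving with one start_timer variant. Returns the number
 * of inc-on-zero events observed; 0 means the race is closed. */
static int replay(void (*start_timer)(struct mc_entry *))
{
    struct mc_entry e = { .refcnt = 1, .timer_pending = false, .freed = false };
    inc_on_zero_events = 0;
    drop_group(&e);      /* thread A: br_dev_stop -> __igmp_group_dropped */
    start_timer(&e);     /* thread B: igmp_heard_query -> igmp_start_timer */
    return inc_on_zero_events;
}

/* Live entry whose timer is already pending: re-arming must leave the
 * count unchanged, because the pending timer already owns a reference. */
static int refcnt_after_rearm(void (*start_timer)(struct mc_entry *))
{
    struct mc_entry e = { .refcnt = 2, .timer_pending = true, .freed = false };
    start_timer(&e);
    return e.refcnt;
}

int main(void)
{
    printf("old path: inc-on-zero events = %d\n", replay(start_timer_old));
    printf("new path: inc-on-zero events = %d\n", replay(start_timer_new));
    printf("refcnt after re-arm, old/new = %d/%d\n",
           refcnt_after_rearm(start_timer_old),
           refcnt_after_rearm(start_timer_new));
    return 0;
}
```

The first replay reproduces the warning condition with the pre-patch ordering and shows the patched ordering declining to touch a dead entry; the second check confirms that the new `ip_ma_put()` on the already-pending path keeps the reference count balanced, which is the property a reviewer would want verified before accepting the reordering.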
