2021-03-30 10:14:11

by Hao Sun

[permalink] [raw]

Subject: BUG: use-after-free in macvlan_broadcast

---

Hi

When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
the Linux kernel, I found a use-after-free vulnerability in
macvlan_broadcast.
Hope the report can help you locate the problem.

Details:
commit: 5695e5161 Linux 5.11
git tree: upstream
kernel config and reproducing program can be found in the attachment.
report:
==================================================================
BUG: KASAN: use-after-free in macvlan_broadcast+0x595/0x6e0
Read of size 4 at addr ffff88806ae70801 by task syz-executor392/8448

CPU: 0 PID: 8448 Comm: syz-executor392 Not tainted 5.4.0 #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
dump_stack+0xf3/0x16a
print_address_description.constprop.0.cold+0xd3/0x372
__kasan_report.cold+0x75/0x9b
kasan_report+0x12/0x20
macvlan_broadcast+0x595/0x6e0
macvlan_start_xmit+0x40e/0x630
dev_direct_xmit+0x3f6/0x5f0
packet_sendmsg+0x233b/0x5a60
sock_sendmsg+0xd7/0x130
__sys_sendto+0x21e/0x330
__x64_sys_sendto+0xe1/0x1b0
do_syscall_64+0xbf/0x640
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x453d6d
Code: c3 e8 77 2c 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff89ba8378 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000453d6d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000040 R08: 0000000020000280 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007fff89ba83e8 R14: 00007fff89ba83f0 R15: 0000000000000000

Allocated by task 8448:
save_stack+0x1b/0x80
__kasan_kmalloc.constprop.0+0xc2/0xd0
__kmalloc_node_track_caller+0x116/0x410
__kmalloc_reserve.isra.0+0x35/0xd0
__alloc_skb+0xf3/0x5c0
rtmsg_fib+0x16f/0x11a0
fib_table_insert+0x66e/0x1560
fib_magic+0x406/0x570
fib_add_ifaddr+0x39a/0x520
fib_netdev_event+0x3d0/0x560
notifier_call_chain+0xc0/0x230
__dev_notify_flags+0x125/0x2d0
dev_change_flags+0x104/0x160
do_setlink+0x999/0x32a0
__rtnl_newlink+0xac8/0x14c0
rtnl_newlink+0x68/0xa0
rtnetlink_rcv_msg+0x4a4/0xb70
netlink_rcv_skb+0x15e/0x410
netlink_unicast+0x4d4/0x690
netlink_sendmsg+0x8ae/0xd00
sock_sendmsg+0xd7/0x130
__sys_sendto+0x21e/0x330
__x64_sys_sendto+0xe1/0x1b0
do_syscall_64+0xbf/0x640
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8448:
save_stack+0x1b/0x80
__kasan_slab_free+0x126/0x170
kfree+0xfa/0x460
skb_free_head+0x8b/0xa0
pskb_expand_head+0x2bd/0xe80
netlink_trim+0x203/0x260
netlink_broadcast_filtered+0x61/0xbd0
nlmsg_notify+0x15b/0x1a0
rtmsg_fib+0x2eb/0x11a0
fib_table_insert+0x66e/0x1560
fib_magic+0x406/0x570
fib_add_ifaddr+0x39a/0x520
fib_netdev_event+0x3d0/0x560
notifier_call_chain+0xc0/0x230
__dev_notify_flags+0x125/0x2d0
dev_change_flags+0x104/0x160
do_setlink+0x999/0x32a0
__rtnl_newlink+0xac8/0x14c0
rtnl_newlink+0x68/0xa0
rtnetlink_rcv_msg+0x4a4/0xb70
netlink_rcv_skb+0x15e/0x410
netlink_unicast+0x4d4/0x690
netlink_sendmsg+0x8ae/0xd00
sock_sendmsg+0xd7/0x130
__sys_sendto+0x21e/0x330
__x64_sys_sendto+0xe1/0x1b0
do_syscall_64+0xbf/0x640
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88806ae70800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1 bytes inside of
1024-byte region [ffff88806ae70800, ffff88806ae70c00)
The buggy address belongs to the page:
page:ffffea0001ab9c00 refcount:1 mapcount:0 mapping:ffff88806b802280
index:0x0 compound_mapcount: 0
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88806b802280
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88806ae70700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806ae70780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806ae70800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88806ae70880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806ae70900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

---

Attachments:

config (216.22 kB)
repro.cprog (44.88 kB)
Download all attachments

2021-03-30 21:32:18

by Eric Dumazet

[permalink] [raw]

Subject: Re: BUG: use-after-free in macvlan_broadcast

---

On 3/30/21 12:11 PM, Hao Sun wrote:
> Hi
>
> When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> the Linux kernel, I found a use-after-free vulnerability in
> macvlan_broadcast.
> Hope the report can help you locate the problem.
>
> Details:
> commit: 5695e5161 Linux 5.11
> git tree: upstream
> kernel config and reproducing program can be found in the attachment.
> report:
> ==================================================================
> BUG: KASAN: use-after-free in macvlan_broadcast+0x595/0x6e0
> Read of size 4 at addr ffff88806ae70801 by task syz-executor392/8448
>
> CPU: 0 PID: 8448 Comm: syz-executor392 Not tainted 5.4.0 #14

Why is 5.4.0 printed if your tree is linux-5.11 ?


You describe something that has been fixed already in linux-5.5


> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> dump_stack+0xf3/0x16a
> print_address_description.constprop.0.cold+0xd3/0x372
> __kasan_report.cold+0x75/0x9b
> kasan_report+0x12/0x20
> macvlan_broadcast+0x595/0x6e0
> macvlan_start_xmit+0x40e/0x630
> dev_direct_xmit+0x3f6/0x5f0
> packet_sendmsg+0x233b/0x5a60
> sock_sendmsg+0xd7/0x130
> __sys_sendto+0x21e/0x330
> __x64_sys_sendto+0xe1/0x1b0
> do_syscall_64+0xbf/0x640
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x453d6d
> Code: c3 e8 77 2c 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fff89ba8378 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000453d6d
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
> RBP: 0000000000000040 R08: 0000000020000280 R09: 0000000000000014
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
> R13: 00007fff89ba83e8 R14: 00007fff89ba83f0 R15: 0000000000000000
>
> Allocated by task 8448:
> save_stack+0x1b/0x80
> __kasan_kmalloc.constprop.0+0xc2/0xd0
> __kmalloc_node_track_caller+0x116/0x410
> __kmalloc_reserve.isra.0+0x35/0xd0
> __alloc_skb+0xf3/0x5c0
> rtmsg_fib+0x16f/0x11a0
> fib_table_insert+0x66e/0x1560
> fib_magic+0x406/0x570
> fib_add_ifaddr+0x39a/0x520
> fib_netdev_event+0x3d0/0x560
> notifier_call_chain+0xc0/0x230
> __dev_notify_flags+0x125/0x2d0
> dev_change_flags+0x104/0x160
> do_setlink+0x999/0x32a0
> __rtnl_newlink+0xac8/0x14c0
> rtnl_newlink+0x68/0xa0
> rtnetlink_rcv_msg+0x4a4/0xb70
> netlink_rcv_skb+0x15e/0x410
> netlink_unicast+0x4d4/0x690
> netlink_sendmsg+0x8ae/0xd00
> sock_sendmsg+0xd7/0x130
> __sys_sendto+0x21e/0x330
> __x64_sys_sendto+0xe1/0x1b0
> do_syscall_64+0xbf/0x640
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 8448:
> save_stack+0x1b/0x80
> __kasan_slab_free+0x126/0x170
> kfree+0xfa/0x460
> skb_free_head+0x8b/0xa0
> pskb_expand_head+0x2bd/0xe80
> netlink_trim+0x203/0x260
> netlink_broadcast_filtered+0x61/0xbd0
> nlmsg_notify+0x15b/0x1a0
> rtmsg_fib+0x2eb/0x11a0
> fib_table_insert+0x66e/0x1560
> fib_magic+0x406/0x570
> fib_add_ifaddr+0x39a/0x520
> fib_netdev_event+0x3d0/0x560
> notifier_call_chain+0xc0/0x230
> __dev_notify_flags+0x125/0x2d0
> dev_change_flags+0x104/0x160
> do_setlink+0x999/0x32a0
> __rtnl_newlink+0xac8/0x14c0
> rtnl_newlink+0x68/0xa0
> rtnetlink_rcv_msg+0x4a4/0xb70
> netlink_rcv_skb+0x15e/0x410
> netlink_unicast+0x4d4/0x690
> netlink_sendmsg+0x8ae/0xd00
> sock_sendmsg+0xd7/0x130
> __sys_sendto+0x21e/0x330
> __x64_sys_sendto+0xe1/0x1b0
> do_syscall_64+0xbf/0x640
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at ffff88806ae70800
> which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 1 bytes inside of
> 1024-byte region [ffff88806ae70800, ffff88806ae70c00)
> The buggy address belongs to the page:
> page:ffffea0001ab9c00 refcount:1 mapcount:0 mapping:ffff88806b802280
> index:0x0 compound_mapcount: 0
> raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88806b802280
> raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88806ae70700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88806ae70780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff88806ae70800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88806ae70880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88806ae70900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>