From: Willem de Bruijn
Date: Wed, 9 May 2018 12:11:25 -0400
Subject: Re: KASAN: use-after-free Read in __dev_queue_xmit
To: Eric Biggers
Cc: Eric Dumazet, Eric Dumazet, syzbot, alexander.deucher@amd.com, Andrey Konovalov, Anoob Soman, chris@chris-wilson.co.uk, David Miller, "Reshetova, Elena", Greg Kroah-Hartman, Kees Cook, LKML, Mike Maloney, mchehab@kernel.org, netdev, "Rosen, Rami", Sowmini Varadhan, syzkaller-bugs@googlegroups.com, Willem de Bruijn
In-Reply-To: <20180509073754.GG711@sol.localdomain>
References: <94eb2c0ce3aa27cfa40561ec2dc3@google.com> <1515048794.131759.4.camel@gmail.com> <20180509073754.GG711@sol.localdomain>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 9, 2018 at 3:37 AM, Eric Biggers wrote:
> On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote:
>> On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote:
>> > Note: all commands must start from beginning of the line in the email body.
>> >
>> > I guess skb_probe_transport_header() should be hardened to reject malicious
>> > packets given by user space, instead of being gentle.
>>
>> Although the bug triggered for this particular repro is in the flow dissector
>> :/
>>
>> I will test :
>> >> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c >> index 15ce300637650e17fcab7e378b20fe7972686d46..544bddf08e13c7f6e47aadc737244c9ba5af56b2 100644 >> --- a/net/core/flow_dissector.c >> +++ b/net/core/flow_dissector.c >> @@ -976,8 +976,8 @@ bool __skb_flow_dissect(const struct sk_buff *skb, >> out_good: >> ret = true; >> >> - key_control->thoff = (u16)nhoff; >> out: >> + key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen); >> key_basic->n_proto = proto; >> key_basic->ip_proto = ip_proto; 
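Review bot: moving the assignment from below `ret = true;` to the shared `out:` label means the good path is now clamped as well as the bad one, with the same `skb ? skb->len : hlen` bound the old `out_bad:` line used, so the two exits finally agree. If `nhoff` can exceed `skb->len` on the `out_good` path, though, that is a dissector bug that would arguably deserve `ret = false` rather than a silent cap; the commit message should state whether the cap is expected to be a no-op there, and callers that index with `thoff` still need their own length check because `thoff == skb->len` now means "no transport bytes", not "transport header at end of packet".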
>> >> @@ -985,7 +985,6 @@ bool __skb_flow_dissect(const struct sk_buff *skb, >> >> out_bad: >> ret = false; >> - key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen); >> goto out; >> } >> EXPORT_SYMBOL(__skb_flow_dissect);
>
> Fix for this was commit d0c081b49137cd:
>
> #syz fix: flow_dissector: properly cap thoff field
>
> But a crash with the same signature is still occurring, so it should eventually
> get reported again. C reproducer is here, it works on Linus' tree (commit
> 036db8bd963): https://syzkaller.appspot.com/text?tag=ReproC&x=105b1ae7800000

This appears to be a separate issue. This reproducer requires a setsockopt
SOL_SOCKET/SO_TIMESTAMPING to trigger the use-after-free. And the freed path
also points at a timestamping skb:

[ 31.963619] Freed by task 2672:
[ 31.964006] __kasan_slab_free+0x125/0x170
[ 31.964509] kfree+0x8b/0x1a0
[ 31.964875] skb_free_head+0x6f/0xa0
[ 31.965314] skb_release_data+0x420/0x5a0
[ 31.965802] skb_release_all+0x46/0x60
[ 31.966260] kfree_skb+0x91/0x1c0
[ 31.966669] __skb_complete_tx_timestamp+0x2e9/0x3d0
[ 31.967273] __skb_tstamp_tx+0x3b3/0x620
[ 31.967774] __dev_queue_xmit+0xed5/0x1a20
[ 31.968300] packet_sendmsg+0x36fd/0x5400
[ 31.968821] sock_sendmsg+0xc0/0x100
[ 31.969284] ___sys_sendmsg+0x367/0x880
[ 31.969777] __sys_sendmmsg+0x178/0x410
[ 31.970267] __x64_sys_sendmmsg+0x99/0x100
[ 31.970789] do_syscall_64+0x9a/0x2c0
[ 31.971260] entry_SYSCALL_64_after_hwframe+0x44/0xa9

The data skb itself is zero bytes, it appears.
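The `thoff` cap in the patch quoted above, modelled in user space as an added example (this is not code from the thread or from the kernel; `flow_keys`, `dissect()`, `tcp_dst_port()`, the helper names and the sample frames are hypothetical and constructed). It walks Ethernet + IPv4 from a caller-supplied buffer the way a packet socket hands user data to the kernel, lets a lying IHL field push the transport offset past the end of the data, and shows the clamp at the common `out:` label catching it, together with the length check a consumer of `thoff` still has to make.

```c
/* Added example (not from this thread or the kernel): a user-space model of
 * the bound the quoted flow_dissector patch applies to key_control->thoff.
 * Names such as flow_keys, dissect() and tcp_dst_port() are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN     14
#define ETH_P_IP     0x0800
#define IPPROTO_TCP  6

struct flow_keys {
    uint16_t thoff;    /* transport header offset, never larger than the buffer */
    uint16_t n_proto;  /* ethertype seen in the frame */
    uint8_t  ip_proto; /* transport protocol, 0 when not reached */
};

static uint16_t min_u16(size_t a, size_t b)
{
    return (uint16_t)(a < b ? a : b);
}

/* Walk Ethernet + IPv4 in a caller-supplied buffer of hlen bytes.
 * Returns true only when the full IPv4 header was inside the buffer.
 * Every exit path goes through "out:", where thoff is clamped exactly as
 * the patch does with min_t(u16, nhoff, skb ? skb->len : hlen). */
bool dissect(const uint8_t *data, size_t hlen, struct flow_keys *keys)
{
    size_t nhoff = 0;
    uint16_t proto = 0;
    uint8_t ip_proto = 0;
    bool ret = false;

    memset(keys, 0, sizeof(*keys));
    if (hlen < ETH_HLEN)
        goto out;
    proto = (uint16_t)((data[12] << 8) | data[13]);
    nhoff = ETH_HLEN;
    if (proto != ETH_P_IP || nhoff + 1 > hlen)
        goto out;
    {
        size_t ihl = (size_t)(data[nhoff] & 0x0f) * 4;
        if (ihl < 20)                 /* IHL below the minimum is malformed */
            goto out;
        if (nhoff + ihl > hlen) {
            /* IHL claims more bytes than we have. Advance nhoff anyway, as a
             * parser that trusted the header would, to show what the cap catches. */
            nhoff += ihl;
            goto out;
        }
        ip_proto = data[nhoff + 9];   /* protocol byte of the IPv4 header */
        nhoff += ihl;
    }
    ret = true;
out:
    keys->thoff = min_u16(nhoff, hlen);
    keys->n_proto = proto;
    keys->ip_proto = ip_proto;
    return ret;
}

/* Consumer side: thoff is a bound, not proof that a transport header is
 * present, so a reader still checks that the bytes it needs exist. */
int tcp_dst_port(const uint8_t *data, size_t hlen, const struct flow_keys *keys)
{
    if (keys->ip_proto != IPPROTO_TCP || (size_t)keys->thoff + 4 > hlen)
        return -1;
    return (data[keys->thoff + 2] << 8) | data[keys->thoff + 3];
}

/* Constructed sample frames (not captured traffic): Ethernet, IPv4 (IHL=5,
 * proto TCP, 10.0.0.1 -> 10.0.0.2), then the first four TCP bytes (80 -> 443). */
const uint8_t frame_ok[38] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x18, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x50,0x01,0xbb,
};
/* Same frame, but the IHL nibble claims a 60-byte header that is not there. */
const uint8_t frame_bad_ihl[38] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
    0x4f,0x00,0x00,0x18, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x50,0x01,0xbb,
};

/* Scalar helpers: the clamped thoff, and the port read guarded by it. */
uint16_t capped_thoff(const uint8_t *data, size_t hlen)
{
    struct flow_keys k;
    dissect(data, hlen, &k);
    return k.thoff;
}

int demo_port(const uint8_t *data, size_t hlen)
{
    struct flow_keys k;
    if (!dissect(data, hlen, &k))
        return -1;
    return tcp_dst_port(data, hlen, &k);
}

int main(void)
{
    printf("full frame:      thoff=%u port=%d\n", capped_thoff(frame_ok, sizeof frame_ok), demo_port(frame_ok, sizeof frame_ok));
    printf("truncated at 20: thoff=%u port=%d\n", capped_thoff(frame_ok, 20), demo_port(frame_ok, 20));
    printf("bogus IHL:       thoff=%u port=%d\n", capped_thoff(frame_bad_ihl, sizeof frame_bad_ihl), demo_port(frame_bad_ihl, sizeof frame_bad_ihl));
    printf("zero bytes:      thoff=%u port=%d\n", capped_thoff(frame_ok, 0), demo_port(frame_ok, 0));
    return 0;
}
```

On the full frame the clamp is a no-op (thoff 34, port 443). On the truncated copy and on the frame with a bogus IHL the parser's own offset runs to 34 and 74 respectively, and the cap pulls thoff back to the buffer length (20 and 38), so `tcp_dst_port()` refuses rather than reading past the end; a zero-length buffer, like the zero-byte data skb mentioned in the reply, yields thoff 0 through the same path. The point the example makes is the one the patch makes: the cap keeps `thoff` inside the data, but it does not by itself say a transport header exists, so code that indexes with it keeps its own length check.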