From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Taehee Yoo, "David S. Miller", Sasha Levin
Subject: [PATCH 4.19 156/271] gtp: fix use-after-free in gtp_encap_destroy()
Date: Wed, 24 Jul 2019 21:20:25 +0200
Message-Id: <20190724191708.570416436@linuxfoundation.org>
In-Reply-To: <20190724191655.268628197@linuxfoundation.org>
References: <20190724191655.268628197@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 1788b8569f5de27da09087fa3f6580d2aa04cc75 ]

gtp_encap_destroy() is called twice.
1. When the interface is deleted.
2. When the UDP socket is destroyed.

Either gtp->sk0 or gtp->sk1u could be freed by sock_put() in
gtp_encap_destroy(). So, when gtp_encap_destroy() is called again,
it would use a freed sk pointer.

This patch makes gtp_encap_destroy() set either gtp->sk0 or gtp->sk1u to
NULL. In addition, both the gtp->sk0 and gtp->sk1u pointers are protected
by rtnl_lock, so rtnl_lock() is added.

Test command:
    gtp-link add gtp1 &
    killall gtp-link
    ip link del gtp1

Splat looks like:
[ 83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
[ 83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
[ 83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
[ 83.188469] Call Trace:
[ ... ]
[ 83.200126] lock_acquire+0x141/0x380
[ 83.200575] ? lock_sock_nested+0x3a/0xf0
[ 83.201069] _raw_spin_lock_bh+0x38/0x70
[ 83.201551] ? lock_sock_nested+0x3a/0xf0
[ 83.202044] lock_sock_nested+0x3a/0xf0
[ 83.202520] gtp_encap_destroy+0x18/0xe0 [gtp]
[ 83.203065] gtp_encap_disable.isra.14+0x13/0x50 [gtp]
[ 83.203687] gtp_dellink+0x56/0x170 [gtp]
[ 83.204190] rtnl_delete_link+0xb4/0x100
[ ...
]
[ 83.236513] Allocated by task 976:
[ 83.236925] save_stack+0x19/0x80
[ 83.237332] __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 83.237894] kmem_cache_alloc+0xd8/0x280
[ 83.238360] sk_prot_alloc.isra.42+0x50/0x200
[ 83.238874] sk_alloc+0x32/0x940
[ 83.239264] inet_create+0x283/0xc20
[ 83.239684] __sock_create+0x2dd/0x540
[ 83.240136] __sys_socket+0xca/0x1a0
[ 83.240550] __x64_sys_socket+0x6f/0xb0
[ 83.240998] do_syscall_64+0x9c/0x450
[ 83.241466] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.242061]
[ 83.242249] Freed by task 0:
[ 83.242616] save_stack+0x19/0x80
[ 83.243013] __kasan_slab_free+0x111/0x150
[ 83.243498] kmem_cache_free+0x89/0x250
[ 83.244444] __sk_destruct+0x38f/0x5a0
[ 83.245366] rcu_core+0x7e9/0x1c20
[ 83.245766] __do_softirq+0x213/0x8fa

Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Taehee Yoo
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 drivers/net/gtp.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 6f1ad7ccaea6..61e9b288d2dc 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -289,13 +289,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) return gtp_rx(pctx, skb, hdrlen, gtp->role); } -static void gtp_encap_destroy(struct sock *sk) +static void __gtp_encap_destroy(struct sock *sk) { struct gtp_dev *gtp; lock_sock(sk); gtp = sk->sk_user_data; if (gtp) { + if (gtp->sk0 == sk) + gtp->sk0 = NULL; + else + gtp->sk1u = NULL; udp_sk(sk)->encap_type = 0; rcu_assign_sk_user_data(sk, NULL); sock_put(sk); @@ -303,12 +307,19 @@ static void gtp_encap_destroy(struct sock *sk) release_sock(sk); } +static void gtp_encap_destroy(struct sock *sk) +{ + rtnl_lock(); + __gtp_encap_destroy(sk); + rtnl_unlock(); +} + static void gtp_encap_disable_sock(struct sock *sk) { if (!sk) return; - gtp_encap_destroy(sk); + __gtp_encap_destroy(sk); } static void gtp_encap_disable(struct gtp_dev *gtp) 
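Review bot: in the first hunk (@@ -289,13 +289,17 @@), the new "else" branch of __gtp_encap_destroy() sets gtp->sk1u = NULL whenever sk is not gtp->sk0, which silently assumes sk is one of the two encap sockets; "else if (gtp->sk1u == sk)" (with a WARN_ON_ONCE on the fall-through if you want it loud) would make the invariant explicit and guarantee the wrong pointer is never cleared if sk_user_data and the device ever disagree. Since the "__" prefix now means the caller holds rtnl (the commit message says sk0/sk1u are rtnl-protected), an ASSERT_RTNL() at the top of __gtp_encap_destroy() would document and enforce that for the gtp_encap_disable_sock() callers.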
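Review bot: in the second hunk (@@ -303,12 +307,19 @@), the socket-side entry point gtp_encap_destroy() now takes rtnl_lock() before __gtp_encap_destroy() takes lock_sock(), and the link-delete side (rtnl already held in gtp_dellink, per the splat) reaches __gtp_encap_destroy() through gtp_encap_disable_sock(), so both paths acquire rtnl outer and the socket lock inner and the ordering is consistent. What still needs confirming is that the UDP-destroy callback is never invoked with the socket lock already held or from a context that cannot sleep, because rtnl_lock() is a mutex. A one-line comment above gtp_encap_destroy() saying it is the socket-destroy entry point and that __gtp_encap_destroy() requires rtnl would save the next reader from reconstructing this.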
@@ -1047,6 +1058,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) return -EINVAL; } + rtnl_lock(); rcu_read_lock(); gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); @@ -1071,6 +1083,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) out_unlock: rcu_read_unlock(); + rtnl_unlock(); return err; } -- 2.20.1
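Review bot: in the gtp_genl_new_pdp() hunks (@@ -1047,6 +1058,7 @@ and @@ -1071,6 +1083,7 @@), rtnl_lock() is taken before rcu_read_lock() and released only at out_unlock after rcu_read_unlock(), so every error path between the two must "goto out_unlock" rather than "return err" directly, otherwise rtnl leaks; only the entry and exit are visible here, so please confirm no intermediate return remains (the "return -EINVAL;" immediately above the new rtnl_lock() is fine, it precedes the lock). Taking rtnl in a genetlink handler also serialises PDP creation with every rtnetlink operation; that is acceptable for correctness, but a short comment that rtnl is what protects the gtp->sk0/gtp->sk1u reads (as the commit message states) would explain to future readers why a non-rtnetlink handler takes it.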
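To make the sequence in the commit message concrete, the following is an added user-space model of the two teardown paths; it is not code from this patch, from drivers/net/gtp.c or from the kernel. The struct and function names (sock, gtp_dev, sock_put, encap_destroy_buggy, encap_destroy_fixed, disable_sock, run_scenario) and the refcount-plus-freed-flag bookkeeping are assumptions made for the illustration, and the driver's locking (lock_sock, rtnl) is deliberately left out. The "buggy" function leaves gtp->sk0/sk1u dangling as the old gtp_encap_destroy() did; the "fixed" one clears the matching device pointer before dropping the reference, as the patch does, so the NULL check in the second path is what stops the released socket from being touched again.

```c
/* Added example, not part of the patch or of drivers/net/gtp.c: a user-space
 * model of the double teardown the commit message describes. All names and
 * the refcount/freed-flag bookkeeping are constructed for illustration; the
 * real driver's locking (lock_sock, rtnl) is intentionally left out. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct gtp_dev;

struct sock {
    int refcnt;                   /* models sk->sk_refcnt */
    struct gtp_dev *sk_user_data; /* back-pointer from encap socket to device */
    bool freed;                   /* set once the last reference is dropped */
};

struct gtp_dev {
    struct sock *sk0;             /* GTPv0 encap socket, or NULL */
    struct sock *sk1u;            /* GTPv1-U encap socket, or NULL */
};

/* Drops one reference; the kernel would free sk here, the model only marks it. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;
}

/* "Before": releases the device's reference but leaves gtp->sk0/sk1u dangling. */
static void encap_destroy_buggy(struct sock *sk)
{
    struct gtp_dev *gtp = sk->sk_user_data;

    if (gtp) {
        sk->sk_user_data = NULL;
        sock_put(sk);
    }
}

/* "After": clears whichever device pointer refers to sk before dropping the
 * reference, so the other teardown path sees NULL and skips this socket. */
static void encap_destroy_fixed(struct sock *sk)
{
    struct gtp_dev *gtp = sk->sk_user_data;

    if (gtp) {
        if (gtp->sk0 == sk)
            gtp->sk0 = NULL;
        else if (gtp->sk1u == sk)
            gtp->sk1u = NULL;
        sk->sk_user_data = NULL;
        sock_put(sk);
    }
}

/* Models gtp_encap_disable_sock(): returns true if it would have touched a
 * socket whose last reference is already gone (a use-after-free in the kernel). */
static bool disable_sock(struct sock *sk, void (*destroy)(struct sock *))
{
    if (!sk)
        return false;             /* pointer already cleared: nothing to do */
    if (sk->freed)
        return true;              /* dangling pointer: this is the bug */
    destroy(sk);
    return false;
}

/* Replays the commit message's test: the UDP socket is closed first (the
 * encap_destroy callback runs), then the link is deleted (gtp_encap_disable
 * walks sk0 and sk1u). Returns true if the link-delete path hit freed memory. */
static bool run_scenario(void (*destroy)(struct sock *))
{
    struct sock *sk = calloc(1, sizeof(*sk));
    struct gtp_dev gtp = { .sk0 = sk, .sk1u = NULL };
    bool uaf;

    if (!sk)
        abort();
    sk->refcnt = 1;               /* the reference gtp_encap_enable() took */
    sk->sk_user_data = &gtp;

    destroy(sk);                  /* 1. socket destroyed: encap_destroy callback */
    uaf = disable_sock(gtp.sk0, destroy);   /* 2. ip link del: encap_disable */
    uaf |= disable_sock(gtp.sk1u, destroy);

    free(sk);                     /* model-only cleanup of the calloc'd object */
    return uaf;
}

int main(void)
{
    printf("old gtp_encap_destroy: use-after-free = %s\n",
           run_scenario(encap_destroy_buggy) ? "yes" : "no");
    printf("patched:               use-after-free = %s\n",
           run_scenario(encap_destroy_fixed) ? "yes" : "no");
    return 0;
}
```

The model reports a use-after-free for the old behaviour and none for the patched one. Note that clearing the pointer is only sufficient because the two paths are serialised; in the driver that is what the added rtnl_lock() provides, which the model does not reproduce.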