From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Taehee Yoo, "David S. Miller", Sasha Levin
Subject: [PATCH 4.14 103/293] gtp: fix use-after-free in gtp_encap_destroy()
Date: Mon, 29 Jul 2019 21:19:54 +0200
Message-Id: <20190729190832.541477515@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190729190820.321094988@linuxfoundation.org>
References: <20190729190820.321094988@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 1788b8569f5de27da09087fa3f6580d2aa04cc75 ]

gtp_encap_destroy() is called twice.
1. When the interface is deleted.
2. When the udp socket is destroyed.

Either gtp->sk0 or gtp->sk1u could be freed by sock_put() in
gtp_encap_destroy(). So, when gtp_encap_destroy() is called again, it
would use a freed sk pointer.

This patch makes gtp_encap_destroy() set either gtp->sk0 or gtp->sk1u to
NULL. In addition, both the gtp->sk0 and gtp->sk1u pointers are protected
by rtnl_lock. So, rtnl_lock() is added.

Test command:
    gtp-link add gtp1 &
    killall gtp-link
    ip link del gtp1

Splat looks like:
[ 83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
[ 83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
[ 83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
[ 83.188469] Call Trace:
[ ... ]
[ 83.200126] lock_acquire+0x141/0x380
[ 83.200575] ? lock_sock_nested+0x3a/0xf0
[ 83.201069] _raw_spin_lock_bh+0x38/0x70
[ 83.201551] ? lock_sock_nested+0x3a/0xf0
[ 83.202044] lock_sock_nested+0x3a/0xf0
[ 83.202520] gtp_encap_destroy+0x18/0xe0 [gtp]
[ 83.203065] gtp_encap_disable.isra.14+0x13/0x50 [gtp]
[ 83.203687] gtp_dellink+0x56/0x170 [gtp]
[ 83.204190] rtnl_delete_link+0xb4/0x100
[ ... ]
[ 83.236513] Allocated by task 976:
[ 83.236925] save_stack+0x19/0x80
[ 83.237332] __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 83.237894] kmem_cache_alloc+0xd8/0x280
[ 83.238360] sk_prot_alloc.isra.42+0x50/0x200
[ 83.238874] sk_alloc+0x32/0x940
[ 83.239264] inet_create+0x283/0xc20
[ 83.239684] __sock_create+0x2dd/0x540
[ 83.240136] __sys_socket+0xca/0x1a0
[ 83.240550] __x64_sys_socket+0x6f/0xb0
[ 83.240998] do_syscall_64+0x9c/0x450
[ 83.241466] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.242061]
[ 83.242249] Freed by task 0:
[ 83.242616] save_stack+0x19/0x80
[ 83.243013] __kasan_slab_free+0x111/0x150
[ 83.243498] kmem_cache_free+0x89/0x250
[ 83.244444] __sk_destruct+0x38f/0x5a0
[ 83.245366] rcu_core+0x7e9/0x1c20
[ 83.245766] __do_softirq+0x213/0x8fa

Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Taehee Yoo
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 drivers/net/gtp.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index c751f87c935e..53fd66534e3a 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -289,13 +289,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) return gtp_rx(pctx, skb, hdrlen, gtp->role); } -static void gtp_encap_destroy(struct sock *sk) +static void __gtp_encap_destroy(struct sock *sk) { struct gtp_dev *gtp; lock_sock(sk); gtp = sk->sk_user_data; if (gtp) { + if (gtp->sk0 == sk) + gtp->sk0 = NULL; + else + gtp->sk1u = NULL; udp_sk(sk)->encap_type = 0; rcu_assign_sk_user_data(sk, NULL); sock_put(sk); @@ -303,12 +307,19 @@ static void gtp_encap_destroy(struct sock *sk) release_sock(sk); } +static void gtp_encap_destroy(struct sock *sk) +{ + rtnl_lock(); + __gtp_encap_destroy(sk); + rtnl_unlock(); +} + static void gtp_encap_disable_sock(struct sock *sk) { if (!sk) return; - gtp_encap_destroy(sk); + __gtp_encap_destroy(sk); } static void gtp_encap_disable(struct gtp_dev *gtp)
@@ -1045,6 +1056,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) return -EINVAL; } + rtnl_lock(); rcu_read_lock(); gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); @@ -1069,6 +1081,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) out_unlock: rcu_read_unlock(); + rtnl_unlock(); return err; } -- 2.20.1
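Review bot: in the first hunk (@@ -289, __gtp_encap_destroy()) the new `else` branch clears gtp->sk1u whenever sk is not gtp->sk0, without checking that gtp->sk1u == sk; that relies on the invariant that any socket whose sk_user_data points at this gtp is one of the two, which is easier to audit written as `else if (gtp->sk1u == sk)`, optionally with a WARN_ON_ONCE() for the fall-through. The commit message says gtp->sk0 and gtp->sk1u are protected by RTNL, yet __gtp_encap_destroy() itself only takes lock_sock(sk); an `ASSERT_RTNL();` at the top of the function would both document and enforce that every caller holds it.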
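Review bot: the second hunk (@@ -303) establishes the lock order RTNL, then socket lock, for the encap_destroy callback path (gtp_encap_destroy() takes rtnl_lock() and then __gtp_encap_destroy() takes lock_sock(sk)), while gtp_encap_disable_sock() now calls __gtp_encap_destroy() directly and so depends on its caller already holding RTNL; the splat shows that caller is gtp_dellink() via gtp_encap_disable(), reached from rtnl_delete_link(), which runs under RTNL. Nothing in gtp_encap_disable_sock() itself shows that requirement, so a one-line comment above it ("caller must hold RTNL") would save the next reader from re-deriving it.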
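Review bot: the gtp_genl_new_pdp() hunks (@@ -1045 and @@ -1069) take rtnl_lock() just before rcu_read_lock() and release it only at out_unlock:, so every failure path between the two hunks must leave via `goto out_unlock` rather than a bare `return`; the body of the function is not in the diff, so that should be confirmed when applying the backport (a direct return there would already leak the RCU read lock and would now also leave RTNL held). The unlock order at out_unlock: (rcu_read_unlock(), then rtnl_unlock()) correctly mirrors the acquisition order.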