Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp553656ybg; Sun, 26 Jul 2020 13:10:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzRSKkOyd0pA5FXIhbSepEINJhp5119x6HayulJl0KxxTl0RaygkE/gtw9ujwZuHFsTfw9g X-Received: by 2002:a17:906:e299:: with SMTP id gg25mr17958863ejb.160.1595794228200; Sun, 26 Jul 2020 13:10:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595794228; cv=none; d=google.com; s=arc-20160816; b=Jv+/gZAlJ6C9v/fxfkNLQuPKif2bysnsTPtmO6WhN7f/HJCHctjYjT9KQDBjABIWgI vK1mwNU0WIzO0ittYptcLvBas2T98Qd20sjmykXJm0Bh4NBpF/NcqGyb2VV1PdD97qWG 7fAuTwiH5hQdA7A6/FrKH2T8ewp7s73XHOcpugPKrpOlRpCbZ6MBu6QV4xWYnggH+kNP /a3lGrwE2wJDBsD8eWedEjrBautMylkEByD3lZjmga/EGbUbOqL3DctKK8XTaQWF8MPc F75GnOXXs13hsQODCcvAqwWE6vrAaKZZ85bgFc+Ece9QqEtbq1BmM/PNlr8AR44TsoVt vHfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=hepoEcj03sM0CyU8joldRCATVzSo814tkMYfqpOgn8Q=; b=SrOYTxyKDN5ILwltvbd9hpNwaGDbGsUi6RhKCzOhhV3nVBHM7glkTC2Zoivfi6Ls2E 7zrHwEcKThwWtLPIor9+WtJmR1fqkWi/welk64v2vK8Jz9ESBCvQSgz2/HEYf9gQfpsP JGju/OSi8clWDti4UsyoWbA56lRTkv5aChE2dRjKMpYtulOlsYaFWET9dTLvsJb9NDvn 1wwx816aamlxnpsKrm5V4YtYxbxgYm1MZcNwBLnRgyVtG/+7B/+Ghra/DfspuVuTWxcC n3KdrzIvLNtG/cHfV1qBEE8XiYdZzVRzwFIjsovFxyrBrk+MSEUqwjBfEjAdryxJkmYD 8xLw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=R90fe9DZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v18si2675749ejb.407.2020.07.26.13.10.03; Sun, 26 Jul 2020 13:10:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=R90fe9DZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727869AbgGZUHk (ORCPT + 99 others); Sun, 26 Jul 2020 16:07:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726427AbgGZUHk (ORCPT ); Sun, 26 Jul 2020 16:07:40 -0400 Received: from mail-il1-x144.google.com (mail-il1-x144.google.com [IPv6:2607:f8b0:4864:20::144]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3AA85C0619D2; Sun, 26 Jul 2020 13:07:39 -0700 (PDT) Received: by mail-il1-x144.google.com with SMTP id j9so7967479ilc.11; Sun, 26 Jul 2020 13:07:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hepoEcj03sM0CyU8joldRCATVzSo814tkMYfqpOgn8Q=; b=R90fe9DZCZzsKaiZN6ZyStpg7gXNGe8uBdtvnltvSyM1GUusMVJH+adyWtYPGeIQQ5 mT+8va8Vauu42JeMx8EvhRq0taB4YYKz+HutaLZI1N38fBKQq0lb+885IKovVZKEuyMk j1HU1yMnnIgHCo7nBsRwJIJltfsJNnVb/DvjoDDyNnIKvfbPyHrlx1NQdBlmkwkWtxIh bIv6nNn8Xe/QrKBXWDgJbvccBox4ItHPIGrIQC/s9YKNirgPktlEB/bLHCe50OJ+bh7w UAoOb9+4lAgZmSgAXjYcA75Td/XPNe23b9OTOMO6qrF3NtwzNZD+BKJyDQoAoBdGC+pS oI2A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hepoEcj03sM0CyU8joldRCATVzSo814tkMYfqpOgn8Q=; b=q44chjjjBBSn3WBr8F7UXhO+9CSj1jVBqRfmXNYzFb3g3Wduew49kyyvGcwlV0p86v CahyWLrSlCLr9/VRDKXqkWGnfAm+Rq6st5gABKWuqNgXScCvKh6LRqCuNHDNlPDGwzLA 7xj7DI+1aLE+qaiuxQOh3ni9LaPDdTQBBTahgvIhjqAUe35iTmvUQQzgOK52Vjur9EkA q5PAtdP1zPg5cMnkwBb6igwuPOF0A2Xdn9Yyu9D7Go80eU/MB5h4gcRiRNxpIjy0oKzt dHnGTEv11Su2PXNQgedj7N3Fle3PHk6i06Tbo4qZgPjZZDvhOWi6khnU1SKCY+5fBPyO ftDA== X-Gm-Message-State: AOAM533VqSdUgS/rqX/yVcxhEYHipynoesdvNkHihvK1OBzurUOvOArs mpxBE21YNjXKvi9DeH89rqzmnlM32Vsx1KRI9E0= X-Received: by 2002:a92:9a45:: with SMTP id t66mr18391483ili.268.1595794058048; Sun, 26 Jul 2020 13:07:38 -0700 (PDT) MIME-Version: 1.0 References: <20200726030855.q6dfjekazfzl5usw@pesu.pes.edu> In-Reply-To: From: Cong Wang Date: Sun, 26 Jul 2020 13:07:25 -0700 Message-ID: Subject: Re: [PATCH v2] net: ipv6: fix use-after-free Read in __xfrm6_tunnel_spi_lookup To: B K Karthik Cc: Steffen Klassert , Herbert Xu , "David S. Miller" , Alexey Kuznetsov , Hideaki YOSHIFUJI , Jakub Kicinski , Linux Kernel Network Developers , LKML , Greg KH , Shuah Khan , linux-kernel-mentees@lists.linuxfoundation.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 25, 2020 at 11:12 PM B K Karthik wrote: > > On Sun, Jul 26, 2020 at 11:05 AM Cong Wang wrote: > > > > On Sat, Jul 25, 2020 at 8:09 PM B K Karthik wrote: > > > @@ -103,10 +103,10 @@ static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi) > > > { > > > struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net); > > > struct xfrm6_tunnel_spi *x6spi; > > > - int index = xfrm6_tunnel_spi_hash_byspi(spi); > > > + int index = xfrm6_tunnel_spi_hash_byaddr((const xfrm_address_t *)spi); > > > > > > hlist_for_each_entry(x6spi, > > > - &xfrm6_tn->spi_byspi[index], > > > + &xfrm6_tn->spi_byaddr[index], > > > list_byspi) { > > > if (x6spi->spi == spi) > > > > How did you convince yourself this is correct? This lookup is still > > using spi. :) > > I'm sorry, but my intention behind writing this patch was not to fix > the UAF, but to fix a slab-out-of-bound. Odd, your $subject is clearly UAF, so is the stack trace in your changelog. :) > If required, I can definitely change the subject line and resend the > patch, but I figured this was correct for > https://syzkaller.appspot.com/bug?id=058d05f470583ab2843b1d6785fa8d0658ef66ae > . since that particular report did not have a reproducer, > Dmitry Vyukov suggested that I test this patch on > other reports for xfrm/spi . You have to change it to avoid misleading. > > Forgive me if this was the wrong way to send a patch for that > particular report, but I guessed since the reproducer did not trigger > the crash > for UAF, I would leave the subject line as 'fix UAF' :) > > xfrm6_spi_hash_by_hash seemed more convincing because I had to prevent > a slab-out-of-bounds because it uses ipv6_addr_hash. > It would be of great help if you could help me understand how this was > able to fix a UAF. Sure, you just avoid a pointer deref, which of course can fix the UAF, but I still don't think it is correct in any aspect. Even if it is a OOB, you still have to explain why it happened. Once again, I can't see how it could happen either. > > > > > More importantly, can you explain how UAF happens? Apparently > > the syzbot stack traces you quote make no sense at all. I also > > looked at other similar reports, none of them makes sense to me. > > Forgive me, but I do not understand what you mean by the stack traces > (this or other similar reports) "make no sense". Because the stack trace in your changelog clearly shows it is allocated in tomoyo_init_log(), which is a buffer in struct tomoyo_query, but none of xfrm paths uses it. Or do you see anything otherwise? Thanks.