Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp712765iog;
        Thu, 30 Jun 2022 08:46:00 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1tdrPO+q0iB46mHVBF6w82NDgjERlrLqHLIqYPOrv1yrAC+poVU066YizybXvOD/5TGi3L7
X-Received: by 2002:a63:cc52:0:b0:3fd:69ac:f3f with SMTP id q18-20020a63cc52000000b003fd69ac0f3fmr7952323pgi.423.1656603960488;
        Thu, 30 Jun 2022 08:46:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656603960; cv=none;
        d=google.com; s=arc-20160816;
        b=i7/nRJVxedW4EEq0Hemi4EIPy/1bkNQxiI5bhyQjNTW0BiieP7P9MYsrwbTaIOzr4H
         DoEeypX7as2FX5lEp+SgM+vsOFsnC6dketjrKT2dhym705W4gJboNfuIYsZo2EJIcCko
         u+GzHWHkA/JhaVmHm2f6quAtoYfmC+3cjo2AMnFdG1YemgNG+YdpHXclpKx7n0GJaPLB
         ugn9y5h9MOnfVkAnV6UtaQGqLL9eu6qb8ApcQzB6KhMkBAzQz/t6WX219Cmd27nokchT
         yjEMwy11q/n2YxeE1A3M9CFWdjRogn9r0JL90uRyLiJjJ8FVBlR94Cwzg63+o5YxsXPl
         Mtgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=UjN5WCjSlW6XRDQEx4W7qChY8LG6Krf9efhMPYxn9eQ=;
        b=W9xPl3uRDjuR1Dtdsv76bTBPAROl0REBe6zS5VGTODzpH8vZdqY0spuwiEWMEAEwnR
         yunLZjPx8JSTgZmOym9F1dg1zHbM4cuIymUNc4QMDlbOPRGz3rwWPVQz1gBqKA71P/OO
         OmsWFUNyIoVJXPmWQJKr78MRw4drWK2uD4+A2tgobsL6APe6j/LYzpAWKsIvrYTKZ8mL
         v1FMa1C25/L+TMrA1OG0mMFqgtsbAcgmEtfTIvdxMfofi+8kYd2L4ZvnTt4T3oPNtLB/
         0wbnK8zjFkMdO4x0DGB7maEKgVEz4j/U6Bv32ooaRuuov14bGEAfuXxTow29BnzcaRoZ
         E1vw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=eMdf6L5d;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id lx13-20020a17090b4b0d00b001ec9090a847si3450563pjb.3.2022.06.30.08.45.48;
        Thu, 30 Jun 2022 08:46:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=eMdf6L5d;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235752AbiF3PRi (ORCPT <rfc822;aleksandr.v.piskunov@gmail.com>
        + 99 others); Thu, 30 Jun 2022 11:17:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53388 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235545AbiF3PRY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Jun 2022 11:17:24 -0400
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F212832ED8
        for <linux-kernel@vger.kernel.org>; Thu, 30 Jun 2022 08:17:22 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id y2so149886ior.12
        for <linux-kernel@vger.kernel.org>; Thu, 30 Jun 2022 08:17:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=UjN5WCjSlW6XRDQEx4W7qChY8LG6Krf9efhMPYxn9eQ=;
        b=eMdf6L5d1qhr4EE1eKwxr+AUepysYtXrnVQSqPA2ePr2jp+PQbvPDwBkSfkngH+Avn
         dyHEvEY45qIrBSbgOGvFlMsg1L4wAwXEYj5gqdYod50dkcKWRLXEY5z0YYrcq/JrRzEk
         E9+3sPWB6c2BoYQy54Lur6hM+P2daS0eZrGkucK1wi0v0u0Vc3PnJJ7ucY/KWticVw9N
         paUYCaRr4ZYyx8XwPDPqM5xXPAA0blgvL+6j14xRdx12969O2RCXoJvE0yPywp0GbW9F
         0zTpSkwYozh+IrzRf0+bIKYiFzUb6ryrJkL4twuCNl04PBw5AnU3c3nt+nVk92M2XLyq
         5uvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=UjN5WCjSlW6XRDQEx4W7qChY8LG6Krf9efhMPYxn9eQ=;
        b=6FoVi9oMdCqfx9Mq9o/A2UF/vA1243yGiC+TVWDeY0CXRbXxAdnJucIXcJFIYo3O7j
         p1sczwG/HCrS5fK9DidDf8wZQ8HPT8oQzOoKc0zCcXYE6hunojSMlIGh+M68aBUzL9u5
         V8MEAYsSFm9TypfUpeUBLbnt2QMaeruteLBomL/CmToiliXdGsNQSt9EKsFwL04Ayzeg
         N35NcLKleoWe9CGfGDV0mRrwnDS1lqQ/fMNjZicGRkRB0F5WP0vtBjM4W4L5qL6DOMz5
         eTJqwago/EUJAEwwn00TDjTOcA8SYB/RnLAIZyPSZXrUbGQfVaL2nWWejQrkFLciI4im
         xlMQ==
X-Gm-Message-State: AJIora8T3vkB4dvTV+q0EIgyhSXitd/xuwbC/ztOWSVYwQKLGzeWpmmP
        fDt5jmcPPwypfmAAifcnAF5SsyFywk1TsKqXflPPjw==
X-Received: by 2002:a05:6638:388e:b0:33c:b603:516 with SMTP id
 b14-20020a056638388e00b0033cb6030516mr5654843jav.133.1656602242135; Thu, 30
 Jun 2022 08:17:22 -0700 (PDT)
MIME-Version: 1.0
References: <20220630143842.24906-1-duoming@zju.edu.cn> <CANn89iLda2oxoPQaGd9r8frAaOu1LqxmWYm2O8W4HXaGRN8tcQ@mail.gmail.com>
 <bed69ee.1e8d9.181b528391c.Coremail.duoming@zju.edu.cn>
In-Reply-To: <bed69ee.1e8d9.181b528391c.Coremail.duoming@zju.edu.cn>
From:   Eric Dumazet <edumazet@google.com>
Date:   Thu, 30 Jun 2022 17:17:10 +0200
Message-ID: <CANn89iKo-uuF-iQWrfL=pgMu7bEakWHPDAVuLvT-TZ4AujiD=w@mail.gmail.com>
Subject: Re: [PATCH net] net: rose: fix UAF bug caused by rose_t0timer_expiry
To:     Duoming Zhou <duoming@zju.edu.cn>
Cc:     linux-hams@vger.kernel.org, netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Jakub Kicinski <kuba@kernel.org>,
        David Miller <davem@davemloft.net>,
        Ralf Baechle <ralf@linux-mips.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 30, 2022 at 5:08 PM <duoming@zju.edu.cn> wrote:
>
> Hello,
>
> On Thu, 30 Jun 2022 16:44:29 +0200 Eric Dumazet wrote:
>
> > > There are UAF bugs caused by rose_t0timer_expiry(). The
> > > root cause is that del_timer() could not stop the timer
> > > handler that is running and there is no synchronization.
> > > One of the race conditions is shown below:
> > >
> > >     (thread 1)             |        (thread 2)
> > >                            | rose_device_event
> > >                            |   rose_rt_device_down
> > >                            |     rose_remove_neigh
> > > rose_t0timer_expiry        |       rose_stop_t0timer(rose_neigh)
> > >   ...                      |         del_timer(&neigh->t0timer)
> > >                            |         kfree(rose_neigh) //[1]FREE
> > >   neigh->dce_mode //[2]USE |
> > >
> > > The rose_neigh is deallocated in position [1] and use in
> > > position [2].
> > >
> > > The crash trace triggered by POC is like below:
> > >
> > > BUG: KASAN: use-after-free in expire_timers+0x144/0x320
> > > Write of size 8 at addr ffff888009b19658 by task swapper/0/0
> > > ...
> > > Call Trace:
> > >  <IRQ>
> > >  dump_stack_lvl+0xbf/0xee
> > >  print_address_description+0x7b/0x440
> > >  print_report+0x101/0x230
> > >  ? expire_timers+0x144/0x320
> > >  kasan_report+0xed/0x120
> > >  ? expire_timers+0x144/0x320
> > >  expire_timers+0x144/0x320
> > >  __run_timers+0x3ff/0x4d0
> > >  run_timer_softirq+0x41/0x80
> > >  __do_softirq+0x233/0x544
> > >  ...
> > >
> > > This patch changes del_timer() in rose_stop_t0timer() and
> > > rose_stop_ftimer() to del_timer_sync() in order that the
> > > timer handler could be finished before the resources such as
> > > rose_neigh and so on are deallocated. As a result, the UAF
> > > bugs could be mitigated.
> > >
> > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> > > ---
> > >  net/rose/rose_link.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
> > > index 8b96a56d3a4..9734d1264de 100644
> > > --- a/net/rose/rose_link.c
> > > +++ b/net/rose/rose_link.c
> > > @@ -54,12 +54,12 @@ static void rose_start_t0timer(struct rose_neigh *neigh)
> > >
> > >  void rose_stop_ftimer(struct rose_neigh *neigh)
> > >  {
> > > -       del_timer(&neigh->ftimer);
> > > +       del_timer_sync(&neigh->ftimer);
> > >  }
> >
> > Are you sure this is safe ?
> >
> > del_timer_sync() could hang if the caller holds a lock that the timer
> > function would need to acquire.
>
> I think this is safe. The rose_ftimer_expiry() is an empty function that is
> shown below:
>
> static void rose_ftimer_expiry(struct timer_list *t)
> {
> }
>
> > >
> > >  void rose_stop_t0timer(struct rose_neigh *neigh)
> > >  {
> > > -       del_timer(&neigh->t0timer);
> > > +       del_timer_sync(&neigh->t0timer);
> > >  }
> >
> > Same here, please explain why it is safe.
>
> The rose_stop_t0timer() may hold "rose_node_list_lock" and "rose_neigh_list_lock",
> but the timer handler rose_t0timer_expiry() that is shown below does not need
> these two locks.
>
> static void rose_t0timer_expiry(struct timer_list *t)
> {
>         struct rose_neigh *neigh = from_timer(neigh, t, t0timer);
>
>         rose_transmit_restart_request(neigh);
>
>         neigh->dce_mode = 0;
>
>         rose_start_t0timer(neigh);

This will rearm the timer.  del_timer_sync() will not help.

Please read the comment in front of del_timer_sync(), in kernel/time/timer.c

> }
>
> Best regards,
> Duoming Zhou