Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp747813iog;
        Thu, 30 Jun 2022 09:22:50 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1sL57+oaQgfGHpoUz0FLy+gD8uSyL6DHQxmdHmWuOu4AF2ej5TMiggknicr3sqAf80AYeX3
X-Received: by 2002:aa7:dac2:0:b0:435:76a2:4ebe with SMTP id x2-20020aa7dac2000000b0043576a24ebemr12630298eds.196.1656606170314;
        Thu, 30 Jun 2022 09:22:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656606170; cv=none;
        d=google.com; s=arc-20160816;
        b=qNwm8lYEu+QOJyjQyk7IkgHVVdu7F/4lA4PFK4IvOxGgCFLXtz7IAgE7wi0/6RGvY5
         wgwy1J4pdiGrpq6HX4J2vqetdnObcF7glqvtnD475h0DW4UzoZm232479zfY6WEkvDIS
         5FWIhHYE6JqAPl8Cr264o4tesaYnQTSJ4RSz6s9siP4Ary6kWDGvyWOvvNQipwmY0UQg
         C06tfw3ZOjq7JHhLahXVc5WPzJjiH7jT0WifupA3KuJfFyKitjuLEPvEo70GcsxQ7QTA
         +UgxxrUb78DGshrG2S4R6jC8X1n4xiWSxMc+tm22OSC1bC5FyYDAIAoTNXCk5bwd/fSG
         smeQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=kZYpRpqYmpLHtSZ4UZWrh/TDPBDXwHd9fuFtqbGJNp8=;
        b=ojoSehf7Oo35LyHWgH6ZqkB8ebZVbWNwHRua44zQnFb4yadFf0e76FuOueYnPMOh+A
         1hby7DWjPBm6Njo2eU8GtOZmnPRvL2NSvAFnrNcFfhU6U3rqBdPcc/qbg13HweWOvlEm
         2F1bedgAa/khI2KdTS04lAh9KK3W9xZadhjzLlljbHiG7DViR8YDAz/3drAlhlM7DbNk
         h4JXOcB4zMOEhcPYVSrD6mpCP3eFVWaPKTkJl1v3ofpXFRJPy3vUpC5ezSoWbFAmaj2c
         VSfosP0Wq83tllw/hLbGvlqRqI0GOs9dgWr+BosmbMgfOWvxbTfMRUauqcJDY0sOuchz
         E3Xw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=BuX4qA5+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i26-20020a056402055a00b00437df312715si4996384edx.525.2022.06.30.09.22.25;
        Thu, 30 Jun 2022 09:22:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=BuX4qA5+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235557AbiF3QHz (ORCPT <rfc822;aleksandr.v.piskunov@gmail.com>
        + 99 others); Thu, 30 Jun 2022 12:07:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44498 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234901AbiF3QHx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Jun 2022 12:07:53 -0400
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DD9822B1D
        for <linux-kernel@vger.kernel.org>; Thu, 30 Jun 2022 09:07:52 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id l11so34536964ybu.13
        for <linux-kernel@vger.kernel.org>; Thu, 30 Jun 2022 09:07:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=kZYpRpqYmpLHtSZ4UZWrh/TDPBDXwHd9fuFtqbGJNp8=;
        b=BuX4qA5++m+OrJvsOaRfSJjyTNROnqnd/mCvs1fJFZLG3AYi/V7Afuuc+DxYwklGe2
         8TTd0CJJFfjl5KQwwQlWyyn84g40XaWyHt0y/uDsKjx7TBMs1SIJTniaOuT4nRFnWCOW
         4mUH+1+M0E2Hw+WrjJvpBSvc9OZcerbYjFVpotYfn/oy5PZSMjbx3PKSOeuirVFFjRiH
         I6i0pWr1Bm26YHBfmj8Q4KWnzxx/b/1IT3Gf1o4kxilrc9UXbFRwcGcIsyEFpW80Uq+m
         CW0xXsP0zwXdpH8cWyDpSNce0LE26o0TO+q1YcwIDpeXgStFfhRqHawz8szkHxHYixXX
         RWdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=kZYpRpqYmpLHtSZ4UZWrh/TDPBDXwHd9fuFtqbGJNp8=;
        b=hdK+8jfwvvBU2231/++p+D59K1UBfbFBJcRh9iTU2zdQM6XZbgZ9yYPn7PrRaA0Z3g
         r8wLbPKp7zsUi0p2rDChBV6gHdTcGVa2VvYhQ7UoYuW73WJ6bq8XQhgNnqXrlpwmSsHG
         IZEs/eM/Ae6ZCJ4iODfZ0viczLpIa+Mq28Ff/lBBC7YAXL0+dNPjmcTzEVhY2QBrBaNP
         na0FwS3xnvwuDG5J8BNocT/5WcxKQ4v9DMOMHWa9OmLqt/nVoeI2ji/0KND0x21DRtih
         5qE6W0u6GClowUVVHzdXbOyxv8psCs5FcbejObEd9zEoy/JIVA2dZvrIR80PzCW5Mgdi
         ygKw==
X-Gm-Message-State: AJIora82E6lydzWong3d6C9uoVLxIOmevNIUF60UAMrA6pDnO/3+mquJ
        L9EJ0argEt1AvcGG7Ia6MqyPtAtyk47GSntV63pvSA==
X-Received: by 2002:a25:e211:0:b0:669:9cf9:bac7 with SMTP id
 h17-20020a25e211000000b006699cf9bac7mr9710834ybe.407.1656605271052; Thu, 30
 Jun 2022 09:07:51 -0700 (PDT)
MIME-Version: 1.0
References: <20220630143842.24906-1-duoming@zju.edu.cn> <CANn89iLda2oxoPQaGd9r8frAaOu1LqxmWYm2O8W4HXaGRN8tcQ@mail.gmail.com>
 <bed69ee.1e8d9.181b528391c.Coremail.duoming@zju.edu.cn> <CANn89iKo-uuF-iQWrfL=pgMu7bEakWHPDAVuLvT-TZ4AujiD=w@mail.gmail.com>
 <55ffc892.1ea21.181b54f4b2f.Coremail.duoming@zju.edu.cn>
In-Reply-To: <55ffc892.1ea21.181b54f4b2f.Coremail.duoming@zju.edu.cn>
From:   Eric Dumazet <edumazet@google.com>
Date:   Thu, 30 Jun 2022 18:07:39 +0200
Message-ID: <CANn89iLBE_kdnznsURLHVuaKqvzJ2nyuzKxz2y8G_29WjccsOA@mail.gmail.com>
Subject: Re: [PATCH net] net: rose: fix UAF bug caused by rose_t0timer_expiry
To:     Duoming Zhou <duoming@zju.edu.cn>
Cc:     linux-hams@vger.kernel.org, netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Jakub Kicinski <kuba@kernel.org>,
        David Miller <davem@davemloft.net>,
        Ralf Baechle <ralf@linux-mips.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 30, 2022 at 5:51 PM <duoming@zju.edu.cn> wrote:
>
> Hello,
>
> On Thu, 30 Jun 2022 17:17:10 +0200 Eric Dumazet wrote:
>
> > > > > There are UAF bugs caused by rose_t0timer_expiry(). The
> > > > > root cause is that del_timer() could not stop the timer
> > > > > handler that is running and there is no synchronization.
> > > > > One of the race conditions is shown below:
> > > > >
> > > > >     (thread 1)             |        (thread 2)
> > > > >                            | rose_device_event
> > > > >                            |   rose_rt_device_down
> > > > >                            |     rose_remove_neigh
> > > > > rose_t0timer_expiry        |       rose_stop_t0timer(rose_neigh)
> > > > >   ...                      |         del_timer(&neigh->t0timer)
> > > > >                            |         kfree(rose_neigh) //[1]FREE
> > > > >   neigh->dce_mode //[2]USE |
> > > > >
> > > > > The rose_neigh is deallocated in position [1] and use in
> > > > > position [2].
> > > > >
> > > > > The crash trace triggered by POC is like below:
> > > > >
> > > > > BUG: KASAN: use-after-free in expire_timers+0x144/0x320
> > > > > Write of size 8 at addr ffff888009b19658 by task swapper/0/0
> > > > > ...
> > > > > Call Trace:
> > > > >  <IRQ>
> > > > >  dump_stack_lvl+0xbf/0xee
> > > > >  print_address_description+0x7b/0x440
> > > > >  print_report+0x101/0x230
> > > > >  ? expire_timers+0x144/0x320
> > > > >  kasan_report+0xed/0x120
> > > > >  ? expire_timers+0x144/0x320
> > > > >  expire_timers+0x144/0x320
> > > > >  __run_timers+0x3ff/0x4d0
> > > > >  run_timer_softirq+0x41/0x80
> > > > >  __do_softirq+0x233/0x544
> > > > >  ...
> > > > >
> > > > > This patch changes del_timer() in rose_stop_t0timer() and
> > > > > rose_stop_ftimer() to del_timer_sync() in order that the
> > > > > timer handler could be finished before the resources such as
> > > > > rose_neigh and so on are deallocated. As a result, the UAF
> > > > > bugs could be mitigated.
> > > > >
> > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > > > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> > > > > ---
> > > > >  net/rose/rose_link.c | 4 ++--
> > > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
> > > > > index 8b96a56d3a4..9734d1264de 100644
> > > > > --- a/net/rose/rose_link.c
> > > > > +++ b/net/rose/rose_link.c
> > > > > @@ -54,12 +54,12 @@ static void rose_start_t0timer(struct rose_neigh *neigh)
> > > > >
> > > > >  void rose_stop_ftimer(struct rose_neigh *neigh)
> > > > >  {
> > > > > -       del_timer(&neigh->ftimer);
> > > > > +       del_timer_sync(&neigh->ftimer);
> > > > >  }
> > > >
> > > > Are you sure this is safe ?
> > > >
> > > > del_timer_sync() could hang if the caller holds a lock that the timer
> > > > function would need to acquire.
> > >
> > > I think this is safe. The rose_ftimer_expiry() is an empty function that is
> > > shown below:
> > >
> > > static void rose_ftimer_expiry(struct timer_list *t)
> > > {
> > > }
> > >
> > > > >
> > > > >  void rose_stop_t0timer(struct rose_neigh *neigh)
> > > > >  {
> > > > > -       del_timer(&neigh->t0timer);
> > > > > +       del_timer_sync(&neigh->t0timer);
> > > > >  }
> > > >
> > > > Same here, please explain why it is safe.
> > >
> > > The rose_stop_t0timer() may hold "rose_node_list_lock" and "rose_neigh_list_lock",
> > > but the timer handler rose_t0timer_expiry() that is shown below does not need
> > > these two locks.
> > >
> > > static void rose_t0timer_expiry(struct timer_list *t)
> > > {
> > >         struct rose_neigh *neigh = from_timer(neigh, t, t0timer);
> > >
> > >         rose_transmit_restart_request(neigh);
> > >
> > >         neigh->dce_mode = 0;
> > >
> > >         rose_start_t0timer(neigh);
> >
> > This will rearm the timer.  del_timer_sync() will not help.
>
> Thank you for your time, but I don't think so.
>
> > Please read the comment in front of del_timer_sync(), in kernel/time/timer.c
>
> I wrote a kernel module to test whether del_timer_sync() could finish a timer handler
> that use mod_timer() to rewind itself. The following is the result.
>
> # insmod del_timer_sync.ko
> [  929.374405] my_timer will be create.
> [  929.374738] the jiffies is :4295595572
> [  930.411581] In my_timer_function
> [  930.411956] the jiffies is 4295596609
> [  935.466643] In my_timer_function
> [  935.467505] the jiffies is 4295601665
> [  940.586538] In my_timer_function
> [  940.586916] the jiffies is 4295606784
> [  945.706579] In my_timer_function
> [  945.706885] the jiffies is 4295611904
>
> #
> # rmmod del_timer_sync.ko
> [  948.507692] the del_timer_sync is :1
> [  948.507692]
> #
> #
>
> The result of the experiment shows that the timer handler could
> be killed after we execute del_timer_sync(), even if the timer could
> rewind itself.


This is not enough to run an experiment to determine a comment is obsolete.

Especially if you are not running the code from interrupts, like rose
protocol might...

If you think the comment is obsolete, please send a patch to amend it.