Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp158070imn; Wed, 27 Jul 2022 02:41:52 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uw6wzYDa9i9+uPRSUw/hG7ryYSAGjcAskBUgZQQ6z+Ipky2or3YcPIuRLJpVVnLA3nOc5Y X-Received: by 2002:a17:903:240a:b0:16d:b222:f8b2 with SMTP id e10-20020a170903240a00b0016db222f8b2mr2294824plo.117.1658914912745; Wed, 27 Jul 2022 02:41:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658914912; cv=none; d=google.com; s=arc-20160816; b=OCrSCqDN42DXxPkOBEzmkhrsKgc7lAt6HsMAgLpUH5oKqw+0ki6N4mVhXETuYZtDHg ZVWDpXwpOz7/l9V2uYy+Ut9tA7qhRrwZsc14JyDb4GwL5dviHInMLKfBEJcY4RfAziSG tHy8GMwO/8GieLe7LnA/v/Txxka4b+/9sMagTrjLfr97G9Tvhk3XhKb4u/xRfLQiwToY kHYMnLAwTJSGRPQNHASTIb+3aaaomCyjMZfgJJhBqzYFv221poj954EQ60NYPKMTH+kI Z86wLuIKYh35DVgW049qxQ0VCfkXvOwBmxkBhrdFb+wCkahyWc446dmHeTRFBok5GT59 Y92w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=uxe4w00xbyVy1eoQof1qx3XDnYO6UerDvzrfyTN6VPI=; b=MAjflUjc/+k42tjSZ1bxmODe5T1DMAyrjeELK2IUSiihY+bDSGkoTjel2bggCzW3Id fnX2e2O7AD1jwbPAdqY0lpUTQ+bjmEHCUuSRZGbG/WXj9WG7qTG3QEBibvLP6WkrI2yf wCe+IJa755wx8rNn0SBAlO3CW1X22vemrl17QChYXg115Ce5dEKWhzQXNefK/706SuEA pNM+1phCPjwLDS3eMQun2LSFGwThvpZvGNg1i0wzmyNmCNcd1APfhBAUUIjAybZGihwR mPhWLi9LAQpsP4LAYtmOLT/U4R2RoUaFegTy85on0ITYd7VCkzJ+8W8yatX+cWsFZeoQ INQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y11-20020a17090322cb00b0016d69207784si3734401plg.162.2022.07.27.02.41.37; Wed, 27 Jul 2022 02:41:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231529AbiG0JOp (ORCPT + 99 others); Wed, 27 Jul 2022 05:14:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56140 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231767AbiG0JN7 (ORCPT ); Wed, 27 Jul 2022 05:13:59 -0400 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77F78474E2; Wed, 27 Jul 2022 02:11:18 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.55]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4Lt7K923Syz9sv0; Wed, 27 Jul 2022 17:10:05 +0800 (CST) Received: from [10.174.179.200] (10.174.179.200) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Wed, 27 Jul 2022 17:11:15 +0800 Subject: Re: [PATCH net v2] ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr To: David Ahern , Eric Dumazet CC: David Miller , Hideaki YOSHIFUJI , Jakub Kicinski , Paolo Abeni , netdev , LKML References: <20220726115028.3055296-1-william.xuanziyang@huawei.com> <48fd2345-ef86-da0d-c471-c576aa93d9f5@kernel.org> From: "Ziyang Xuan (William)" Message-ID: Date: Wed, 27 Jul 2022 17:11:14 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <48fd2345-ef86-da0d-c471-c576aa93d9f5@kernel.org> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.179.200] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On 7/26/22 6:13 AM, Eric Dumazet wrote: >> On Tue, Jul 26, 2022 at 1:50 PM Ziyang Xuan >> wrote: >>> >>> Change net device's MTU to smaller than IPV6_MIN_MTU or unregister >>> device while matching route. That may trigger null-ptr-deref bug >>> for ip6_ptr probability as following. >>> >>> ========================================================= >>> BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134 >>> Read of size 4 at addr 0000000000000308 by task ping6/263 >>> >>> CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14 >>> Call trace: >>> dump_backtrace+0x1a8/0x230 >>> show_stack+0x20/0x70 >>> dump_stack_lvl+0x68/0x84 >>> print_report+0xc4/0x120 >>> kasan_report+0x84/0x120 >>> __asan_load4+0x94/0xd0 >>> find_match.part.0+0x70/0x134 >>> __find_rr_leaf+0x408/0x470 >>> fib6_table_lookup+0x264/0x540 >>> ip6_pol_route+0xf4/0x260 >>> ip6_pol_route_output+0x58/0x70 >>> fib6_rule_lookup+0x1a8/0x330 >>> ip6_route_output_flags_noref+0xd8/0x1a0 >>> ip6_route_output_flags+0x58/0x160 >>> ip6_dst_lookup_tail+0x5b4/0x85c >>> ip6_dst_lookup_flow+0x98/0x120 >>> rawv6_sendmsg+0x49c/0xc70 >>> inet_sendmsg+0x68/0x94 >>> >>> Reproducer as following: >>> Firstly, prepare conditions: >>> $ip netns add ns1 >>> $ip netns add ns2 >>> $ip link add veth1 type veth peer name veth2 >>> $ip link set veth1 netns ns1 >>> $ip link set veth2 netns ns2 >>> $ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1 >>> $ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2 >>> $ip netns exec ns1 ifconfig veth1 up >>> $ip netns exec ns2 ifconfig veth2 up >>> $ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1 >>> $ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1 >>> >>> Secondly, execute the following two commands in two ssh windows >>> respectively: >>> $ip netns exec ns1 sh >>> $while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done >>> >>> $ip netns exec ns1 sh >>> $while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done >>> >>> It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly, >>> then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check. >>> >>> cpu0 cpu1 >>> fib6_table_lookup >>> __find_rr_leaf >>> addrconf_notify [ NETDEV_CHANGEMTU ] >>> addrconf_ifdown >>> RCU_INIT_POINTER(dev->ip6_ptr, NULL) >>> find_match >>> ip6_ignore_linkdown >>> >>> So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to >>> fix the null-ptr-deref bug. >>> >>> Fixes: 6d3d07b45c86 ("ipv6: Refactor fib6_ignore_linkdown") >> >> If we need to backport, I guess dcd1f572954f ("net/ipv6: Remove fib6_idev") >> already had the bug. > > Yes, that is the right Fixes commit. OK > >> >>> Signed-off-by: Ziyang Xuan >>> >>> --- >>> v2: >>> - Use NULL check in ip6_ignore_linkdown() but synchronize_net() in >>> addrconf_ifdown() >>> - Add timing analysis of the problem >>> >>> --- >>> include/net/addrconf.h | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/include/net/addrconf.h b/include/net/addrconf.h >>> index f7506f08e505..c04f359655b8 100644 >>> --- a/include/net/addrconf.h >>> +++ b/include/net/addrconf.h >>> @@ -405,6 +405,9 @@ static inline bool ip6_ignore_linkdown(const struct net_device *dev) >>> { >>> const struct inet6_dev *idev = __in6_dev_get(dev); >>> >>> + if (unlikely(!idev)) >>> + return true; >>> + > > Reviewed-by: David Ahern > >> >> Note that we might read a non NULL pointer here, but read it again >> later in rt6_score_route(), >> since another thread could switch the pointer under us ? >> Yes, this patch just cover the problem I'm having. I have checked the codes in kernel, there are some scenarios using __in6_dev_get() without NULL check and rtnl_lock. There is a possibility of null-ptr-deref bug. I will give a patch to fix them later. > > for silly MTU games yes, that could happen. > . >