Received: by 2002:a05:7412:b101:b0:e2:908c:2ebd with SMTP id az1csp3416224rdb; Thu, 16 Nov 2023 08:56:56 -0800 (PST) X-Google-Smtp-Source: AGHT+IG+K3KUz/uWh/TheXruNbhMPvWfsKMSiKgxKN/XQF38vYvjP9yr8irndsLLiROi5OoTfuPy X-Received: by 2002:a05:6a21:998d:b0:159:c07d:66f0 with SMTP id ve13-20020a056a21998d00b00159c07d66f0mr3228380pzb.6.1700153816540; Thu, 16 Nov 2023 08:56:56 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1700153816; cv=pass; d=google.com; s=arc-20160816; b=yGC86UaZOUYlPdYstChRAZh5dwIYfkvhkyyomNKRjvahIRd1ltQTVCmu8uVC6+Wwtc e3gIGC1kHQ+G4mSAgdLwNtuB8xLqW7g5qftqEp6SB5lpFk0DIq/WT1umR+3vT0E/714R YAOEqdZ7zk6h+yG3jjCoIcNLd+w6v+MfRvcYWXk9W4+qfDaemTre48ZlNtghCgM6APnY 9Ue4DV+wTup17TiiNk0ODr0M2OVKXy37BErDPYik+X3Jwp4lEM4fMPKW3RG5ru2wAES1 Ve0d8Sc3d5km8p3MtLFBdqslgSook9QmvV/5RnhBijpMvw7rZUkt3odqZbn2FVHS2L0j jpRg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :content-language:subject:references:cc:to:user-agent:mime-version :date:message-id:dkim-signature; bh=jF/VM6Ul6I5Q3qO6v36yzMs2LjPy0A7+pMrSCdzjPQY=; fh=sC2IRtbyOFfdGlGJykyOOidjJxKJHWSi6lbMgFgtF6k=; b=tPjomr4HBwnuIQFo+i5FKJjHkDnCz/XKBxOh5d0Q1F+pglEd5HrOUJLuPbSrLAHdCm 5OSvgxyqDi1YTRfMN9KIy7sjoZ8wt8i03ztmYaZUtmshR7uGrckAVquU4lhrXxlipGRX QlhY9BN22QK8iT1H1ytHVO+wuHZRusJUWXama09RkYb1ifYB3OqZJiII94Co2fsa3pKv WiAE8G7UYhFIQJb88wGCLzhDZpDu+4PnPs5QvqeNYEsfFFm9dUcjzkGHEvD0XSqmDuPI 4RB5GAX1q1nEGUFCeEvlHW7pbWTxy8oqYpvUVIuu96OQl33rH5579XsQ/Ppvf6Ig6vq/ FJ3Q== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@siddh.me header.s=zmail header.b=nLGtAtR+; arc=pass (i=1 spf=pass spfdomain=siddh.me dkim=pass dkdomain=siddh.me dmarc=pass fromdomain=siddh.me>); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siddh.me Return-Path: Received: from agentk.vger.email (agentk.vger.email. [23.128.96.32]) by mx.google.com with ESMTPS id cq6-20020a056a00330600b006c7c68e991csi6808717pfb.309.2023.11.16.08.56.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Nov 2023 08:56:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) client-ip=23.128.96.32; Authentication-Results: mx.google.com; dkim=pass header.i=@siddh.me header.s=zmail header.b=nLGtAtR+; arc=pass (i=1 spf=pass spfdomain=siddh.me dkim=pass dkdomain=siddh.me dmarc=pass fromdomain=siddh.me>); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siddh.me Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 7867E80F9CA9; Thu, 16 Nov 2023 08:56:43 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344093AbjKPQ4f (ORCPT + 99 others); Thu, 16 Nov 2023 11:56:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36034 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231135AbjKPQ4d (ORCPT ); Thu, 16 Nov 2023 11:56:33 -0500 Received: from sender-of-o51.zoho.in (sender-of-o51.zoho.in [103.117.158.51]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E260B7; Thu, 16 Nov 2023 08:56:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700153758; cv=none; d=zohomail.in; s=zohoarc; b=EBFhDQIZ/ojh3iwmVoYLmu7j2lhkfgvGQv9g8VbQOyDP8pjX3ABO3FIHvg6AU30KenHhm408h83yuPNpred96gJF6b1/h7SD/V5IxR13eqQ8WJPhuRiLoM/e05HKFWFXRn9GCUt/e4eRHayqlEQrjnHTZ6WW+fWCzqG+Obhf2fc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.in; s=zohoarc; t=1700153758; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=jF/VM6Ul6I5Q3qO6v36yzMs2LjPy0A7+pMrSCdzjPQY=; b=AB3UXrOjOulybkeopPnvgv3loT6r3KVqRSVaR3zKKzn81GlY47m9WfREfwcSrexzlR7GUgkFRTBAdrJg7H0CP1a+jeXK+UmOIbbMgbk5LMHteH7u6anTb7tH8b7n9nHs4tp2mZzpvTO1pue+JbB2d823l3fI4367i9o+hesqcXQ= ARC-Authentication-Results: i=1; mx.zohomail.in; dkim=pass header.i=siddh.me; spf=pass smtp.mailfrom=code@siddh.me; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1700153758; s=zmail; d=siddh.me; i=code@siddh.me; h=Message-ID:Date:Date:MIME-Version:To:To:Cc:Cc:References:Subject:Subject:From:From:In-Reply-To:Content-Type:Content-Transfer-Encoding:Message-Id:Reply-To; bh=jF/VM6Ul6I5Q3qO6v36yzMs2LjPy0A7+pMrSCdzjPQY=; b=nLGtAtR+WeGYnQeiqkfbAOojEyOxm/e/JnJYKgiTDy41u2VEIe7A5mof6QZAYnJz oewTIoT+OPoeJiJx5MaoXMP79eOh8nautjXS+TIt0Coir96wAIgiZd2EbzBJK/vAKDI x0NADcOS1IAzj1yyI4/m/c55+PKlTyN73/Rc3mxA= Received: from [192.168.1.11] (106.201.112.144 [106.201.112.144]) by mx.zoho.in with SMTPS id 170015375587354.15308217634913; Thu, 16 Nov 2023 22:25:55 +0530 (IST) Message-ID: <7824cf85-178f-4fca-8058-b9a1f49d3113@siddh.me> Date: Thu, 16 Nov 2023 22:25:53 +0530 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: davem@davemloft.net, edumazet@google.com, krzysztof.kozlowski@linaro.org, kuba@kernel.org, pabeni@redhat.com Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com References: <000000000000cb112e0609b419d3@google.com> Subject: Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb Content-Language: en-US, en-GB, hi-IN From: Siddh Raman Pant In-Reply-To: <000000000000cb112e0609b419d3@google.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-ZohoMailClient: External X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Thu, 16 Nov 2023 08:56:43 -0800 (PST) TLDR: Different stages of 1 and 2 can race with each other causing UAF. 1. llcp_sock_sendmsg -> nfc_llcp_send_ui_frame -> loop call (nfc_alloc_send_skb(nfc_dev)) 2. virtual_ncidev_close -> [... -> nfc_llcp_socket_release -> ...] -> [... -> nfc_free_device] --- Hi, I've been trying to fix this bug for some time but ending up getting stuck every now and then. If someone could give more inputs or fix it, it will be really helpful. This bug is due to racing between sendmsg and freeing of nfc_dev. For connectionless transmission, llcp_sock_sendmsg() codepath will eventually call nfc_alloc_send_skb() which takes in an nfc_dev as an argument for calculating the total size for skb allocation. virtual_ncidev_close() codepath eventually releases socket by calling nfc_llcp_socket_release() (which sets the sk->sk_state to LLCP_CLOSED) and afterwards the nfc_dev will be eventually freed. When an ndev gets freed, llcp_sock_sendmsg() will result in an use-after-free as it (1) doesn't have any checks in place for avoiding the datagram sending. (1.1) Checking for LLCP_CLOSED in llcp_sock_sendmsg() does make the racing less likely. For -smp 6 it did not trigger on my PC, leading me to naively think that was the solution until syzbot told me quite some time later that it isn't. (2) calls nfc_llcp_send_ui_frame(), which also has a do-while loop which can race with freeing (a msg with size of 4096 is sent in chunks of 128 in this repro). (2.1) By this I mean just moving the nfc_dev access from nfc_alloc_send_skb to inside this function, be it inside or outside the loop, naturally doesn't work. When an nfc_dev is freed and we happened to get headroom and tailroom, PDU skb seems to be not allocated and ENXIO is returned. I tried to look at other code in net subsystem to get an idea how other places handle it, but accessing device later in the codepath does not seem to not be a norm. So I am starting to think some refactoring of the locking logic may be needed (or maybe RCU protect headroom and tailroom?). I don't know if I'm correct, but anyways where does one start? Thanks, Siddh