Subject: Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
To: Siddh Raman Pant, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Date: Fri, 17 Nov 2023 13:48:56 +0100
In-Reply-To: <7824cf85-178f-4fca-8058-b9a1f49d3113@siddh.me>
References: <000000000000cb112e0609b419d3@google.com> <7824cf85-178f-4fca-8058-b9a1f49d3113@siddh.me>
On 16/11/2023 17:55, Siddh Raman Pant wrote:
> TLDR: Different stages of 1 and 2 can race with each other, causing a UAF.
>
> 1. llcp_sock_sendmsg -> nfc_llcp_send_ui_frame -> loop call (nfc_alloc_send_skb(nfc_dev))
>
> 2. virtual_ncidev_close -> [... -> nfc_llcp_socket_release -> ...] -> [... -> nfc_free_device]
>
> ---
>
> Hi,
>
> I've been trying to fix this bug for some time but end up getting
> stuck every now and then. If someone could give more input or fix it,
> it would be really helpful.
>
> This bug is due to a race between sendmsg and the freeing of nfc_dev.
>
> For connectionless transmission, the llcp_sock_sendmsg() codepath will
> eventually call nfc_alloc_send_skb(), which takes an nfc_dev as
> an argument for calculating the total size for the skb allocation.
>
> The virtual_ncidev_close() codepath eventually releases the socket by calling
> nfc_llcp_socket_release() (which sets sk->sk_state to LLCP_CLOSED),
> and afterwards the nfc_dev will eventually be freed.
>
> When an ndev gets freed, llcp_sock_sendmsg() will result in a
> use-after-free as it
>
> (1) doesn't have any checks in place for avoiding the datagram sending.
>     (1.1) Checking for LLCP_CLOSED in llcp_sock_sendmsg() does make
>           the race less likely. For -smp 6 it did not trigger on
>           my PC, leading me to naively think that was the solution
>           until syzbot told me quite some time later that it isn't.
>
> (2) calls nfc_llcp_send_ui_frame(), which also has a do-while loop which
>     can race with freeing (a msg with size of 4096 is sent in chunks of
>     128 in this repro).
>     (2.1) By this I mean just moving the nfc_dev access from
>           nfc_alloc_send_skb to inside this function, be it
>           inside or outside the loop, naturally doesn't work.
>
> When an nfc_dev is freed and we happened to get headroom and tailroom,
> the PDU skb seems to be not allocated and ENXIO is returned.
>
> I tried to look at other code in the net subsystem to get an idea how other
> places handle it, but accessing the device later in the codepath does not
> seem to be the norm. So I am starting to think some refactoring of the
> locking logic may be needed (or maybe RCU protect headroom and tailroom?).
>
> I don't know if I'm correct, but anyways where does one start?

Any checks would need to have proper locking. Or at least barriers...
Adding checks without locks usually does not solve race conditions.

Another start is proper ref counting, so the structures are not released
too early.

We have had several bugs like this in NFC before, so you can take a look at
their fixes.

Best regards,
Krzysztof
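The following is an added illustration of the point made in this reply (a state check alone cannot stop the object from being freed underneath the send loop, whereas holding a reference can); it is not code from the thread or from the kernel. The struct toy_nfc_dev, the toy_dev_* helpers, the TOY_UAF marker and the headroom/tailroom values are all constructed for the example, and the race is simulated deterministically by invoking the close path from a callback inside the chunk loop rather than from a second thread. The refcounted send path assumes, as the kernel would, that the pointer it starts from is held alive by something else (the socket) until it has taken its own reference.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's nfc_dev: just the fields the send
 * path reads (tx headroom/tailroom), a kref-like counter and a state flag. */
struct toy_nfc_dev {
    atomic_int refcnt;
    int tx_headroom;
    int tx_tailroom;
    int closed;
};

static int g_frees;   /* how many times a device has been freed */

static struct toy_nfc_dev *toy_dev_alloc(int headroom, int tailroom)
{
    struct toy_nfc_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return NULL;
    atomic_init(&dev->refcnt, 1);   /* the owner's (driver's) reference */
    dev->tx_headroom = headroom;
    dev->tx_tailroom = tailroom;
    return dev;
}

/* Drop one reference; the last one frees the object (kref_put style). */
static void toy_dev_put(struct toy_nfc_dev *dev)
{
    if (atomic_fetch_sub(&dev->refcnt, 1) == 1) {
        g_frees++;
        free(dev);
    }
}

/* Take a reference unless the count already hit zero (kref_get_unless_zero
 * style). dev must come from something that itself holds a reference. */
static int toy_dev_get(struct toy_nfc_dev *dev)
{
    int old = atomic_load(&dev->refcnt);
    while (old != 0)
        if (atomic_compare_exchange_weak(&dev->refcnt, &old, old + 1))
            return 1;
    return 0;
}

/* Close path: flag the device as closed and drop the owner's reference. */
static void toy_dev_close(struct toy_nfc_dev *dev)
{
    dev->closed = 1;
    toy_dev_put(dev);
}

#define TOY_UAF (-2)   /* the object was freed while the send loop used it */

/* Send path guarded only by a state check. race() runs once, where the close
 * path may interleave; rather than dereference freed memory, report TOY_UAF. */
static int send_flag_only(struct toy_nfc_dev *dev, int len, int chunk,
                          void (*race)(struct toy_nfc_dev *))
{
    int total = 0, frees_before = g_frees;

    if (dev->closed)
        return -1;   /* passes now, but says nothing about a moment later */
    for (int off = 0; off < len; off += chunk) {
        int n = len - off < chunk ? len - off : chunk;
        if (race) { race(dev); race = NULL; }
        if (g_frees != frees_before)
            return TOY_UAF;   /* the headroom read below would be a UAF */
        total += dev->tx_headroom + n + dev->tx_tailroom;
    }
    return total;
}

/* Send path that pins the device for the whole chunk loop. */
static int send_refcounted(struct toy_nfc_dev *dev, int len, int chunk,
                           void (*race)(struct toy_nfc_dev *))
{
    int total = 0;

    if (!toy_dev_get(dev))
        return -1;   /* already released: refuse without touching fields */
    for (int off = 0; off < len; off += chunk) {
        int n = len - off < chunk ? len - off : chunk;
        if (race) { race(dev); race = NULL; }
        /* Our reference keeps the object alive even after close ran. */
        total += dev->tx_headroom + n + dev->tx_tailroom;
    }
    toy_dev_put(dev);   /* if close already ran, this drop frees it */
    return total;
}

int main(void)
{
    /* 4096-byte message in 128-byte chunks, as in the repro described above. */
    struct toy_nfc_dev *d = toy_dev_alloc(2, 3);
    printf("flag only, close races: %d (TOY_UAF is %d)\n",
           send_flag_only(d, 4096, 128, toy_dev_close), TOY_UAF);
    d = toy_dev_alloc(2, 3);
    printf("refcounted, close races: %d bytes, frees so far %d\n",
           send_refcounted(d, 4096, 128, toy_dev_close), g_frees);
    return 0;
}
```

With the close path interleaved, the flag-only sender sees the check pass and then loses the device mid-loop, while the refcounted sender computes all 32 chunks (each 2 + 128 + 3 bytes) and the device is freed only when the last reference is dropped at the end of the loop.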