    net/ipv6: respect rcu grace period before freeing fib6_info · 9b0a8da8
    Eric Dumazet authored
    syzbot reported a use-after-free caused by a fib6_info being
    freed without a proper RCU grace period.
    
    CPU: 0 PID: 1407 Comm: udevd Not tainted 4.17.0+ #39
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     <IRQ>
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1b9/0x294 lib/dump_stack.c:113
     print_address_description+0x6c/0x20b mm/kasan/report.c:256
     kasan_report_error mm/kasan/report.c:354 [inline]
     kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
     __read_once_size include/linux/compiler.h:188 [inline]
     find_rr_leaf net/ipv6/route.c:705 [inline]
     rt6_select net/ipv6/route.c:761 [inline]
     fib6_table_lookup+0x12b7/0x14d0 net/ipv6/route.c:1823
     ip6_pol_route+0x1c2/0x1020 net/ipv6/route.c:1856
     ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2082
     fib6_rule_lookup+0x211/0x6d0 net/ipv6/fib6_rules.c:122
     ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2110
     ip6_route_output include/net/ip6_route.h:82 [inline]
     icmpv6_xrlim_allow net/ipv6/icmp.c:211 [inline]
     icmp6_send+0x147c/0x2da0 net/ipv6/icmp.c:535
     icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
     ip6_link_failure+0xa5/0x790 net/ipv6/route.c:2244
     dst_link_failure include/net/dst.h:427 [inline]
     ndisc_error_report+0xd1/0x1c0 net/ipv6/ndisc.c:695
     neigh_invalidate+0x246/0x550 net/core/neighbour.c:892
     neigh_timer_handler+0xaf9/0xde0 net/core/neighbour.c:978
     call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
     expire_timers kernel/time/timer.c:1363 [inline]
     __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
     run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
     __do_softirq+0x2e0/0xaf5 kernel/softirq.c:284
     invoke_softirq kernel/softirq.c:364 [inline]
     irq_exit+0x1d1/0x200 kernel/softirq.c:404
     exiting_irq arch/x86/include/asm/apic.h:527 [inline]
     smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
     apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
     </IRQ>
    RIP: 0010:strlen+0x5e/0xa0 lib/string.c:482
    Code: 24 00 74 3b 48 bb 00 00 00 00 00 fc ff df 4c 89 e0 48 83 c0 01 48 89 c2 48 89 c1 48 c1 ea 03 83 e1 07 0f b6 14 1a 38 ca 7f 04 <84> d2 75 23 80 38 00 75 de 48 83 c4 08 4c 29 e0 5b 41 5c 5d c3 48
    RSP: 0018:ffff8801af117850 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
    RAX: ffff880197f53bd0 RBX: dffffc0000000000 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffffffff81c5b06c RDI: ffff880197f53bc0
    RBP: ffff8801af117868 R08: ffff88019a976540 R09: 0000000000000000
    R10: ffff88019a976540 R11: 0000000000000000 R12: ffff880197f53bc0
    R13: ffff880197f53bc0 R14: ffffffff899e4e90 R15: ffff8801d91c6a00
     strlen include/linux/string.h:267 [inline]
     getname_kernel+0x24/0x370 fs/namei.c:218
     open_exec+0x17/0x70 fs/exec.c:882
     load_elf_binary+0x968/0x5610 fs/binfmt_elf.c:780
     search_binary_handler+0x17d/0x570 fs/exec.c:1653
     exec_binprm fs/exec.c:1695 [inline]
     __do_execve_file.isra.35+0x16fe/0x2710 fs/exec.c:1819
     do_execveat_common fs/exec.c:1866 [inline]
     do_execve fs/exec.c:1883 [inline]
     __do_sys_execve fs/exec.c:1964 [inline]
     __se_sys_execve fs/exec.c:1959 [inline]
     __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
     do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x7f1576a46207
    Code: 77 19 f4 48 89 d7 44 89 c0 0f 05 48 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 f7 d8 64 41 89 01 eb df b8 3b 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 02 f3 c3 48 8b 15 00 8c 2d 00 f7 d8 64 89 02
    RSP: 002b:00007ffff2784568 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
    RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f1576a46207
    RDX: 0000000001215b10 RSI: 00007ffff2784660 RDI: 00007ffff2785670
    RBP: 0000000000625500 R08: 000000000000589c R09: 000000000000589c
    R10: 0000000000000000 R11: 0000000000000202 R12: 0000000001215b10
    R13: 0000000000000007 R14: 0000000001204250 R15: 0000000000000005
    
    Allocated by task 12188:
     save_stack+0x43/0xd0 mm/kasan/kasan.c:448
     set_track mm/kasan/kasan.c:460 [inline]
     kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
     kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
     kmalloc include/linux/slab.h:513 [inline]
     kzalloc include/linux/slab.h:706 [inline]
     fib6_info_alloc+0xbb/0x280 net/ipv6/ip6_fib.c:152
     ip6_route_info_create+0x782/0x2b50 net/ipv6/route.c:3013
     ip6_route_add+0x23/0xb0 net/ipv6/route.c:3154
     ipv6_route_ioctl+0x5a5/0x760 net/ipv6/route.c:3660
     inet6_ioctl+0x100/0x1f0 net/ipv6/af_inet6.c:546
     sock_do_ioctl+0xe4/0x3e0 net/socket.c:973
     sock_ioctl+0x30d/0x680 net/socket.c:1097
     vfs_ioctl fs/ioctl.c:46 [inline]
     file_ioctl fs/ioctl.c:500 [inline]
     do_vfs_ioctl+0x1cf/0x16f0 fs/ioctl.c:684
     ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
     __do_sys_ioctl fs/ioctl.c:708 [inline]
     __se_sys_ioctl fs/ioctl.c:706 [inline]
     __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
     do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    Freed by task 1402:
     save_stack+0x43/0xd0 mm/kasan/kasan.c:448
     set_track mm/kasan/kasan.c:460 [inline]
     __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
     kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
     __cache_free mm/slab.c:3498 [inline]
     kfree+0xd9/0x260 mm/slab.c:3813
     fib6_info_destroy+0x29b/0x350 net/ipv6/ip6_fib.c:207
     fib6_info_release include/net/ip6_fib.h:286 [inline]
     __ip6_del_rt_siblings net/ipv6/route.c:3235 [inline]
     ip6_route_del+0x11c4/0x13b0 net/ipv6/route.c:3316
     ipv6_route_ioctl+0x616/0x760 net/ipv6/route.c:3663
     inet6_ioctl+0x100/0x1f0 net/ipv6/af_inet6.c:546
     sock_do_ioctl+0xe4/0x3e0 net/socket.c:973
     sock_ioctl+0x30d/0x680 net/socket.c:1097
     vfs_ioctl fs/ioctl.c:46 [inline]
     file_ioctl fs/ioctl.c:500 [inline]
     do_vfs_ioctl+0x1cf/0x16f0 fs/ioctl.c:684
     ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
     __do_sys_ioctl fs/ioctl.c:708 [inline]
     __se_sys_ioctl fs/ioctl.c:706 [inline]
     __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
     do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    The buggy address belongs to the object at ffff8801b5df2580
     which belongs to the cache kmalloc-256 of size 256
    The buggy address is located 8 bytes inside of
     256-byte region [ffff8801b5df2580, ffff8801b5df2680)
    The buggy address belongs to the page:
    page:ffffea0006d77c80 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0xffff8801b5df2e40
    flags: 0x2fffc0000000100(slab)
    raw: 02fffc0000000100 ffffea0006c5cc48 ffffea0007363308 ffff8801da8007c0
    raw: ffff8801b5df2e40 ffff8801b5df2080 0000000100000006 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff8801b5df2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8801b5df2500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
    > ffff8801b5df2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                          ^
     ffff8801b5df2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8801b5df2680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
    
    Fixes: a64efe14 ("net/ipv6: introduce fib6_info struct and helpers")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: David Ahern <dsahern@gmail.com>
    Reported-by: syzbot+9e6d75e3edef427ee888@syzkaller.appspotmail.com
    Acked-by: David Ahern <dsahern@gmail.com>
    Tested-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>