Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-09-22 07:53:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
7d9b1b578d
linux/net/ipv6
History
Eric Dumazet 7d9b1b578d ip6mr: fix use-after-free in ip6mr_sk_done() 
Apparently addrconf_exit_net() is called before igmp6_net_exit()
and ndisc_net_exit() at netns dismantle time:

 net_namespace: call ip6table_mangle_net_exit()
 net_namespace: call ip6_tables_net_exit()
 net_namespace: call ipv6_sysctl_net_exit()
 net_namespace: call ioam6_net_exit()
 net_namespace: call seg6_net_exit()
 net_namespace: call ping_v6_proc_exit_net()
 net_namespace: call tcpv6_net_exit()
 ip6mr_sk_done sk=ffffa354c78a74c0
 net_namespace: call ipv6_frags_exit_net()
 net_namespace: call addrconf_exit_net()
 net_namespace: call ip6addrlbl_net_exit()
 net_namespace: call ip6_flowlabel_net_exit()
 net_namespace: call ip6_route_net_exit_late()
 net_namespace: call fib6_rules_net_exit()
 net_namespace: call xfrm6_net_exit()
 net_namespace: call fib6_net_exit()
 net_namespace: call ip6_route_net_exit()
 net_namespace: call ipv6_inetpeer_exit()
 net_namespace: call if6_proc_net_exit()
 net_namespace: call ipv6_proc_exit_net()
 net_namespace: call udplite6_proc_exit_net()
 net_namespace: call raw6_exit_net()
 net_namespace: call igmp6_net_exit()
 ip6mr_sk_done sk=ffffa35472b2a180
 ip6mr_sk_done sk=ffffa354c78a7980
 net_namespace: call ndisc_net_exit()
 ip6mr_sk_done sk=ffffa35472b2ab00
 net_namespace: call ip6mr_net_exit()
 net_namespace: call inet6_net_exit()

This was fine because ip6mr_sk_done() would not reach the point decreasing
net->ipv6.devconf_all->mc_forwarding until my patch in ip6mr_sk_done().

To fix this without changing struct pernet_operations ordering,
we can clear net->ipv6.devconf_dflt and net->ipv6.devconf_all
when they are freed from addrconf_exit_net()

BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
BUG: KASAN: use-after-free in ip6mr_sk_done+0x11b/0x410 net/ipv6/ip6mr.c:1578
Read of size 4 at addr ffff88801ff08688 by task kworker/u4:4/963

CPU: 0 PID: 963 Comm: kworker/u4:4 Not tainted 5.17.0-rc2-syzkaller-00650-g5a8fb33e5305 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 ip6mr_sk_done+0x11b/0x410 net/ipv6/ip6mr.c:1578
 rawv6_close+0x58/0x80 net/ipv6/raw.c:1201
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
 __sock_release net/socket.c:650 [inline]
 sock_release+0x87/0x1b0 net/socket.c:678
 inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
 igmp6_net_exit+0x6b/0x170 net/ipv6/mcast.c:3173
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:600
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Fixes: f2f2325ec7 ("ip6mr: ip6mr_sk_done() can exit early in common cases")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-02-07 12:07:45 +00:00
..
ila net: ipv6: check return value of rhashtable_init 2021-09-28 12:59:24 +01:00
netfilter netfilter: Remove flowtable relics 2022-01-27 00:00:20 +01:00
addrconf_core.c ipv6: add net device refcount tracker to struct inet6_dev 2021-12-06 16:05:11 -08:00
addrconf.c ip6mr: fix use-after-free in ip6mr_sk_done() 2022-02-07 12:07:45 +00:00
addrlabel.c
af_inet6.c net: bpf: Handle return value of BPF_CGROUP_RUN_PROG_INET{4,6}_POST_BIND() 2022-01-06 17:08:35 -08:00
ah6.c ipv6: ah6: use swap() to make code cleaner 2021-11-18 12:00:15 +00:00
anycast.c
calipso.c cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-04 15:26:57 -08:00
datagram.c
esp6_offload.c net: move gro definitions to include/net/gro.h 2021-11-16 13:16:54 +00:00
esp6.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2022-01-06 11:54:20 +00:00
exthdrs_core.c
exthdrs_offload.c
exthdrs.c ipv6: partially inline ipv6_fixup_options 2022-01-27 19:46:11 -08:00
fib6_notifier.c
fib6_rules.c fib: rules: remove duplicated nla policies 2021-12-16 07:18:35 -08:00
fou6.c
icmp.c ipv6: do not use per netns icmp sockets 2022-01-25 11:25:21 +00:00
inet6_connection_sock.c
inet6_hashtables.c bpf: Add ingress_ifindex to bpf_sk_lookup 2021-11-10 16:29:58 -08:00
ioam6_iptunnel.c ipv6: ioam: Insertion frequency in lwtunnel output 2022-02-04 20:24:45 -08:00
ioam6.c ipv6: ioam: Support for Queue depth data field 2022-01-02 12:15:13 +00:00
ip6_checksum.c
ip6_fib.c ipv6: annotate accesses to fn->fn_sernum 2022-01-20 20:18:37 -08:00
ip6_flowlabel.c
ip6_gre.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
ip6_icmp.c net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-02-23 11:29:52 -08:00
ip6_input.c ipv6: make mc_forwarding atomic 2022-02-05 15:20:34 +00:00
ip6_offload.c ipv6: gro: flush instead of assuming different flows on hop_limit mismatch 2022-01-25 13:05:11 +00:00
ip6_offload.h
ip6_output.c ipv6: optimise dst refcounting on cork init 2022-01-27 19:46:11 -08:00
ip6_tunnel.c ip6_tunnel: allow routing IPv4 traffic in NBMA mode 2022-01-25 10:49:25 +00:00
ip6_udp_tunnel.c
ip6_vti.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-12-30 12:12:12 -08:00
ip6mr.c ip6mr: fix use-after-free in ip6mr_sk_done() 2022-02-07 12:07:45 +00:00
ipcomp6.c xfrm: remove hdr_offset indirection 2021-06-11 14:48:50 +02:00
ipv6_sockglue.c net-ipv6: changes to ->tclass (via IPV6_TCLASS) should sk_dst_reset() 2021-11-24 18:57:23 -08:00
Kconfig ipv6: ioam: Add support for the ip6ip6 encapsulation 2021-10-04 12:53:35 +01:00
Makefile net: ipv6: use ipv6-y directly instead of ipv6-objs 2021-09-28 13:13:40 +01:00
mcast_snoop.c net: bridge: mcast: fix broken length + header check for MRDv6 Adv. 2021-04-27 14:02:06 -07:00
mcast.c ipv6: change return type from int to void for mld_process_v2 2021-09-02 11:29:55 +01:00
mip6.c xfrm: ipv6: move mip6_rthdr_offset into xfrm core 2021-06-11 14:48:50 +02:00
ndisc.c net: ndisc: introduce ndisc_evict_nocarrier sysctl parameter 2021-11-01 19:57:14 -07:00
netfilter.c netfilter: Dissect flow after packet mangling 2021-04-18 22:04:16 +02:00
output_core.c ipv6: use prandom_u32() for ID generation 2021-05-31 22:12:08 -07:00
ping.c net: bpf: Handle return value of BPF_CGROUP_RUN_PROG_INET{4,6}_POST_BIND() 2022-01-06 17:08:35 -08:00
proc.c
protocol.c
raw.c ipv6: raw: check passed optlen before reading 2021-12-29 12:32:56 -08:00
reassembly.c ipv6: record frag_max_size in atomic fragments in input path 2021-05-21 15:02:25 -07:00
route.c ipv6: annotate accesses to fn->fn_sernum 2022-01-20 20:18:37 -08:00
rpl_iptunnel.c net: ipv6: rpl_iptunnel: simplify the return expression of rpl_do_srh() 2020-12-08 16:22:54 -08:00
rpl.c
seg6_hmac.c net: ipv6: check return value of rhashtable_init 2021-09-28 12:59:24 +01:00
seg6_iptunnel.c seg6: fix the iif in the IPv6 socket control block 2021-12-09 07:55:42 -08:00
seg6_local.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
seg6.c icmp: ICMPV6: Examine invoking packet for Segment Route Headers. 2022-01-04 12:17:35 +00:00
sit.c sit: allow encapsulated IPv6 traffic to be delivered locally 2022-01-12 13:56:07 -08:00
syncookies.c net: align static siphash keys 2021-11-16 19:07:54 -08:00
sysctl_net_ipv6.c ipv6: ioam: Data plane support for Pre-allocated Trace 2021-07-21 08:14:33 -07:00
tcp_ipv6.c tcp: allocate tcp_death_row outside of struct netns_ipv4 2022-01-26 19:00:31 -08:00
tcpv6_offload.c net: move gro definitions to include/net/gro.h 2021-11-16 13:16:54 +00:00
tunnel6.c
udp_impl.h
udp_offload.c gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2021-11-24 17:21:42 -08:00
udp.c ipv6: optimise dst refcounting on cork init 2022-01-27 19:46:11 -08:00
udplite.c
xfrm6_input.c
xfrm6_output.c net: ipv6: fix return value of ip6_skb_dst_mtu 2021-07-02 11:57:01 -07:00
xfrm6_policy.c xfrm: use net device refcount tracker helpers 2021-12-09 11:51:45 -08:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm: remove description from xfrm_type struct 2021-06-09 09:38:52 +02:00