leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
719c7d563c
linux/net
History
YueHaibing 719c7d563c ipvs: Fix use-after-free in ip_vs_in 
BUG: KASAN: use-after-free in ip_vs_in.part.29+0xe8/0xd20 [ip_vs]
Read of size 4 at addr ffff8881e9b26e2c by task sshd/5603

CPU: 0 PID: 5603 Comm: sshd Not tainted 4.19.39+ #30
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
 dump_stack+0x71/0xab
 print_address_description+0x6a/0x270
 kasan_report+0x179/0x2c0
 ip_vs_in.part.29+0xe8/0xd20 [ip_vs]
 ip_vs_in+0xd8/0x170 [ip_vs]
 nf_hook_slow+0x5f/0xe0
 __ip_local_out+0x1d5/0x250
 ip_local_out+0x19/0x60
 __tcp_transmit_skb+0xba1/0x14f0
 tcp_write_xmit+0x41f/0x1ed0
 ? _copy_from_iter_full+0xca/0x340
 __tcp_push_pending_frames+0x52/0x140
 tcp_sendmsg_locked+0x787/0x1600
 ? tcp_sendpage+0x60/0x60
 ? inet_sk_set_state+0xb0/0xb0
 tcp_sendmsg+0x27/0x40
 sock_sendmsg+0x6d/0x80
 sock_write_iter+0x121/0x1c0
 ? sock_sendmsg+0x80/0x80
 __vfs_write+0x23e/0x370
 vfs_write+0xe7/0x230
 ksys_write+0xa1/0x120
 ? __ia32_sys_read+0x50/0x50
 ? __audit_syscall_exit+0x3ce/0x450
 do_syscall_64+0x73/0x200
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7ff6f6147c60
Code: 73 01 c3 48 8b 0d 28 12 2d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 5d 73 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83
RSP: 002b:00007ffd772ead18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000034 RCX: 00007ff6f6147c60
RDX: 0000000000000034 RSI: 000055df30a31270 RDI: 0000000000000003
RBP: 000055df30a31270 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd772ead70 R11: 0000000000000246 R12: 00007ffd772ead74
R13: 00007ffd772eae20 R14: 00007ffd772eae24 R15: 000055df2f12ddc0

Allocated by task 6052:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc+0x10a/0x220
 ops_init+0x97/0x190
 register_pernet_operations+0x1ac/0x360
 register_pernet_subsys+0x24/0x40
 0xffffffffc0ea016d
 do_one_initcall+0x8b/0x253
 do_init_module+0xe3/0x335
 load_module+0x2fc0/0x3890
 __do_sys_finit_module+0x192/0x1c0
 do_syscall_64+0x73/0x200
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6067:
 __kasan_slab_free+0x130/0x180
 kfree+0x90/0x1a0
 ops_free_list.part.7+0xa6/0xc0
 unregister_pernet_operations+0x18b/0x1f0
 unregister_pernet_subsys+0x1d/0x30
 ip_vs_cleanup+0x1d/0xd2f [ip_vs]
 __x64_sys_delete_module+0x20c/0x300
 do_syscall_64+0x73/0x200
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881e9b26600 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2092 bytes inside of 4096-byte region [ffff8881e9b26600, ffff8881e9b27600)
The buggy address belongs to the page:
page:ffffea0007a6c800 count:1 mapcount:0 mapping:ffff888107c0e600 index:0x0 compound_mapcount: 0
flags: 0x17ffffc0008100(slab|head)
raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff888107c0e600
raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

while unregistering ipvs module, ops_free_list calls
__ip_vs_cleanup, then nf_unregister_net_hooks be called to
do remove nf hook entries. It need a RCU period to finish,
however net->ipvs is set to NULL immediately, which will
trigger NULL pointer dereference when a packet is hooked
and handled by ip_vs_in where net->ipvs is dereferenced.

Another scene is ops_free_list call ops_free to free the
net_generic directly while __ip_vs_cleanup finished, then
calling ip_vs_in will triggers use-after-free.

This patch moves nf_unregister_net_hooks from __ip_vs_cleanup()
to __ip_vs_dev_cleanup(),  where rcu_barrier() is called by
unregister_pernet_device -> unregister_pernet_operations,
that will do the needed grace period.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: efe4160618 ("ipvs: convert to use pernet nf_hook api")
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-05-21 18:31:09 +02:00
..
6lowpan 6lowpan: Off by one handling ->nexthdr 2019-04-23 19:09:58 +02:00
9p 9p/net: fix memory leak in p9_client_create 2019-03-13 11:50:04 +01:00
802
8021q vlan: disable SIOCSHWTSTAMP in container 2019-05-09 09:31:16 -07:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-05-02 22:14:21 -04:00
atm net: atm: clean up a range check 2019-05-05 10:25:52 -07:00
ax25 net: ax25: fix misuse of %x 2019-04-21 10:37:26 -07:00
batman-adv This feature/cleanup patchset includes the following patches: 2019-05-09 09:44:17 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
bpf bpf: Introduce bpf sk local storage 2019-04-27 09:07:04 -07:00
bpfilter bpfilter: re-add header search paths to tools include to fix build error 2019-02-23 13:34:40 -08:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2019-05-13 08:55:15 -07:00
caif net: caif: fix the value of size argument of snprintf 2019-05-17 11:31:15 -07:00
can netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
ceph mm/gup: change GUP fast to use flags rather than a write 'bool' 2019-05-14 09:47:46 -07:00
core net: avoid weird emergency message 2019-05-16 14:25:58 -07:00
dcb netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
dccp net: dccp : proto: remove Unneeded variable "err" 2019-05-12 13:21:30 -07:00
decnet netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
dns_resolver dns: remove redundant zero length namelen check 2019-04-11 14:01:08 -07:00
dsa net: dsa: Initialize DSA_SKB_CB(skb)->deferred_xmit variable 2019-05-12 13:19:46 -07:00
ethernet net: ethernet: support of_get_mac_address new ERR_PTR error 2019-05-07 12:22:47 -07:00
hsr genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
ieee802154 genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
ife
ipv4 netfilter: nft_fib: Fix existence check support 2019-05-21 16:10:38 +02:00
ipv6 netfilter: nft_fib: Fix existence check support 2019-05-21 16:10:38 +02:00
iucv
kcm kcm: switch order of device registration to fix a crash 2019-04-01 14:59:20 -07:00
key xfrm: clean up xfrm protocol checks 2019-03-26 08:35:36 +01:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-05-07 17:22:09 -07:00
l3mdev
lapb
llc llc: Check address length before reading address field 2019-04-12 10:25:03 -07:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-05-02 22:14:21 -04:00
mac802154
mpls netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
ncsi genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
netfilter ipvs: Fix use-after-free in ip_vs_in 2019-05-21 18:31:09 +02:00
netlabel genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
netlink genetlink: do not validate dump requests if there is no policy 2019-05-04 01:27:10 -04:00
netrom net: rework SIOCGSTAMP ioctl handling 2019-04-19 14:07:40 -07:00
nfc genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
nsh
openvswitch openvswitch: Replace removed NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT) 2019-05-08 09:43:15 -07:00
packet packet: Fix error path in packet_init 2019-05-09 13:45:46 -07:00
phonet netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
psample genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
qrtr net: qrtr: use protocol endiannes variable 2019-05-11 09:59:48 -07:00
rds mm/gup: change GUP fast to use flags rather than a write 'bool' 2019-05-14 09:47:46 -07:00
rfkill *: convert stream-like files from nonseekable_open -> stream_open 2019-05-06 17:46:41 +03:00
rose Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-04-25 23:52:29 -04:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-05-02 22:14:21 -04:00
sched net/sched: avoid double free on matchall reoffload 2019-05-08 16:34:58 -07:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
smc 5.2 Merge Window pull request 2019-05-09 09:02:46 -07:00
strparser net: strparser: make it explicitly non-modular 2019-04-22 21:50:54 -07:00
sunrpc NFS client updates for Linux 5.2 2019-05-09 14:33:15 -07:00
switchdev switchdev: Remove unused transaction item queue 2019-03-01 21:35:19 -08:00
tipc Revert "tipc: fix modprobe tipc failed after switch order of device registration" 2019-05-17 12:15:05 -07:00
tls net/tls: handle errors from padding_length() 2019-05-09 16:37:39 -07:00
unix datagram: remove rendundant 'peeked' argument 2019-04-08 09:51:54 -07:00
vmw_vsock vsock/virtio: Initialize core virtio vsock before registering the driver 2019-05-18 10:50:28 -07:00
wimax genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
x25 net: rework SIOCGSTAMP ioctl handling 2019-04-19 14:07:40 -07:00
xdp mm/gup: replace get_user_pages_longterm() with FOLL_LONGTERM 2019-05-14 09:47:45 -07:00
xfrm xfrm: ressurrect "Fix uninitialized memory read in _decode_session4" 2019-05-16 14:14:47 -07:00
compat.c net: rework SIOCGSTAMP ioctl handling 2019-04-19 14:07:40 -07:00
Kconfig net: devlink: select NET_DEVLINK from drivers 2019-03-24 14:55:31 -04:00
Makefile net: split out functions related to registering inflight socket files 2019-02-28 08:24:23 -07:00
socket.c net: use indirect calls helpers at the socket layer 2019-05-05 10:38:04 -07:00
sysctl_net.c