leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f7225172f2
linux/net
History
David Ahern f7225172f2 net/ipv6: prevent use after free in ip6_route_mpath_notify 
syzbot reported a use-after-free:

BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 net/ipv6/route.c:4180
Read of size 4 at addr ffff8801bf789cf0 by task syz-executor756/4555

CPU: 1 PID: 4555 Comm: syz-executor756 Not tainted 4.17.0-rc7+ #78
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 ip6_route_mpath_notify+0xe9/0x100 net/ipv6/route.c:4180
 ip6_route_multipath_add+0x615/0x1910 net/ipv6/route.c:4303
 inet6_rtm_newroute+0xe3/0x160 net/ipv6/route.c:4391
 ...

Allocated by task 4555:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 dst_alloc+0xbb/0x1d0 net/core/dst.c:104
 __ip6_dst_alloc+0x35/0xa0 net/ipv6/route.c:361
 ip6_dst_alloc+0x29/0xb0 net/ipv6/route.c:376
 ip6_route_info_create+0x4d4/0x3a30 net/ipv6/route.c:2834
 ip6_route_multipath_add+0xc7e/0x1910 net/ipv6/route.c:4240
 inet6_rtm_newroute+0xe3/0x160 net/ipv6/route.c:4391
 ...

Freed by task 4555:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 dst_destroy+0x267/0x3c0 net/core/dst.c:140
 dst_release_immediate+0x71/0x9e net/core/dst.c:205
 fib6_add+0xa40/0x1650 net/ipv6/ip6_fib.c:1305
 __ip6_ins_rt+0x6c/0x90 net/ipv6/route.c:1011
 ip6_route_multipath_add+0x513/0x1910 net/ipv6/route.c:4267
 inet6_rtm_newroute+0xe3/0x160 net/ipv6/route.c:4391
 ...

The problem is that rt_last can point to a deleted route if the insert
fails.

One reproducer is to insert a route and then add a multipath route that
has a duplicate nexthop.e.g,:
    $ ip -6 ro add vrf red 2001:db8:101::/64 nexthop via 2001:db8:1::2
    $ ip -6 ro append vrf red 2001:db8:101::/64 nexthop via 2001:db8:1::4 nexthop via 2001:db8:1::2

Fix by not setting rt_last until the it is verified the insert succeeded.

Fixes: 3b1137fe74 ("net: ipv6: Change notifications for multipath add to RTA_MULTIPATH")
Cc: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-05 09:56:04 -04:00
..
6lowpan
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-06-03 09:31:58 -04:00
802
8021q vlan: Add extack messages for link create 2018-05-17 17:08:55 -04:00
appletalk net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
atm net: atm: Fix potential Spectre v1 2018-05-04 12:52:47 -04:00
ax25 net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
bluetooth Bluetooth: Re-use kstrtobool_from_user() 2018-05-30 08:16:04 +02:00
bpf bpf: making bpf_prog_test run aware of possible data_end ptr change 2018-04-18 23:34:16 +02:00
bpfilter bpfilter: fix a build err 2018-05-29 15:20:21 -04:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-06-03 09:31:58 -04:00
caif net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN" 2018-04-19 13:37:10 -04:00
can net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ceph libceph: add osd_req_op_extent_osd_data_bvecs() 2018-05-10 10:15:05 +02:00
core net: do not allow changing SO_REUSEADDR/SO_REUSEPORT on bound sockets 2018-06-04 17:14:22 -04:00
dcb net/dcb: Add dcbnl buffer attribute 2018-05-24 14:22:59 -07:00
dccp dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() 2018-05-22 13:55:20 -04:00
decnet net: fib_rules: add extack support 2018-04-23 10:21:24 -04:00
dns_resolver KEYS: DNS: limit the length of option strings 2018-04-17 15:17:41 -04:00
dsa dsa: port: Ignore bridge VLAN events 2018-05-31 14:13:43 -04:00
ethernet net: core: rework basic flow dissection helper 2018-05-08 00:02:36 -04:00
hsr
ieee802154 net: ieee802154: 6lowpan: fix frag reassembly 2018-04-23 20:56:24 +02:00
ife net: sched: ife: check on metadata length 2018-04-22 21:12:00 -04:00
ipv4 net-tcp: extend tcp_tw_reuse sysctl to enable loopback only optimization 2018-06-04 17:13:35 -04:00
ipv6 net/ipv6: prevent use after free in ip6_route_mpath_notify 2018-06-05 09:56:04 -04:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-23 11:31:58 -04:00
kcm kcm: Fix use-after-free caused by clonned sockets 2018-06-01 10:28:07 -04:00
key af_key: Always verify length of provided sadb_key 2018-04-09 07:06:38 +02:00
l2tp l2tp: fix refcount leakage on PPPoL2TP sockets 2018-06-05 09:40:18 -04:00
l3mdev
lapb
llc llc: better deal with too small mtu 2018-05-08 00:11:40 -04:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
mac802154 net/mac802154: disambiguate mac80215 vs mac802154 trace events 2018-03-28 22:55:18 +02:00
mpls net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ncsi net/ncsi: Avoid GFP_KERNEL in response handler 2018-06-03 10:42:07 -04:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-06-03 09:31:58 -04:00
netlabel netlabel: If PF_INET6, check sk_buff ip header version 2018-02-14 14:01:41 -05:00
netlink net/netlink: make sure the headers line up actual value output 2018-05-04 13:00:57 -04:00
netrom net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
nfc net: remove unnecessary genlmsg_cancel() calls 2018-05-29 09:53:38 -04:00
nsh nsh: fix infinite loop 2018-05-04 12:54:38 -04:00
openvswitch openvswitch: Support conntrack zone limit 2018-05-25 16:45:19 -04:00
packet net/packet: refine check for priv area size 2018-06-04 11:31:53 -04:00
phonet net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
psample
qrtr net: qrtr: Expose tunneling endpoint to user space 2018-04-27 15:06:10 -04:00
rds Merge candidates for 4.17-rc 2018-06-02 09:55:44 -07:00
rfkill rfkill: Create rfkill-none LED trigger 2018-05-23 11:26:45 +02:00
rose net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
rxrpc rxrpc: Fix handling of call quietly cancelled out on server 2018-06-04 16:06:26 -04:00
sched net: sched: return error code when tcf proto is not found 2018-06-04 17:31:44 -04:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
smc net/smc: fix error return code in smc_setsockopt() 2018-06-03 10:38:28 -04:00
strparser strparser: Do not call mod_delayed_work with a timeout of LONG_MAX 2018-04-22 21:09:16 -04:00
sunrpc Merge candidates for 4.17-rc 2018-06-02 09:55:44 -07:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-11 20:53:22 -04:00
tls Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
unix af_unix: remove redundant lockdep class 2018-04-04 11:13:40 -04:00
vmw_vsock VSOCK: make af_vsock.ko removable again 2018-04-17 09:44:30 -04:00
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
x25 net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
xdp xsk: convert atomic_t to refcount_t 2018-05-22 10:25:06 +02:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-06-03 09:31:58 -04:00
compat.c net: support compat 64-bit time in {s,g}etsockopt 2018-04-27 19:46:06 -04:00
Kconfig net: Introduce generic failover module 2018-05-28 22:59:54 -04:00
Makefile net: add skeleton of bpfilter kernel module 2018-05-23 13:23:40 -04:00
socket.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2018-04-05 11:56:35 -07:00
sysctl_net.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00