
Issue 621977 link


Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug




KASAN reports a use-after-free in sock_setsockopt()

Reported by glider@chromium.org (Project Member), Jun 21 2016

Issue description

I get the following report when running the attached program on an amd64-generic kernel with KASAN enabled:

==================================================================
BUG: KASAN: use-after-free in sock_setsockopt+0x664/0xabb at addr ffff880025b17598
Read of size 4 by task oob-38/18725
CPU: 0 PID: 18725 Comm: oob-38 Tainted: G    B          3.18.0 #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff880025b17a00 000000008d5e8bb5 ffff8800191cfdc8 ffffffff81b56867
 0000000000004925 fffffffff0567011 ffff880035253180 ffffed0004b62eb3
 ffff8800191cfe48 ffffffff811c7338 0000000000000296 1ffff10004b62eb3
Call Trace:
 [<     inline     >] __dump_stack /mnt/host/source/src/third_party/kernel/v3.18/lib/dump_stack.c:15
 [<ffffffff81b56867>] dump_stack+0x74/0xb3 /mnt/host/source/src/third_party/kernel/v3.18/lib/dump_stack.c:50
 [<     inline     >] object_err /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:139
 [<     inline     >] print_address_description /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:179
 [<     inline     >] kasan_report_error /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:276
 [<ffffffff811c7338>] kasan_report+0x30f/0x56a /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:299
 [<     inline     >] ? debug_spin_unlock /mnt/host/source/src/third_party/kernel/v3.18/kernel/locking/spinlock_debug.c:103
 [<ffffffff810bf509>] ? do_raw_spin_unlock+0xbb/0xcd /mnt/host/source/src/third_party/kernel/v3.18/kernel/locking/spinlock_debug.c:158
 [<     inline     >] check_memory_region /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:285
 [<ffffffff811c6657>] __asan_load4+0x23/0x6c /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:672
 [<ffffffff819a68e4>] sock_setsockopt+0x664/0xabb /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:850
 [<ffffffff8199af52>] ? sockfd_lookup_light+0xd8/0xea /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:465
 [<ffffffff8199b10a>] SYSC_setsockopt+0xa5/0x131 /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1895
 [<ffffffff8199f86c>] SyS_setsockopt+0x3f/0x41 /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1878
 [<ffffffff81b5e41c>] system_call_fastpath+0x1c/0x21 /mnt/host/source/src/third_party/kernel/v3.18/arch/x86/kernel/entry_64.S:436
Object at ffff880025b17540, in cache RAWv6
Object freed, allocated with size 1216 bytes
Allocation:
PID = 15810
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 /mnt/host/source/src/third_party/kernel/v3.18/arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c6109>] save_stack+0x46/0xce /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:450
 [<     inline     >] set_track /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:462
 [<ffffffff811c6963>] kasan_kmalloc+0xa6/0xb8 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:532
 [<ffffffff811c6cf3>] kasan_slab_alloc+0x12/0x14 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:482
 [<ffffffff811c49fe>] kmem_cache_alloc+0x87/0xee /mnt/host/source/src/third_party/kernel/v3.18/mm/slab.c:3385
 [<ffffffff819a30ae>] sk_prot_alloc+0x58/0x1e7 /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:1291
 [<ffffffff819a3802>] sk_alloc+0x33/0xf6 /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:1365
 [<ffffffff81ae7aee>] inet6_create+0x1a5/0x5c2 /mnt/host/source/src/third_party/kernel/v3.18/net/ipv6/af_inet6.c:187
 [<ffffffff8199b724>] __sock_create+0x1c0/0x2b5 /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1305
 [<ffffffff8199b87d>] sock_create+0x64/0x6f /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1345
 [<ffffffff8199b923>] SYSC_socket+0x5a/0xfe /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1375
 [<ffffffff8199f589>] SyS_socket+0x2f/0x31 /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1355
 [<ffffffff81b5e41c>] system_call_fastpath+0x1c/0x21 /mnt/host/source/src/third_party/kernel/v3.18/arch/x86/kernel/entry_64.S:436
Deallocation:
PID = 15810
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 /mnt/host/source/src/third_party/kernel/v3.18/arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c6109>] save_stack+0x46/0xce /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:450
 [<     inline     >] set_track /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:462
 [<ffffffff811c6d57>] kasan_slab_free+0x62/0x7e /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:501
 [<ffffffff811c4ce8>] __cache_free.isra.51+0x37/0x138 /mnt/host/source/src/third_party/kernel/v3.18/mm/slab.c:3345
 [<ffffffff811c4e23>] kmem_cache_free+0x3a/0x81 /mnt/host/source/src/third_party/kernel/v3.18/mm/slab.c:3537
 [<     inline     >] sk_prot_free /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:1336
 [<ffffffff819a4e9f>] __sk_free+0x1fb/0x21f /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:1409
 [<ffffffff819a4ef3>] sk_free+0x30/0x39 /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:1420
 [<ffffffff819a4f24>] sock_put+0x28/0x31 /mnt/host/source/src/third_party/kernel/v3.18/include/net/sock.h:1664
 [<ffffffff819a5459>] sk_common_release+0x19c/0x1a4 /mnt/host/source/src/third_party/kernel/v3.18/net/core/sock.c:2588
 [<ffffffff81b18d0a>] rawv6_close+0x41/0x45 /mnt/host/source/src/third_party/kernel/v3.18/net/ipv6/raw.c:1173
 [<ffffffff81a9531c>] inet_release+0x12f/0x142 /mnt/host/source/src/third_party/kernel/v3.18/net/ipv4/af_inet.c:431
 [<ffffffff81ae7681>] inet6_release+0x4c/0x5e /mnt/host/source/src/third_party/kernel/v3.18/net/ipv6/af_inet6.c:420
 [<ffffffff8199b3c3>] sock_release+0x53/0x112 /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:574
 [<ffffffff8199b49e>] sock_close+0x1c/0x22 /mnt/host/source/src/third_party/kernel/v3.18/net/socket.c:1158
 [<ffffffff811cfaaa>] __fput+0x1c9/0x321 /mnt/host/source/src/third_party/kernel/v3.18/fs/file_table.c:208
 [<ffffffff811cfc71>] ____fput+0x1f/0x21 /mnt/host/source/src/third_party/kernel/v3.18/fs/file_table.c:244
 [<ffffffff8108bab0>] task_work_run+0xf9/0x12c /mnt/host/source/src/third_party/kernel/v3.18/kernel/task_work.c:123
 [<     inline     >] exit_task_work /mnt/host/source/src/third_party/kernel/v3.18/include/linux/task_work.h:21
 [<ffffffff810658cc>] do_exit+0x6a4/0x11f6 /mnt/host/source/src/third_party/kernel/v3.18/kernel/exit.c:762
 [<ffffffff81067f03>] do_group_exit+0x9d/0x184 /mnt/host/source/src/third_party/kernel/v3.18/kernel/exit.c:892
 [<     inline     >] SYSC_exit_group /mnt/host/source/src/third_party/kernel/v3.18/kernel/exit.c:903
 [<ffffffff8106800d>] __wake_up_parent+0x0/0x45 /mnt/host/source/src/third_party/kernel/v3.18/kernel/exit.c:901
 [<ffffffff81b5e41c>] system_call_fastpath+0x1c/0x21 /mnt/host/source/src/third_party/kernel/v3.18/arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff880025b17480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff880025b17500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff880025b17580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff880025b17600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880025b17680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

This bug has been reported by Dmitry at https://lkml.org/lkml/2015/12/16/568 and fixed by Cong Wang's https://github.com/torvalds/linux/commit/ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1
Attachment: oob-38.c (705 bytes)
Comment 1 by bugdroid1@chromium.org (Project Member), Jun 22 2016

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9e59f3d75e19fe49369ce88f128c3d5bac5b8d01

commit 9e59f3d75e19fe49369ce88f128c3d5bac5b8d01
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date: Thu Dec 17 07:39:04 2015

UPSTREAM: net: check both type and protocol for tcp sockets

Dmitry reported the following out-of-bound access:

Call Trace:
 [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
 [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
 [<     inline     >] SYSC_setsockopt net/socket.c:1746
 [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
 [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

This is because we mistake a raw socket as a tcp socket.
We should check both sk->sk_type and sk->sk_protocol to ensure
it is a tcp socket.

Willem points out __skb_complete_tx_timestamp() needs to be fixed as well.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

BUG=chromium:621977
TEST=no KASAN report

(cherry picked from commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1)
Signed-off-by: Alexander Potapenko <glider@google.com>

Change-Id: I8ca9202bd8707afd52667c11811dee3bbdd869b6
Reviewed-on: https://chromium-review.googlesource.com/354411
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>

[modify] https://crrev.com/9e59f3d75e19fe49369ce88f128c3d5bac5b8d01/net/core/skbuff.c
[modify] https://crrev.com/9e59f3d75e19fe49369ce88f128c3d5bac5b8d01/net/core/sock.c

Components: OS>Kernel
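The type/protocol confusion the commit describes, as an added userspace model (not the kernel's code and not the attached oob-38.c): the struct names, their sizes and the tsoffset field are assumptions standing in for the real layouts, chosen so that the raw object is smaller than the TCP one, as the RAWv6 cache object in the report is.

```c
/* Added userspace model of the bug fixed by ac5cc977991d (not kernel code):
 * struct names, sizes and the tsoffset field are assumed stand-ins. */

#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define SOCK_STREAM 1
#define SOCK_RAW    3
#define IPPROTO_TCP 6
struct sock {                 /* header shared by all protocol sockets */
    int sk_type;              /* SOCK_STREAM, SOCK_RAW, ... */
    int sk_protocol;          /* IPPROTO_TCP, ... */
};
struct raw6_sock {            /* small object (RAWv6 cache in the report) */
    struct sock sk;
    int checksum;
};
struct tcp_sock {             /* large object with TCP-only state */
    struct sock sk;
    unsigned char tcp_state[64];  /* assumed filler for TCP fields */
    unsigned int tsoffset;        /* read by the SO_TIMESTAMPING path */
};

/* Before the fix: protocol alone decided that tcp_sk(sk) was valid. */
static bool is_tcp_before_fix(const struct sock *sk)
{
    return sk->sk_protocol == IPPROTO_TCP;
}
/* After the fix: both type and protocol must say TCP. */
static bool is_tcp_after_fix(const struct sock *sk)
{
    return sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM;
}
/* Does reading tcp_sock.tsoffset reach past an object of this size? */
static bool tsoffset_overruns(size_t object_size)
{
    return offsetof(struct tcp_sock, tsoffset) + sizeof(unsigned int) > object_size;
}

int main(void)
{
    /* Constructed case: socket(AF_INET6, SOCK_RAW, IPPROTO_TCP). */
    struct raw6_sock raw = { { SOCK_RAW, IPPROTO_TCP }, 0 };
    printf("before fix: is TCP? %d\n", is_tcp_before_fix(&raw.sk));
    printf("after fix:  is TCP? %d\n", is_tcp_after_fix(&raw.sk));
    printf("tsoffset read past %zu-byte raw object: %d\n",
           sizeof raw, tsoffset_overruns(sizeof raw));
    return 0;
}
```

A raw socket opened with IPPROTO_TCP passes the old check and the tsoffset read lands beyond the raw object, into whatever neighbours it in the slab; with the type check added, only a SOCK_STREAM socket reaches the TCP-specific code.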
