iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Fedor Pchelkin 9f16eb106a can: j1939: avoid possible use-after-free when j1939_can_rx_register fails 
Syzkaller reports the following failure:

BUG: KASAN: use-after-free in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: use-after-free in j1939_priv_put+0x25/0xa0 net/can/j1939/main.c:172
Write of size 4 at addr ffff888141c15058 by task swapper/3/0

CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.10.144-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x167 lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x145/0x190 mm/kasan/generic.c:192
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 j1939_priv_put+0x25/0xa0 net/can/j1939/main.c:172
 j1939_sk_sock_destruct+0x44/0x90 net/can/j1939/socket.c:374
 __sk_destruct+0x4e/0x820 net/core/sock.c:1784
 rcu_do_batch kernel/rcu/tree.c:2485 [inline]
 rcu_core+0xb35/0x1a30 kernel/rcu/tree.c:2726
 __do_softirq+0x289/0x9a3 kernel/softirq.c:298
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xe0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x136/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1095
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635

Allocated by task 1141:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 j1939_priv_create net/can/j1939/main.c:131 [inline]
 j1939_netdev_start+0x111/0x860 net/can/j1939/main.c:268
 j1939_sk_bind+0x8ea/0xd30 net/can/j1939/socket.c:485
 __sys_bind+0x1f2/0x260 net/socket.c:1645
 __do_sys_bind net/socket.c:1656 [inline]
 __se_sys_bind net/socket.c:1654 [inline]
 __x64_sys_bind+0x6f/0xb0 net/socket.c:1654
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

Freed by task 1141:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x112/0x170 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1542 [inline]
 slab_free_freelist_hook+0xad/0x190 mm/slub.c:1576
 slab_free mm/slub.c:3149 [inline]
 kfree+0xd9/0x3b0 mm/slub.c:4125
 j1939_netdev_start+0x5ee/0x860 net/can/j1939/main.c:300
 j1939_sk_bind+0x8ea/0xd30 net/can/j1939/socket.c:485
 __sys_bind+0x1f2/0x260 net/socket.c:1645
 __do_sys_bind net/socket.c:1656 [inline]
 __se_sys_bind net/socket.c:1654 [inline]
 __x64_sys_bind+0x6f/0xb0 net/socket.c:1654
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

It can be caused by this scenario:

CPU0					CPU1
j1939_sk_bind(socket0, ndev0, ...)
  j1939_netdev_start()
					j1939_sk_bind(socket1, ndev0, ...)
                                          j1939_netdev_start()
  mutex_lock(&j1939_netdev_lock)
  j1939_priv_set(ndev0, priv)
  mutex_unlock(&j1939_netdev_lock)
					  if (priv_new)
					    kref_get(&priv_new->rx_kref)
					    return priv_new;
					  /* inside j1939_sk_bind() */
					  jsk->priv = priv
  j1939_can_rx_register(priv) // fails
  j1939_priv_set(ndev, NULL)
  kfree(priv)
					j1939_sk_sock_destruct()
					j1939_priv_put() // <- uaf

To avoid this, call j1939_can_rx_register() under j1939_netdev_lock so
that a concurrent thread cannot process j1939_priv before
j1939_can_rx_register() returns.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20230526171910.227615-3-pchelkin@ispras.ru
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2023-06-05 08:26:40 +02:00
..
6lowpan
6lowpan: Remove redundant initialisation.
2023-03-29 08:22:52 +01:00
9p
Including fixes from netfilter.
2023-05-05 19:12:01 -07:00
802
8021q
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
2023-05-17 12:55:39 +01:00
appletalk
atm
atm: hide unused procfs functions
2023-05-17 21:27:30 -07:00
ax25
batman-adv
net: vlan: introduce skb_vlan_eth_hdr()
2023-04-23 14:16:44 +01:00
bluetooth
Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
2023-05-19 15:37:45 -07:00
bpf
bpf: add test_run support for netfilter program type
2023-04-21 11:34:50 -07:00
bpfilter
bridge
bridge: always declare tunnel functions
2023-05-17 21:28:58 -07:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-02 22:22:07 -08:00
can
can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
2023-06-05 08:26:40 +02:00
ceph
Networking changes for 6.3.
2023-02-21 18:24:12 -08:00
core
rtnetlink: add the missing IFLA_GRO_ tb check in validate_linkmsg
2023-06-01 09:59:44 -07:00
dcb
dccp
netfilter: keep conntrack reference until IPsecv6 policy checks are done
2023-03-22 21:50:23 +01:00
devlink
devlink: Fix crash with CONFIG_NET_NS=n
2023-05-16 19:57:52 -07:00
dns_resolver
dsa
net: dsa: tag_ocelot: call only the relevant portion of __skb_vlan_pop() on TX
2023-04-23 14:16:45 +01:00
ethernet
ethtool
ethtool: Fix uninitialized number of lanes
2023-05-03 09:13:20 +01:00
handshake
net/handshake: Enable the SNI extension to work properly
2023-05-24 22:05:24 -07:00
hsr
hsr: ratelimit only when errors are printed
2023-03-16 21:11:03 -07:00
ieee802154
net: ieee802154: remove an unnecessary null pointer check
2023-03-17 09:13:53 +01:00
ife
ipv4
net/ipv4: ping_group_range: allow GID from 2147483648 to 4294967294
2023-06-02 09:55:22 +01:00
ipv6
net/ipv6: convert skip_notify_on_dev_down sysctl to u8
2023-06-02 22:55:43 -07:00
iucv
net/iucv: Fix size of interrupt data
2023-03-16 17:34:40 -07:00
kcm
net/sock: Introduce trace_sk_data_ready()
2023-01-23 11:26:50 +00:00
key
af_key: Reject optional tunnel/BEET mode templates in outbound policies
2023-05-10 07:04:51 +02:00
l2tp
l2tp: generate correct module alias strings
2023-03-31 09:25:12 +01:00
l3mdev
lapb
llc
net: deal with most data-races in sk_wait_event()
2023-05-10 10:03:32 +01:00
mac80211
wifi: mac80211: recalc chanctx mindef before assigning
2023-05-16 10:26:00 -07:00
mac802154
mac802154: Rename kfree_rcu() to kvfree_rcu_mightsleep()
2023-04-05 13:48:04 +00:00
mctp
mctp: remove MODULE_LICENSE in non-modules
2023-03-09 23:06:21 -08:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-15 10:26:37 +00:00
mptcp
mptcp: fix active subflow finalization
2023-06-01 10:04:04 -07:00
ncsi
net/ncsi: clear Tx enable mode when handling a Config required AEN
2023-04-28 09:35:33 +01:00
netfilter
netfilter: nft_set_rbtree: fix null deref on element insertion
2023-05-17 14:18:28 +02:00
netlabel
netlink
net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
2023-05-31 00:02:24 -07:00
netrom
netrom: fix info-leak in nr_write_internal()
2023-05-25 21:02:29 -07:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-07 13:37:05 -08:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-15 08:40:27 +01:00
openvswitch
net: openvswitch: fix race on port output
2023-04-07 19:42:53 -07:00
packet
af_packet: do not use READ_ONCE() in packet_bind()
2023-05-29 22:03:48 -07:00
phonet
net/sock: Introduce trace_sk_data_ready()
2023-01-23 11:26:50 +00:00
psample
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-13 09:35:30 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-02-13 09:33:39 +00:00
rfkill
net: rfkill-gpio: Add explicit include for of.h
2023-04-06 20:36:27 +02:00
rose
net/rose: Fix to not accept on connected socket
2023-01-28 00:19:57 -08:00
rxrpc
rxrpc: Truncate UTS_RELEASE for rxrpc version
2023-05-30 10:01:06 +02:00
sched
net: sched: wrap tc_skip_wrapper with CONFIG_RETPOLINE
2023-06-04 15:49:06 +01:00
sctp
sctp: fix an issue that plpmtu can never go to complete state
2023-05-22 11:05:20 +01:00
smc
net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT
2023-06-03 20:51:04 +01:00
strparser
sunrpc
NFS Client Bugfixes for Linux 6.4-rc
2023-05-22 12:01:13 -07:00
switchdev
tipc
tipc: check the bearer min mtu properly when setting it by netlink
2023-05-15 10:21:20 +01:00
tls
tls: improve lockless access safety of tls_err_abort()
2023-05-26 10:35:58 +01:00
unix
bpf, sockmap: Pass skb ownership through read_skb
2023-05-23 16:09:47 +02:00
vmw_vsock
bpf, sockmap: Pass skb ownership through read_skb
2023-05-23 16:09:47 +02:00
wireless
wifi: cfg80211: Drop entries with invalid BSSIDs in RNR
2023-05-16 10:09:50 -07:00
x25
net/x25: Fix to not accept on connected socket
2023-01-25 09:51:04 +00:00
xdp
bpf-next-for-netdev
2023-04-13 16:43:38 -07:00
xfrm
ipsec-2023-05-16
2023-05-16 20:52:35 -07:00
compat.c
net/compat: Update msg_control_is_user when setting a kernel pointer
2023-04-14 11:09:27 +01:00
devres.c
Kconfig
net/handshake: Add Kunit tests for the handshake consumer API
2023-04-19 18:48:48 -07:00
Kconfig.debug
Makefile
net/handshake: Create a NETLINK service for handling handshake requests
2023-04-19 18:48:48 -07:00
socket.c
net: annotate sk->sk_err write from do_recvmmsg()
2023-05-10 09:58:29 +01:00
sysctl_net.c