Thread (1 message) 1 message, 1 author, 2021-07-17

Re: [syzbot] KASAN: use-after-free Write in sctp_auth_shkey_hold

From: Xin Long <lucien.xin@gmail.com>
Date: 2021-07-17 18:13:26
Also in: linux-sctp, lkml 

On Sat, Jul 17, 2021 at 12:57 AM Hillf Danton [off-list ref] wrote:
On Fri, 16 Jul 2021 16:01:01 -0400 Xin Long wrote:
quoted
On Mon, Jul 12, 2021 at 12:46 AM syzbot wrote:
quoted
Hello,

syzbot found the following issue on:

HEAD commit:    5e437416 Merge branch 'dsa-mv88e6xxx-topaz-fixes'
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14503bac300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4cb84363d46e9fc3
dashboard link: https://syzkaller.appspot.com/bug?extid=b774577370208727d12b

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:111 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
Write of size 4 at addr ffff88802053ad58 by task syz-executor.1/31590

CPU: 0 PID: 31590 Comm: syz-executor.1 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:96
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:111 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
 sctp_set_owner_w net/sctp/socket.c:131 [inline]
1)      datamsg = sctp_datamsg_from_user(asoc, sinfo, &msg->msg_iter);

Chunks are built with sock lock held(lock_sock(sk);).
quoted
quoted
 sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
 sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
 sock_sendmsg_nosec net/socket.c:702 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:722
 ____sys_sendmsg+0x331/0x810 net/socket.c:2385
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2439
 __sys_sendmmsg+0x195/0x470 net/socket.c:2525
 __do_sys_sendmmsg net/socket.c:2554 [inline]
 __se_sys_sendmmsg net/socket.c:2551 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2551
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f679ad9b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000002 RSI: 0000000020002340 RDI: 0000000000000003
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc95431f0f R14: 00007f679ad9b300 R15: 0000000000022000

Allocated by task 31590:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 sctp_auth_shkey_create+0x85/0x1f0 net/sctp/auth.c:84
 sctp_auth_asoc_copy_shkeys+0x1e8/0x350 net/sctp/auth.c:363
 sctp_association_init net/sctp/associola.c:257 [inline]
 sctp_association_new+0x1829/0x2250 net/sctp/associola.c:298
 sctp_connect_new_asoc+0x1ac/0x770 net/sctp/socket.c:1088
 __sctp_connect+0x3d0/0xc30 net/sctp/socket.c:1194
 sctp_connect net/sctp/socket.c:4804 [inline]
 sctp_inet_connect+0x15e/0x200 net/sctp/socket.c:4819
 __sys_connect_file+0x155/0x1a0 net/socket.c:1872
 __sys_connect+0x161/0x190 net/socket.c:1889
 __do_sys_connect net/socket.c:1899 [inline]
 __se_sys_connect net/socket.c:1896 [inline]
 __x64_sys_connect+0x6f/0xb0 net/socket.c:1896
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 31590:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:229 [inline]
 slab_free_hook mm/slub.c:1639 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1664
 slab_free mm/slub.c:3224 [inline]
 kfree+0xeb/0x670 mm/slub.c:4268
 sctp_auth_shkey_destroy net/sctp/auth.c:101 [inline]
 sctp_auth_shkey_release+0x100/0x160 net/sctp/auth.c:107
 sctp_auth_set_key+0x508/0x6d0 net/sctp/auth.c:862
It seems caused by not updating asoc->shkey when the old key is being deleted:
Nope, see 1) and 2).
It's not about lock protection.

asoc->shkey became invalid after 'shkey' (== asoc->shkey)  is released
in sctp_auth_set_key() and all chunks freed its shkey.
the crash is triggered by this invalid asoc->shkey used.

We should fix it by updating asoc->shkey when it's being released,
more accurately:

@@ -860,6 +860,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
        if (replace) {
                list_del_init(&shkey->key_list);
                sctp_auth_shkey_release(shkey);
+               if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+                       sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
        }

quoted
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 6f8319b..d095247 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -858,6 +858,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
       cur_key->key = key;

       if (replace) {
+               if (asoc && asoc->shkey == shkey)
+                       asoc->shkey = cur_key;
               list_del_init(&shkey->key_list);
               sctp_auth_shkey_release(shkey);
       }

quoted
 sctp_setsockopt_auth_key net/sctp/socket.c:3643 [inline]
2)  lock_sock(sk);

quoted
quoted
 sctp_setsockopt+0x4919/0xa5e0 net/sctp/socket.c:4682
 __sys_setsockopt+0x2db/0x610 net/socket.c:2152
 __do_sys_setsockopt net/socket.c:2163 [inline]
 __se_sys_setsockopt net/socket.c:2160 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2160
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
  




  

    Related discussions
    
  




    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help