From patchwork Wed Dec 13 01:57:36 2017
X-Patchwork-Submitter: "Levin, Alexander \(Sasha Levin\)"
X-Patchwork-Id: 121714
From: alexander.levin@verizon.com
Cc: Mark Rutland, Alexey Kuznetsov, "David S . Miller", "Hideaki YOSHIFUJI", James Morris, Patrick McHardy, "netdev@vger.kernel.org", alexander.levin@verizon.com
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: [PATCH AUTOSEL for 4.9 057/100] net: ipconfig: fix ic_close_devs() use-after-free
Date: Wed, 13 Dec 2017 01:57:36 +0000
Message-ID: <20171213015722.6722-32-alexander.levin@verizon.com>
References: <20171213015722.6722-1-alexander.levin@verizon.com>
In-Reply-To: <20171213015722.6722-1-alexander.levin@verizon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mark Rutland

[ Upstream commit ffefb6f4d6ad699a2b5484241bc46745a53235d0 ]

Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
free it before attempting to close others. When we compare d->dev and
ic_dev->dev, we're potentially dereferencing memory returned to the
allocator. This causes KASAN to scream for each subsequent ic_dev we
check.

As there's a 1-1 mapping between ic_devs and netdevs, we can instead
compare d and ic_dev directly, which implicitly handles the !ic_dev
case, and avoids the use-after-free. The ic_dev pointer may be stale,
but we will not dereference it.

Original splat:

[    6.487446] ==================================================================
[    6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr ffff800367efa708
[    6.503013] Read of size 8 by task swapper/0/1
[    6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc3-00002-gda42158 #8
[    6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 3.05.05-beta_rc Jan 27 2016
[    6.523138] Call trace:
[    6.525590] [] dump_backtrace+0x0/0x570
[    6.530976] [] show_stack+0x20/0x30
[    6.536017] [] dump_stack+0x120/0x188
[    6.541231] [] kasan_object_err+0x24/0xa0
[    6.546790] [] kasan_report_error+0x244/0x738
[    6.552695] [] __asan_report_load8_noabort+0x54/0x80
[    6.559204] [] ic_close_devs+0xc4/0x154
[    6.564590] [] ip_auto_config+0x2ed4/0x2f1c
[    6.570321] [] do_one_initcall+0xcc/0x370
[    6.575882] [] kernel_init_freeable+0x5f8/0x6c4
[    6.581959] [] kernel_init+0x18/0x190
[    6.587171] [] ret_from_fork+0x10/0x40
[    6.592468] Object at ffff800367efa700, in cache kmalloc-128 size: 128
[    6.598969] Allocated:
[    6.601324] PID = 1
[    6.603427]  save_stack_trace_tsk+0x0/0x418
[    6.607603]  save_stack_trace+0x20/0x30
[    6.611430]  kasan_kmalloc+0xd8/0x188
[    6.615087]  ip_auto_config+0x8c4/0x2f1c
[    6.619002]  do_one_initcall+0xcc/0x370
[    6.622832]  kernel_init_freeable+0x5f8/0x6c4
[    6.627178]  kernel_init+0x18/0x190
[    6.630660]  ret_from_fork+0x10/0x40
[    6.634223] Freed:
[    6.636233] PID = 1
[    6.638334]  save_stack_trace_tsk+0x0/0x418
[    6.642510]  save_stack_trace+0x20/0x30
[    6.646337]  kasan_slab_free+0x88/0x178
[    6.650167]  kfree+0xb8/0x478
[    6.653131]  ic_close_devs+0x130/0x154
[    6.656875]  ip_auto_config+0x2ed4/0x2f1c
[    6.660875]  do_one_initcall+0xcc/0x370
[    6.664705]  kernel_init_freeable+0x5f8/0x6c4
[    6.669051]  kernel_init+0x18/0x190
[    6.672534]  ret_from_fork+0x10/0x40
[    6.676098] Memory state around the buggy address:
[    6.680880]  ffff800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    6.688078]  ffff800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    6.695276] >ffff800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    6.702469]                       ^
[    6.705952]  ffff800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    6.713149]  ffff800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    6.720343] ==================================================================
[    6.727536] Disabling lock debugging due to kernel taint

Signed-off-by: Mark Rutland
Cc: Alexey Kuznetsov
Cc: David S. Miller
Cc: Hideaki YOSHIFUJI
Cc: James Morris
Cc: Patrick McHardy
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/ipv4/ipconfig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.11.0

diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c index 071a785c65eb..b23464d9c538 100644 --- a/net/ipv4/ipconfig.c +++ b/net/ipv4/ipconfig.c @@ -306,7 +306,7 @@ static void __init ic_close_devs(void) while ((d = next)) { next = d->next; dev = d->dev; - if ((!ic_dev || dev != ic_dev->dev) && !netdev_uses_dsa(dev)) { + if (d != ic_dev && !netdev_uses_dsa(dev)) { pr_debug("IP-Config: Downing %s\n", dev->name); dev_change_flags(dev, d->flags); }
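Review bot: The new condition `d != ic_dev` leaves ic_dev as a possibly dangling pointer for the rest of the list walk, and nothing at the comparison says so. The commit message's remark that the pointer may be stale but is never dereferenced deserves a one-line comment above the `if`, so that a later change does not reintroduce an `ic_dev->dev` access at this point. The check also relies on every list entry's address staying unique for the duration of the walk, which holds only if nothing allocates a new entry while earlier ones are being freed; that is worth confirming against the remainder of the loop, which lies outside this hunk.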