Revision 9cc02ede696272c5271a401e4f27c262359bc2f6 authored by Duoming Zhou on 29 June 2022, 00:26:40 UTC, committed by Paolo Abeni on 30 June 2022, 09:07:30 UTC
There are UAF bugs in rose_heartbeat_expiry(), rose_timer_expiry() and rose_idletimer_expiry(). The root cause is that del_timer() could not stop the timer handler that is running and the refcount of sock is not managed properly. One of the UAF bugs is shown below: (thread 1) | (thread 2) | rose_bind | rose_connect | rose_start_heartbeat rose_release | (wait a time) case ROSE_STATE_0 | rose_destroy_socket | rose_heartbeat_expiry rose_stop_heartbeat | sock_put(sk) | ... sock_put(sk) // FREE | | bh_lock_sock(sk) // USE The sock is deallocated by sock_put() in rose_release() and then used by bh_lock_sock() in rose_heartbeat_expiry(). Although rose_destroy_socket() calls rose_stop_heartbeat(), it could not stop the timer that is running. The KASAN report triggered by POC is shown below: BUG: KASAN: use-after-free in _raw_spin_lock+0x5a/0x110 Write of size 4 at addr ffff88800ae59098 by task swapper/3/0 ... Call Trace: <IRQ> dump_stack_lvl+0xbf/0xee print_address_description+0x7b/0x440 print_report+0x101/0x230 ? irq_work_single+0xbb/0x140 ? _raw_spin_lock+0x5a/0x110 kasan_report+0xed/0x120 ? _raw_spin_lock+0x5a/0x110 kasan_check_range+0x2bd/0x2e0 _raw_spin_lock+0x5a/0x110 rose_heartbeat_expiry+0x39/0x370 ? rose_start_heartbeat+0xb0/0xb0 call_timer_fn+0x2d/0x1c0 ? rose_start_heartbeat+0xb0/0xb0 expire_timers+0x1f3/0x320 __run_timers+0x3ff/0x4d0 run_timer_softirq+0x41/0x80 __do_softirq+0x233/0x544 irq_exit_rcu+0x41/0xa0 sysvec_apic_timer_interrupt+0x8c/0xb0 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1b/0x20 RIP: 0010:default_idle+0xb/0x10 RSP: 0018:ffffc9000012fea0 EFLAGS: 00000202 RAX: 000000000000bcae RBX: ffff888006660f00 RCX: 000000000000bcae RDX: 0000000000000001 RSI: ffffffff843a11c0 RDI: ffffffff843a1180 RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed100da36d46 R10: dfffe9100da36d47 R11: ffffffff83cf0950 R12: 0000000000000000 R13: 1ffff11000ccc1e0 R14: ffffffff8542af28 R15: dffffc0000000000 ... Allocated by task 146: __kasan_kmalloc+0xc4/0xf0 sk_prot_alloc+0xdd/0x1a0 sk_alloc+0x2d/0x4e0 rose_create+0x7b/0x330 __sock_create+0x2dd/0x640 __sys_socket+0xc7/0x270 __x64_sys_socket+0x71/0x80 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 152: kasan_set_track+0x4c/0x70 kasan_set_free_info+0x1f/0x40 ____kasan_slab_free+0x124/0x190 kfree+0xd3/0x270 __sk_destruct+0x314/0x460 rose_release+0x2fa/0x3b0 sock_close+0xcb/0x230 __fput+0x2d9/0x650 task_work_run+0xd6/0x160 exit_to_user_mode_loop+0xc7/0xd0 exit_to_user_mode_prepare+0x4e/0x80 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x4f/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This patch adds refcount of sock when we use functions such as rose_start_heartbeat() and so on to start timer, and decreases the refcount of sock when timer is finished or deleted by functions such as rose_stop_heartbeat() and so on. As a result, the UAF bugs could be mitigated. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Tested-by: Duoming Zhou <duoming@zju.edu.cn> Link: https://lore.kernel.org/r/20220629002640.5693-1-duoming@zju.edu.cn Signed-off-by: Paolo Abeni <pabeni@redhat.com>
1 parent f8ebb3a
sg_pool.c
// SPDX-License-Identifier: GPL-2.0-only
#include <linux/module.h>
#include <linux/scatterlist.h>
#include <linux/mempool.h>
#include <linux/slab.h>
#define SG_MEMPOOL_NR ARRAY_SIZE(sg_pools)
#define SG_MEMPOOL_SIZE 2
struct sg_pool {
size_t size;
char *name;
struct kmem_cache *slab;
mempool_t *pool;
};
#define SP(x) { .size = x, "sgpool-" __stringify(x) }
#if (SG_CHUNK_SIZE < 32)
#error SG_CHUNK_SIZE is too small (must be 32 or greater)
#endif
static struct sg_pool sg_pools[] = {
SP(8),
SP(16),
#if (SG_CHUNK_SIZE > 32)
SP(32),
#if (SG_CHUNK_SIZE > 64)
SP(64),
#if (SG_CHUNK_SIZE > 128)
SP(128),
#if (SG_CHUNK_SIZE > 256)
#error SG_CHUNK_SIZE is too large (256 MAX)
#endif
#endif
#endif
#endif
SP(SG_CHUNK_SIZE)
};
#undef SP
static inline unsigned int sg_pool_index(unsigned short nents)
{
unsigned int index;
BUG_ON(nents > SG_CHUNK_SIZE);
if (nents <= 8)
index = 0;
else
index = get_count_order(nents) - 3;
return index;
}
static void sg_pool_free(struct scatterlist *sgl, unsigned int nents)
{
struct sg_pool *sgp;
sgp = sg_pools + sg_pool_index(nents);
mempool_free(sgl, sgp->pool);
}
static struct scatterlist *sg_pool_alloc(unsigned int nents, gfp_t gfp_mask)
{
struct sg_pool *sgp;
sgp = sg_pools + sg_pool_index(nents);
return mempool_alloc(sgp->pool, gfp_mask);
}
/**
* sg_free_table_chained - Free a previously mapped sg table
* @table: The sg table header to use
* @nents_first_chunk: size of the first_chunk SGL passed to
* sg_alloc_table_chained
*
* Description:
* Free an sg table previously allocated and setup with
* sg_alloc_table_chained().
*
* @nents_first_chunk has to be same with that same parameter passed
* to sg_alloc_table_chained().
*
**/
void sg_free_table_chained(struct sg_table *table,
unsigned nents_first_chunk)
{
if (table->orig_nents <= nents_first_chunk)
return;
if (nents_first_chunk == 1)
nents_first_chunk = 0;
__sg_free_table(table, SG_CHUNK_SIZE, nents_first_chunk, sg_pool_free,
table->orig_nents);
}
EXPORT_SYMBOL_GPL(sg_free_table_chained);
/**
* sg_alloc_table_chained - Allocate and chain SGLs in an sg table
* @table: The sg table header to use
* @nents: Number of entries in sg list
* @first_chunk: first SGL
* @nents_first_chunk: number of the SGL of @first_chunk
*
* Description:
* Allocate and chain SGLs in an sg table. If @nents@ is larger than
* @nents_first_chunk a chained sg table will be setup. @first_chunk is
* ignored if nents_first_chunk <= 1 because user expects the SGL points
* non-chain SGL.
*
**/
int sg_alloc_table_chained(struct sg_table *table, int nents,
struct scatterlist *first_chunk, unsigned nents_first_chunk)
{
int ret;
BUG_ON(!nents);
if (first_chunk && nents_first_chunk) {
if (nents <= nents_first_chunk) {
table->nents = table->orig_nents = nents;
sg_init_table(table->sgl, nents);
return 0;
}
}
/* User supposes that the 1st SGL includes real entry */
if (nents_first_chunk <= 1) {
first_chunk = NULL;
nents_first_chunk = 0;
}
ret = __sg_alloc_table(table, nents, SG_CHUNK_SIZE,
first_chunk, nents_first_chunk,
GFP_ATOMIC, sg_pool_alloc);
if (unlikely(ret))
sg_free_table_chained(table, nents_first_chunk);
return ret;
}
EXPORT_SYMBOL_GPL(sg_alloc_table_chained);
static __init int sg_pool_init(void)
{
int i;
for (i = 0; i < SG_MEMPOOL_NR; i++) {
struct sg_pool *sgp = sg_pools + i;
int size = sgp->size * sizeof(struct scatterlist);
sgp->slab = kmem_cache_create(sgp->name, size, 0,
SLAB_HWCACHE_ALIGN, NULL);
if (!sgp->slab) {
printk(KERN_ERR "SG_POOL: can't init sg slab %s\n",
sgp->name);
goto cleanup_sdb;
}
sgp->pool = mempool_create_slab_pool(SG_MEMPOOL_SIZE,
sgp->slab);
if (!sgp->pool) {
printk(KERN_ERR "SG_POOL: can't init sg mempool %s\n",
sgp->name);
goto cleanup_sdb;
}
}
return 0;
cleanup_sdb:
for (i = 0; i < SG_MEMPOOL_NR; i++) {
struct sg_pool *sgp = sg_pools + i;
mempool_destroy(sgp->pool);
kmem_cache_destroy(sgp->slab);
}
return -ENOMEM;
}
static __exit void sg_pool_exit(void)
{
int i;
for (i = 0; i < SG_MEMPOOL_NR; i++) {
struct sg_pool *sgp = sg_pools + i;
mempool_destroy(sgp->pool);
kmem_cache_destroy(sgp->slab);
}
}
module_init(sg_pool_init);
module_exit(sg_pool_exit);
Computing file changes ...