Skip to main content

Browse the archive

Revision d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae authored by Kuniyuki Iwashima on 01 April 2024, 21:10:04 UTC, committed by Jakub Kicinski on 03 April 2024, 02:10:57 UTC 
ipv6: Fix infinite recursion in fib6_dump_done().
 
syzkaller reported infinite recursive calls of fib6_dump_done() during
netlink socket destruction.  [1]

From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
the response was generated.  The following recvmmsg() resumed the dump
for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
to the fault injection.  [0]

  12:01:34 executing program 3:
  r0 = socket$nl_route(0x10, 0x3, 0x0)
  sendmsg$nl_route(r0, ... snip ...)
  recvmmsg(r0, ... snip ...) (fail_nth: 8)

Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped
receiving the response halfway through, and finally netlink_sock_destruct()
called nlk_sk(sk)->cb.done().

fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
is still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
itself recursively and hitting the stack guard page.

To avoid the issue, let's set the destructor after kzalloc().

[0]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:117)
 should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
 should_failslab (mm/slub.c:3733)
 kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
 inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
 rtnl_dump_all (net/core/rtnetlink.c:4029)
 netlink_dump (net/netlink/af_netlink.c:2269)
 netlink_recvmsg (net/netlink/af_netlink.c:1988)
 ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
 ___sys_recvmsg (net/socket.c:2846)
 do_recvmmsg (net/socket.c:2943)
 __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)

[1]:
BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <#DF>
 </#DF>
 <TASK>
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 ...
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 netlink_sock_destruct (net/netlink/af_netlink.c:401)
 __sk_destruct (net/core/sock.c:2177 (discriminator 2))
 sk_destruct (net/core/sock.c:2224)
 __sk_free (net/core/sock.c:2235)
 sk_free (net/core/sock.c:2246)
 process_one_work (kernel/workqueue.c:3259)
 worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
 kthread (kernel/kthread.c:388)
 ret_from_fork (arch/x86/kernel/process.c:153)
 ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
Modules linked in:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 5d872c9
Raw File
objdiff 
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0-only

# objdiff - a small script for validating that a commit or series of commits
# didn't change object code.
#
# Copyright 2014, Jason Cooper <jason@lakedaemon.net>
#

# usage example:
#
# $ git checkout COMMIT_A
# $ <your fancy build command here>
# $ ./scripts/objdiff record path/to/*.o
#
# $ git checkout COMMIT_B
# $ <your fancy build command here>
# $ ./scripts/objdiff record path/to/*.o
#
# $ ./scripts/objdiff diff COMMIT_A COMMIT_B
# $

# And to clean up (everything is in .objdiff/*)
# $ ./scripts/objdiff clean all
#
# Note: 'make mrproper' will also remove .objdiff

SRCTREE=$(cd $(git rev-parse --show-toplevel 2>/dev/null); pwd)

if [ -z "$SRCTREE" ]; then
	echo >&2 "ERROR: Not a git repository."
	exit 1
fi

TMPD=$SRCTREE/.objdiff

usage() {
	echo >&2 "Usage: $0 <command> <args>"
	echo >&2 "  record    <list of object files or directories>"
	echo >&2 "  diff      <commitA> <commitB>"
	echo >&2 "  clean     all | <commit>"
	exit 1
}

get_output_dir() {
	dir=${1%/*}

	if [ "$dir" = "$1" ]; then
		dir=.
	fi

	dir=$(cd $dir; pwd)

	echo $TMPD/$CMT${dir#$SRCTREE}
}

do_objdump() {
	dir=$(get_output_dir $1)
	base=${1##*/}
	stripped=$dir/${base%.o}.stripped
	dis=$dir/${base%.o}.dis

	[ ! -d "$dir" ] && mkdir -p $dir

	# remove addresses for a cleaner diff
	# http://dummdida.tumblr.com/post/60924060451/binary-diff-between-libc-from-scientificlinux-and
	$STRIP -g $1 -R __bug_table -R .note -R .comment -o $stripped
	$OBJDUMP -D $stripped | sed -e "s/^[[:space:]]\+[0-9a-f]\+//" -e "s:^$stripped:$1:" > $dis
}

dorecord() {
	[ $# -eq 0 ] && usage

	FILES="$*"

	CMT="`git rev-parse --short HEAD`"

	STRIP="${CROSS_COMPILE}strip"
	OBJDUMP="${CROSS_COMPILE}objdump"

	for d in $FILES; do
		if [ -d "$d" ]; then
			for f in $(find $d -name '*.o')
			do
				do_objdump $f
			done
		else
			do_objdump $d
		fi
	done
}

dodiff() {
	[ $# -ne 2 ] && [ $# -ne 0 ] && usage

	if [ $# -eq 0 ]; then
		SRC="`git rev-parse --short HEAD^`"
		DST="`git rev-parse --short HEAD`"
	else
		SRC="`git rev-parse --short $1`"
		DST="`git rev-parse --short $2`"
	fi

	DIFF="`which colordiff`"

	if [ ${#DIFF} -eq 0 ] || [ ! -x "$DIFF" ]; then
		DIFF="`which diff`"
	fi

	SRCD="$TMPD/$SRC"
	DSTD="$TMPD/$DST"

	if [ ! -d "$SRCD" ]; then
		echo >&2 "ERROR: $SRCD doesn't exist"
		exit 1
	fi

	if [ ! -d "$DSTD" ]; then
		echo >&2 "ERROR: $DSTD doesn't exist"
		exit 1
	fi

	$DIFF -Nurd $SRCD $DSTD
}

doclean() {
	[ $# -eq 0 ] && usage
	[ $# -gt 1 ] && usage

	if [ "x$1" = "xall" ]; then
		rm -rf $TMPD/*
	else
		CMT="`git rev-parse --short $1`"

		if [ -d "$TMPD/$CMT" ]; then
			rm -rf $TMPD/$CMT
		else
			echo >&2 "$CMT not found"
		fi
	fi
}

[ $# -eq 0 ] &&	usage

case "$1" in
	record)
		shift
		dorecord $*
		;;
	diff)
		shift
		dodiff $*
		;;
	clean)
		shift
		doclean $*
		;;
	*)
		echo >&2 "Unrecognized command '$1'"
		exit 1
		;;
esac
back to top