KASAN: use-after-free Read in ax25_fillin_cb

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: 8fe28cb58bcb Linux 4.20
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11502b15400000
kernel config: https://syzkaller.appspot.com/x/.config?x=7d581260bae0899a
dashboard link: https://syzkaller.appspot.com/bug?extid=ae6bb869cbed29b29040
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1114eac3400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae6bb8...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev
net/ax25/af_ax25.c:450 [inline]
BUG: KASAN: use-after-free in ax25_fillin_cb+0x6d5/0x810
net/ax25/af_ax25.c:477
Read of size 4 at addr ffff8881ccecc438 by task syz-executor5/11370

CPU: 1 PID: 11370 Comm: syz-executor5 Not tainted 4.20.0 #387
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
ax25_fillin_cb_from_dev net/ax25/af_ax25.c:450 [inline]
ax25_fillin_cb+0x6d5/0x810 net/ax25/af_ax25.c:477
ax25_setsockopt+0x92a/0xa20 net/ax25/af_ax25.c:663
__sys_setsockopt+0x1ba/0x3c0 net/socket.c:1902
__do_sys_setsockopt net/socket.c:1913 [inline]
__se_sys_setsockopt net/socket.c:1910 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1910
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457759
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f540c347c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457759
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000005
RBP: 000000000073bfa0 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 00007f540c3486d4
R13: 00000000004cb2d8 R14: 00000000004d8910 R15: 00000000ffffffff

Allocated by task 11344:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:546 [inline]
kzalloc include/linux/slab.h:741 [inline]
ax25_dev_device_up+0x47/0x4d0 net/ax25/ax25_dev.c:57
ax25_device_event+0x208/0x2e0 net/ax25/af_ax25.c:126
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1733
call_netdevice_notifiers net/core/dev.c:1751 [inline]
__dev_notify_flags+0x17a/0x480 net/core/dev.c:7545
dev_change_flags+0xfd/0x150 net/core/dev.c:7581
dev_ifsioc+0x7d6/0xa80 net/core/dev_ioctl.c:237
dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 11339:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
ax25_dev_device_down+0x164/0x2f0 net/ax25/ax25_dev.c:129
ax25_device_event+0x1f6/0x2e0 net/ax25/af_ax25.c:131
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1733
call_netdevice_notifiers net/core/dev.c:1751 [inline]
__dev_notify_flags+0x29b/0x480 net/core/dev.c:7547
dev_change_flags+0xfd/0x150 net/core/dev.c:7581
dev_ifsioc+0x7d6/0xa80 net/core/dev_ioctl.c:237
dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881ccecc400
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
192-byte region [ffff8881ccecc400, ffff8881ccecc4c0)
The buggy address belongs to the page:
page:ffffea000733b300 count:1 mapcount:0 mapping:ffff8881da800040 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea000733b1c8 ffffea000734aac8 ffff8881da800040
raw: 0000000000000000 ffff8881ccecc000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881ccecc300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881ccecc380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8881ccecc400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881ccecc480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8881ccecc500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

[Joerg Reuter]

On Fri, Dec 28, 2018 at 02:51:04PM -0800, syzbot wrote:

> BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev net/ax25/af_ax25.c:450
> [inline]
> BUG: KASAN: use-after-free in ax25_fillin_cb+0x6d5/0x810
> net/ax25/af_ax25.c:477
> Read of size 4 at addr ffff8881ccecc438 by task syz-executor5/11370

Not good... Why do things like this always pop up when I'm traveling?

> ax25_fillin_cb_from_dev net/ax25/af_ax25.c:450 [inline]
> ax25_fillin_cb+0x6d5/0x810 net/ax25/af_ax25.c:477
> ax25_setsockopt+0x92a/0xa20 net/ax25/af_ax25.c:663

That's here:
// ...
case SO_BINDTODEVICE:
// ...
dev = dev_get_by_name(&init_net, devname);
if (!dev) {
res = -ENODEV;
break;
}

ax25->ax25_dev = ax25_dev_ax25dev(dev);
ax25_fillin_cb(ax25, ax25->ax25_dev);
dev_put(dev);
break;

Thus, dev is not NULL, and neither is dev->ax25_ptr.

> Freed by task 11339:
> [..]

> ax25_dev_device_down+0x164/0x2f0 net/ax25/ax25_dev.c:129
> ax25_device_event+0x1f6/0x2e0 net/ax25/af_ax25.c:131
> notifier_call_chain+0x17e/0x380 kernel/notifier.c:93

ax25_dev_device_down() has this:

if ((s = ax25_dev_list) == ax25_dev) {
ax25_dev_list = s->next;
spin_unlock_bh(&ax25_dev_lock);
dev_put(dev);
kfree(ax25_dev);
return;
}

while (s != NULL && s->next != NULL) {
if (s->next == ax25_dev) {
s->next = ax25_dev->next;
spin_unlock_bh(&ax25_dev_lock);
dev_put(dev);
kfree(ax25_dev); // <==== here
return;
}

s = s->next;
}
spin_unlock_bh(&ax25_dev_lock);
dev->ax25_ptr = NULL;

I hope I didn't write this... *shudders*

Anyway, we are indeed missing to set dev->ax25_ptr to NULL if we're at
the head or somewhere on the ax25_dev_list, probably because it will be
cleaned up on removal of dev anyway. Unfortunately, in the meantime
either someone could call setsockopt() on an existing socket, or the
setsockopt() call got interrupted. From my POV the SO_BINDTODEVICE needs
to get protected by this:

spin_lock_bh(&ax25_dev_lock);
ax25->ax25_dev = ax25_dev_ax25dev(dev);
if (ax25->ax25_dev != NULL) {
ax25_fillin_cb(ax25, ax25->ax25_dev);
dev_put(dev);
}
spin_unlock_bh(&ax25_dev_lock);

and ax25_dev_device_down() needs to be rewritten and ensure
that dev->ax25_ptr gets set to NULL after each kfree(ax25_dev)

Unfortunately, I'm on a low bandwidth connection right now. I'd be
grateful if someone could create a patch. This is likely not a high
impact issue (unpriviliged users can't set up or tear down interfaces),
still it may cause hard to find memory corruptions.

- Joerg (yes, I'm still alive)

--
Joerg Reuter http://yaina.de/jreuter
And I make my way to where the warm scent of soil fills the evening air.
Everything is waiting quietly out there.... (Anne Clark)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in ax25_fillin_cb

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
==================================================================

BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev
net/ax25/af_ax25.c:450 [inline]
BUG: KASAN: use-after-free in ax25_fillin_cb+0x6d5/0x810
net/ax25/af_ax25.c:477

Read of size 4 at addr ffff8881ccbc3a38 by task syz-executor1/9733

CPU: 1 PID: 9733 Comm: syz-executor1 Not tainted 4.20.0+ #1

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432

ax25_fillin_cb_from_dev net/ax25/af_ax25.c:450 [inline]
ax25_fillin_cb+0x6d5/0x810 net/ax25/af_ax25.c:477

ax25_setsockopt+0x92f/0xa10 net/ax25/af_ax25.c:665

__sys_setsockopt+0x1ba/0x3c0 net/socket.c:1902
__do_sys_setsockopt net/socket.c:1913 [inline]
__se_sys_setsockopt net/socket.c:1910 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1910
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457759
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:00007f1d916b8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036

RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457759
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000005

RBP: 000000000073c040 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 00007f1d916b96d4

R13: 00000000004cb2d8 R14: 00000000004d8910 R15: 00000000ffffffff

Allocated by task 9727:

save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:546 [inline]
kzalloc include/linux/slab.h:741 [inline]
ax25_dev_device_up+0x47/0x4d0 net/ax25/ax25_dev.c:57
ax25_device_event+0x208/0x2e0 net/ax25/af_ax25.c:126
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401

call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
call_netdevice_notifiers net/core/dev.c:1765 [inline]
__dev_notify_flags+0x17a/0x480 net/core/dev.c:7605
dev_change_flags+0x109/0x160 net/core/dev.c:7643
dev_ifsioc+0x7da/0xa80 net/core/dev_ioctl.c:237

dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9727:

save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817

ax25_dev_device_down+0x164/0x2f0 net/ax25/ax25_dev.c:129
ax25_device_event+0x1f6/0x2e0 net/ax25/af_ax25.c:131
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93

__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401

call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
call_netdevice_notifiers net/core/dev.c:1765 [inline]
__dev_notify_flags+0x29b/0x480 net/core/dev.c:7607
dev_change_flags+0x109/0x160 net/core/dev.c:7643
dev_ifsioc+0x7da/0xa80 net/core/dev_ioctl.c:237

dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881ccbc3a00

which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of

192-byte region [ffff8881ccbc3a00, ffff8881ccbc3ac0)

The buggy address belongs to the page:

page:ffffea000732f0c0 count:1 mapcount:0 mapping:ffff8881da800040 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea000732be48 ffffea0007329808 ffff8881da800040
raw: 0000000000000000 ffff8881ccbc3000 0000000100000010 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8881ccbc3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881ccbc3980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
> ffff8881ccbc3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881ccbc3a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8881ccbc3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


Tested on:

commit: a8aaf1ad2c5c netrom: fix locking in nr_find_socket()
git tree: https://github.com/congwang/linux.git syzbot
console output: https://syzkaller.appspot.com/x/log.txt?x=105c5b00c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=422dcd050f9513b9

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+ae6bb8...@syzkaller.appspotmail.com

Tested on:

commit: dbee966d9366 net/wan: fix a double free in x25_asy_open_tt..

git tree: https://github.com/congwang/linux.git syzbot

kernel config: https://syzkaller.appspot.com/x/.config?x=422dcd050f9513b9
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Note: testing is done by a robot and is best-effort only.

[Cong Wang]

Hi, Joerg

On Sat, Dec 29, 2018 at 2:06 PM Joerg Reuter <jre...@yaina.de> wrote:
> Unfortunately, I'm on a low bandwidth connection right now. I'd be
> grateful if someone could create a patch. This is likely not a high
> impact issue (unpriviliged users can't set up or tear down interfaces),
> still it may cause hard to find memory corruptions.

I already sent a patch:
http://patchwork.ozlabs.org/patch/1019386/

Sorry for forgetting to Cc more people.

Thanks.