[Linux-kernel-mentees] [PATCH net] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

[Peilin Ye]

#syz test: https://github.com/google/kmsan.git master

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+23b5f9...@syzkaller.appspotmail.com

Tested on:

commit: ce8056d1 wip: changed copy_from_user where instrumented
git tree: https://github.com/google/kmsan.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=eaeb41c4b116ed1a
dashboard link: https://syzkaller.appspot.com/bug?extid=23b5f9e7caf61d9a3898
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch: https://syzkaller.appspot.com/x/patch.diff?x=125f231a900000

Note: testing is done by a robot and is best-effort only.

[Peilin Ye]

do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
zero. Fix it.

Reported-and-tested-by: syzbot+23b5f9...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
Signed-off-by: Peilin Ye <yepei...@gmail.com>
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 412656c34f20..c050b6a42786 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2418,7 +2418,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
{
struct net *net = sock_net(sk);
int ret;
- unsigned char arg[MAX_SET_ARGLEN];
+ unsigned char arg[MAX_SET_ARGLEN] = {};
struct ip_vs_service_user *usvc_compat;
struct ip_vs_service_user_kern usvc;
struct ip_vs_service *svc;
--
2.25.1

[Cong Wang]

On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye <yepei...@gmail.com> wrote:
>
> do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> zero. Fix it.

Which exact 'cmd' is it here?

I _guess_ it is one of those uninitialized in set_arglen[], which is 0.
But if that is the case, should it be initialized to
sizeof(struct ip_vs_service_user) instead because ip_vs_copy_usvc_compat()
is called anyway. Or, maybe we should just ban len==0 case.

In either case, it does not look like you fix it correctly.

Thanks.

[Peilin Ye]

On Mon, Aug 10, 2020 at 08:57:19PM -0700, Cong Wang wrote:
> On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye <yepei...@gmail.com> wrote:
> >
> > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> > zero. Fix it.
>
> Which exact 'cmd' is it here?
>
> I _guess_ it is one of those uninitialized in set_arglen[], which is 0.

Yes, it was `IP_VS_SO_SET_NONE`, implicitly initialized to zero.

> But if that is the case, should it be initialized to
> sizeof(struct ip_vs_service_user) instead because ip_vs_copy_usvc_compat()
> is called anyway. Or, maybe we should just ban len==0 case.

I see. I think the latter would be easier, but we cannot ban all of
them, since the function does something with `IP_VS_SO_SET_FLUSH`, which
is a `len == 0` case.

Maybe we do something like this?

@@ -2432,6 +2432,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)

if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
return -EINVAL;
+ if (len == 0 && cmd != IP_VS_SO_SET_FLUSH)
+ return -EINVAL;
if (len != set_arglen[CMDID(cmd)]) {
IP_VS_DBG(1, "set_ctl: len %u != %u\n",
len, set_arglen[CMDID(cmd)]);
@@ -2547,9 +2549,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
break;
case IP_VS_SO_SET_DELDEST:
ret = ip_vs_del_dest(svc, &udest);
- break;
- default:
- ret = -EINVAL;
}

out_unlock:

Thank you,
Peilin Ye

[Peilin Ye]

[Julian Anastasov]

Hello,

On Tue, 11 Aug 2020, Peilin Ye wrote:

> On Mon, Aug 10, 2020 at 08:57:19PM -0700, Cong Wang wrote:
> > On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye <yepei...@gmail.com> wrote:
> > >
> > > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> > > zero. Fix it.
> >
> > Which exact 'cmd' is it here?
> >
> > I _guess_ it is one of those uninitialized in set_arglen[], which is 0.
>
> Yes, it was `IP_VS_SO_SET_NONE`, implicitly initialized to zero.
>
> > But if that is the case, should it be initialized to
> > sizeof(struct ip_vs_service_user) instead because ip_vs_copy_usvc_compat()
> > is called anyway. Or, maybe we should just ban len==0 case.
>
> I see. I think the latter would be easier, but we cannot ban all of
> them, since the function does something with `IP_VS_SO_SET_FLUSH`, which
> is a `len == 0` case.
>
> Maybe we do something like this?

Yes, only IP_VS_SO_SET_FLUSH uses len 0. We can go with
this change but you do not need to target net tree, as the
problem is not fatal net-next works too. What happens is
that we may lookup services with random search keys which
is harmless.

Another option is to add new block after this one:

} else if (cmd == IP_VS_SO_SET_TIMEOUT) {
/* Set timeout values for (tcp tcpfin udp) */
ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
goto out_unlock;
}

such as:

} else if (!len) {
/* No more commands with len=0 below */
ret = -EINVAL;
goto out_unlock;
}

It give more chance for future commands to use len=0
but the drawback is that the check happens under mutex. So, I'm
fine with both versions, it is up to you to decide :)

> @@ -2432,6 +2432,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
>
> if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
> return -EINVAL;
> + if (len == 0 && cmd != IP_VS_SO_SET_FLUSH)
> + return -EINVAL;
> if (len != set_arglen[CMDID(cmd)]) {
> IP_VS_DBG(1, "set_ctl: len %u != %u\n",
> len, set_arglen[CMDID(cmd)]);
> @@ -2547,9 +2549,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
> break;
> case IP_VS_SO_SET_DELDEST:
> ret = ip_vs_del_dest(svc, &udest);
> - break;
> - default:
> - ret = -EINVAL;
> }
>
> out_unlock:

Regards

--
Julian Anastasov <j...@ssi.bg>

[Peilin Ye]

On Tue, Aug 11, 2020 at 09:58:46AM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Tue, 11 Aug 2020, Peilin Ye wrote:
>
> > On Mon, Aug 10, 2020 at 08:57:19PM -0700, Cong Wang wrote:
> > > On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye <yepei...@gmail.com> wrote:
> > > >
> > > > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> > > > zero. Fix it.
> > >
> > > Which exact 'cmd' is it here?
> > >
> > > I _guess_ it is one of those uninitialized in set_arglen[], which is 0.
> >
> > Yes, it was `IP_VS_SO_SET_NONE`, implicitly initialized to zero.
> >
> > > But if that is the case, should it be initialized to
> > > sizeof(struct ip_vs_service_user) instead because ip_vs_copy_usvc_compat()
> > > is called anyway. Or, maybe we should just ban len==0 case.
> >
> > I see. I think the latter would be easier, but we cannot ban all of
> > them, since the function does something with `IP_VS_SO_SET_FLUSH`, which
> > is a `len == 0` case.
> >
> > Maybe we do something like this?
>
> Yes, only IP_VS_SO_SET_FLUSH uses len 0. We can go with
> this change but you do not need to target net tree, as the
> problem is not fatal net-next works too. What happens is
> that we may lookup services with random search keys which
> is harmless.

I see, I'll target net-next instead.

> Another option is to add new block after this one:
>
> } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
> /* Set timeout values for (tcp tcpfin udp) */
> ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
> goto out_unlock;
> }
>
> such as:
>
> } else if (!len) {
> /* No more commands with len=0 below */
> ret = -EINVAL;
> goto out_unlock;
> }
>
> It give more chance for future commands to use len=0
> but the drawback is that the check happens under mutex. So, I'm
> fine with both versions, it is up to you to decide :)

Ah, this seems much cleaner. I'll send v2 soon, thank you!

Peilin Ye

[Peilin Ye]

do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
zero. Fix it.

Reported-by: syzbot+23b5f9...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
Suggested-by: Julian Anastasov <j...@ssi.bg>

Signed-off-by: Peilin Ye <yepei...@gmail.com>
---

Changes in v2:
- Target net-next tree. (Suggested by Julian Anastasov <j...@ssi.bg>)
- Reject all `len == 0` requests except `IP_VS_SO_SET_FLUSH`, instead
of initializing `arg`. (Suggested by Cong Wang
<xiyou.w...@gmail.com>, Julian Anastasov <j...@ssi.bg>)

net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 412656c34f20..beeafa42aad7 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2471,6 +2471,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)

/* Set timeout values for (tcp tcpfin udp) */
ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
goto out_unlock;

+ } else if (!len) {
+ /* No more commands with len == 0 below */
+ ret = -EINVAL;
+ goto out_unlock;
}

usvc_compat = (struct ip_vs_service_user *)arg;
@@ -2547,9 +2551,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)

break;
case IP_VS_SO_SET_DELDEST:
ret = ip_vs_del_dest(svc, &udest);
- break;
- default:
- ret = -EINVAL;
}

out_unlock:

--
2.25.1

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+23b5f9...@syzkaller.appspotmail.com

Tested on:

commit: ce8056d1 wip: changed copy_from_user where instrumented
git tree: https://github.com/google/kmsan.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=eaeb41c4b116ed1a
dashboard link: https://syzkaller.appspot.com/bug?extid=23b5f9e7caf61d9a3898
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

patch: https://syzkaller.appspot.com/x/patch.diff?x=158573c2900000

[Julian Anastasov]

Hello,

On Tue, 11 Aug 2020, Peilin Ye wrote:

> do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> zero. Fix it.
>
> Reported-by: syzbot+23b5f9...@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
> Suggested-by: Julian Anastasov <j...@ssi.bg>
> Signed-off-by: Peilin Ye <yepei...@gmail.com>

Looks good to me, thanks!

Acked-by: Julian Anastasov <j...@ssi.bg>

[Simon Horman]

On Tue, Aug 11, 2020 at 01:29:04PM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Tue, 11 Aug 2020, Peilin Ye wrote:
>
> > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> > zero. Fix it.
> >
> > Reported-by: syzbot+23b5f9...@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
> > Suggested-by: Julian Anastasov <j...@ssi.bg>
> > Signed-off-by: Peilin Ye <yepei...@gmail.com>
>
> Looks good to me, thanks!
>
> Acked-by: Julian Anastasov <j...@ssi.bg>

Pablo, could you consider this for nf-next or should we repost when
net-next re-opens?

Reviewed-by: Simon Horman <ho...@verge.net.au>

[Pablo Neira Ayuso]

No worries, it will sit in netfilter's patchwork until net-next
reopens.

[Pablo Neira Ayuso]

On Tue, Aug 11, 2020 at 03:46:40AM -0400, Peilin Ye wrote:
> do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> zero. Fix it.

Applied to nf-next, thanks.