net: heap-out-of-bounds in sock_setsockopt

71 views
Skip to first unread message

Dmitry Vyukov

unread,
Dec 16, 2015, 2:35:09 PM12/16/15
to Willem de Bruijn, David S. Miller, Eric Dumazet, Eric W. Biederman, Mel Gorman, Craig Gallek, Ying Xue, Hannes Frederic Sowa, Edward Jee, Julia Lawall, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Hello,

The following program triggers heap-out-of-bounds access in sock_setsockopt:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>

#define SOF_TIMESTAMPING_OPT_ID (1<<7)

int main()
{
int fd = socket(PF_INET6, SOCK_RAW, IPPROTO_TCP);
struct sockaddr_in6 sa = {};
sa.sin6_family = AF_INET6;
sa.sin6_port = htons(13277);
inet_pton(AF_INET6, "::1", &sa.sin6_addr);
connect(fd, (struct sockaddr*)&sa, sizeof(sa));
int opt = SOF_TIMESTAMPING_OPT_ID;
setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPING, &opt, sizeof(opt));
return 0;
}


BUG: KASAN: slab-out-of-bounds in sock_setsockopt+0x1284/0x13d0 at
addr ffff88006563ec10
Read of size 4 by task syzkaller_execu/4755
=============================================================================
BUG RAWv6 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in sk_prot_alloc+0x69/0x340 age=17 cpu=3 pid=4755
[< none >] kmem_cache_alloc+0x244/0x2c0 mm/slub.c:2607
[< none >] sk_prot_alloc+0x69/0x340 net/core/sock.c:1343
[< none >] sk_alloc+0x3a/0x6b0 net/core/sock.c:1418
[< none >] inet6_create+0x2c4/0xfd0 net/ipv6/af_inet6.c:170
[< none >] __sock_create+0x37c/0x640 net/socket.c:1162
[< inline >] sock_create net/socket.c:1202
[< inline >] SYSC_socket net/socket.c:1232
[< none >] SyS_socket+0xef/0x1b0 net/socket.c:1212
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

Call Trace:
[<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
[<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
[< inline >] SYSC_setsockopt net/socket.c:1746
[<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
[<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185


On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).

Cong Wang

unread,
Dec 16, 2015, 3:22:36 PM12/16/15
to Dmitry Vyukov, Willem de Bruijn, David S. Miller, Eric Dumazet, Eric W. Biederman, Mel Gorman, Craig Gallek, Ying Xue, Hannes Frederic Sowa, Edward Jee, Julia Lawall, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Hmm, we should exclude the raw socket case, something like the
following, but I am not sure if the check is too strict or not, also
not sure if we should return an error for this raw socket case.

diff --git a/net/core/sock.c b/net/core/sock.c
index 765be83..c26e80a 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -872,7 +872,7 @@ int sock_setsockopt(struct socket *sock, int
level, int optname,

if (val & SOF_TIMESTAMPING_OPT_ID &&
!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
- if (sk->sk_protocol == IPPROTO_TCP) {
+ if (sk->sk_protocol == IPPROTO_TCP &&
sk->sk_type == SOCK_STREAM) {
if (sk->sk_state != TCP_ESTABLISHED) {
ret = -EINVAL;
break;

Eric Dumazet

unread,
Dec 16, 2015, 4:07:31 PM12/16/15
to Cong Wang, Dmitry Vyukov, Willem de Bruijn, David S. Miller, Eric W. Biederman, Mel Gorman, Craig Gallek, Ying Xue, Hannes Frederic Sowa, Edward Jee, Julia Lawall, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
On Wed, Dec 16, 2015 at 12:22 PM, Cong Wang <cw...@twopensource.com> wrote:

> Hmm, we should exclude the raw socket case, something like the
> following, but I am not sure if the check is too strict or not, also
> not sure if we should return an error for this raw socket case.
>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 765be83..c26e80a 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -872,7 +872,7 @@ int sock_setsockopt(struct socket *sock, int
> level, int optname,
>
> if (val & SOF_TIMESTAMPING_OPT_ID &&
> !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
> - if (sk->sk_protocol == IPPROTO_TCP) {
> + if (sk->sk_protocol == IPPROTO_TCP &&
> sk->sk_type == SOCK_STREAM) {
> if (sk->sk_state != TCP_ESTABLISHED) {
> ret = -EINVAL;
> break;

This looks right, please post this officially ;)

tcp_sk(sk) only works for TCP sockets , and the test must include
sk->sk_type == SOCK_STREAM

Willem de Bruijn

unread,
Dec 16, 2015, 5:59:15 PM12/16/15
to Cong Wang, Dmitry Vyukov, Willem de Bruijn, David S. Miller, Eric Dumazet, Eric W. Biederman, Mel Gorman, Craig Gallek, Ying Xue, Hannes Frederic Sowa, Edward Jee, Julia Lawall, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
>
> Hmm, we should exclude the raw socket case, something like the
> following, but I am not sure if the check is too strict or not, also
> not sure if we should return an error for this raw socket case.

No, SOF_TIMESTAMPING_OPT_ID with SOCK_RAW/IPPROTO_TCP
is legitimate. It should fall through to initializing sk->sk_tskey to zero.
Only stream sockets should use the special case where numbering
is bytestream and computed by subtracting the seqno from the seqno
at the time that the option is enabled.

>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 765be83..c26e80a 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -872,7 +872,7 @@ int sock_setsockopt(struct socket *sock, int
> level, int optname,
>
> if (val & SOF_TIMESTAMPING_OPT_ID &&
> !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
> - if (sk->sk_protocol == IPPROTO_TCP) {
> + if (sk->sk_protocol == IPPROTO_TCP &&
> sk->sk_type == SOCK_STREAM) {
> if (sk->sk_state != TCP_ESTABLISHED) {
> ret = -EINVAL;
> break;

I made the same error when later returning the tskey in
__skb_tstamp_tx:

if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
serr->ee.ee_data = skb_shinfo(skb)->tskey;
if (sk->sk_protocol == IPPROTO_TCP)
serr->ee.ee_data -= sk->sk_tskey;
}

This has no effect if sk->sk_tskey is initialized to 0 with your patch. Still,
it should not treat SOCK_RAW as a TCP sock here, either. Please
add this if you're about to send the patch. Or I can send it separately,
if you prefer. Thanks for the quick fix.
Reply all
Reply to author
Forward
0 new messages