leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
77f22f92df
linux/drivers
History
Yang Yingliang 77f22f92df tun: fix use-after-free when register netdev failed 
I got a UAF repport in tun driver when doing fuzzy test:

[  466.269490] ==================================================================
[  466.271792] BUG: KASAN: use-after-free in tun_chr_read_iter+0x2ca/0x2d0
[  466.271806] Read of size 8 at addr ffff888372139250 by task tun-test/2699
[  466.271810]
[  466.271824] CPU: 1 PID: 2699 Comm: tun-test Not tainted 5.3.0-rc1-00001-g5a9433db2614-dirty #427
[  466.271833] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  466.271838] Call Trace:
[  466.271858]  dump_stack+0xca/0x13e
[  466.271871]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271890]  print_address_description+0x79/0x440
[  466.271906]  ? vprintk_func+0x5e/0xf0
[  466.271920]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271935]  __kasan_report+0x15c/0x1df
[  466.271958]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271976]  kasan_report+0xe/0x20
[  466.271987]  tun_chr_read_iter+0x2ca/0x2d0
[  466.272013]  do_iter_readv_writev+0x4b7/0x740
[  466.272032]  ? default_llseek+0x2d0/0x2d0
[  466.272072]  do_iter_read+0x1c5/0x5e0
[  466.272110]  vfs_readv+0x108/0x180
[  466.299007]  ? compat_rw_copy_check_uvector+0x440/0x440
[  466.299020]  ? fsnotify+0x888/0xd50
[  466.299040]  ? __fsnotify_parent+0xd0/0x350
[  466.299064]  ? fsnotify_first_mark+0x1e0/0x1e0
[  466.304548]  ? vfs_write+0x264/0x510
[  466.304569]  ? ksys_write+0x101/0x210
[  466.304591]  ? do_preadv+0x116/0x1a0
[  466.304609]  do_preadv+0x116/0x1a0
[  466.309829]  do_syscall_64+0xc8/0x600
[  466.309849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.309861] RIP: 0033:0x4560f9
[  466.309875] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[  466.309889] RSP: 002b:00007ffffa5166e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000127
[  466.322992] RAX: ffffffffffffffda RBX: 0000000000400460 RCX: 00000000004560f9
[  466.322999] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
[  466.323007] RBP: 00007ffffa516700 R08: 0000000000000004 R09: 0000000000000000
[  466.323014] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000040cb10
[  466.323021] R13: 0000000000000000 R14: 00000000006d7018 R15: 0000000000000000
[  466.323057]
[  466.323064] Allocated by task 2605:
[  466.335165]  save_stack+0x19/0x80
[  466.336240]  __kasan_kmalloc.constprop.8+0xa0/0xd0
[  466.337755]  kmem_cache_alloc+0xe8/0x320
[  466.339050]  getname_flags+0xca/0x560
[  466.340229]  user_path_at_empty+0x2c/0x50
[  466.341508]  vfs_statx+0xe6/0x190
[  466.342619]  __do_sys_newstat+0x81/0x100
[  466.343908]  do_syscall_64+0xc8/0x600
[  466.345303]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.347034]
[  466.347517] Freed by task 2605:
[  466.348471]  save_stack+0x19/0x80
[  466.349476]  __kasan_slab_free+0x12e/0x180
[  466.350726]  kmem_cache_free+0xc8/0x430
[  466.351874]  putname+0xe2/0x120
[  466.352921]  filename_lookup+0x257/0x3e0
[  466.354319]  vfs_statx+0xe6/0x190
[  466.355498]  __do_sys_newstat+0x81/0x100
[  466.356889]  do_syscall_64+0xc8/0x600
[  466.358037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.359567]
[  466.360050] The buggy address belongs to the object at ffff888372139100
[  466.360050]  which belongs to the cache names_cache of size 4096
[  466.363735] The buggy address is located 336 bytes inside of
[  466.363735]  4096-byte region [ffff888372139100, ffff88837213a100)
[  466.367179] The buggy address belongs to the page:
[  466.368604] page:ffffea000dc84e00 refcount:1 mapcount:0 mapping:ffff8883df1b4f00 index:0x0 compound_mapcount: 0
[  466.371582] flags: 0x2fffff80010200(slab|head)
[  466.372910] raw: 002fffff80010200 dead000000000100 dead000000000122 ffff8883df1b4f00
[  466.375209] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[  466.377778] page dumped because: kasan: bad access detected
[  466.379730]
[  466.380288] Memory state around the buggy address:
[  466.381844]  ffff888372139100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.384009]  ffff888372139180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.386131] >ffff888372139200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.388257]                                                  ^
[  466.390234]  ffff888372139280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.392512]  ffff888372139300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.394667] ==================================================================

tun_chr_read_iter() accessed the memory which freed by free_netdev()
called by tun_set_iff():

        CPUA                                           CPUB
  tun_set_iff()
    alloc_netdev_mqs()
    tun_attach()
                                                  tun_chr_read_iter()
                                                    tun_get()
                                                    tun_do_read()
                                                      tun_ring_recv()
    register_netdevice() <-- inject error
    goto err_detach
    tun_detach_all() <-- set RCV_SHUTDOWN
    free_netdev() <-- called from
                     err_free_dev path
      netdev_freemem() <-- free the memory
                        without check refcount
      (In this path, the refcount cannot prevent
       freeing the memory of dev, and the memory
       will be used by dev_put() called by
       tun_chr_read_iter() on CPUB.)
                                                     (Break from tun_ring_recv(),
                                                     because RCV_SHUTDOWN is set)
                                                   tun_put()
                                                     dev_put() <-- use the memory
                                                                   freed by netdev_freemem()

Put the publishing of tfile->tun after register_netdevice(),
so tun_get() won't get the tun pointer that freed by
err_detach path if register_netdevice() failed.

Fixes: eb0fb363f9 ("tuntap: attach queue 0 before registering netdevice")
Reported-by: Hulk Robot <hulkci@huawei.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-09-12 11:17:26 +01:00
..
accessibility
acpi drivers/acpi/scan.c: document why we don't need the device_hotplug_lock 2019-08-03 07:02:01 -07:00
amba Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
android binder: prevent transactions to context manager from its own process. 2019-07-24 11:02:28 +02:00
ata libata: add SG safety checks in SFF pio transfers 2019-08-07 12:23:57 -06:00
atm Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 2019-08-19 18:15:18 -07:00
auxdisplay auxdisplay: ht16k33: Make ht16k33_fb_fix and ht16k33_fb_var constant 2019-08-20 11:48:54 +02:00
base soundwire fixes for v5.3-rc5 2019-08-16 12:35:56 +02:00
bcma
block rbd: restore zeroing past the overlap when reading from parent 2019-08-28 12:34:11 +02:00
bluetooth Bluetooth: bpa10x: change return value 2019-09-04 16:11:46 +02:00
bus Hisilicon fixes for v5.3-rc 2019-08-29 17:23:52 +02:00
cdrom
char tpm: tpm_ibm_vtpm: Fix unallocated banks 2019-08-05 00:55:00 +03:00
clk clk: Fix potential NULL dereference in clk_fetch_parent_index() 2019-08-16 10:30:21 -07:00
clocksource RISC-V: Remove per cpu clocksource 2019-08-06 14:37:58 -07:00
connector connector: remove redundant input callback from cn_dev 2019-07-21 13:31:14 -07:00
counter Staging / IIO driver update for 5.3-rc1 2019-07-11 15:36:02 -07:00
cpufreq cpufreq: dev_pm_qos_update_request() can return 1 on success 2019-08-10 13:39:47 +02:00
cpuidle Merge branch 'pm-cpufreq' 2019-07-18 09:49:30 +02:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-08-30 18:56:08 -07:00
dax Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
dca
devfreq
dio
dma Wimplicit-fallthrough patches for 5.3-rc6 2019-08-22 11:26:10 -07:00
dma-buf Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
edac EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec 2019-06-27 10:24:47 -07:00
eisa
extcon
firewire firewire: mark expected switch fall-throughs 2019-07-25 20:09:37 -05:00
firmware Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-08-18 09:36:51 -07:00
fpga FPGA Manager fixes for 5.3 2019-08-28 22:26:47 +02:00
fsi fsi: scom: Don't abort operations for minor errors 2019-08-28 22:59:18 +02:00
gnss
gpio gpio: Fix irqchip initialization order 2019-08-23 11:00:43 +02:00
gpu drm/i915 fixes for v5.3-rc7: 2019-08-30 10:55:29 +10:00
hid HID: wacom: correct misreported EKR ring values 2019-08-20 10:40:40 +02:00
hsi
hv Drivers: hv: vmbus: Fix virt_to_hvpfn() for X86_PAE 2019-08-20 12:49:57 -04:00
hwmon hwmon: (lm75) Fixup tmp75b clr_mask 2019-08-07 14:50:49 -07:00
hwspinlock hwspinlock: add the 'in_atomic' API 2019-06-29 21:08:14 -07:00
hwtracing intel_th: pci: Add Tiger Lake support 2019-08-28 22:29:02 +02:00
i2c i2c: mediatek: disable zero-length transfers for mt8183 2019-08-30 15:06:17 +02:00
i3c * Drop support for 10-bit I2C addresses 2019-07-09 09:04:31 -07:00
ide It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
idle
iio iio: adc: max9611: Fix temperature reading in probe 2019-08-05 17:42:24 +01:00
infiniband RDMA/siw: Fix IPv6 addr_list locking 2019-08-28 10:29:19 -04:00
input Input: hyperv-keyboard: Use in-place iterator API in the channel callback 2019-08-20 11:28:04 -04:00
interconnect
iommu dma-direct: fix zone selection after an unaddressable CMA allocation 2019-08-21 07:14:10 +09:00
ipack TTY / Serial driver updates for 5.3-rc1 2019-07-11 15:38:21 -07:00
irqchip irqchip fixes for 5.3 2019-08-01 20:21:00 +02:00
isdn isdn/capi: check message length in capi_write() 2019-09-07 17:44:25 +02:00
leds LED updates for 5.3-rc1 2019-07-09 08:59:39 -07:00
lightnvm
macintosh drivers/macintosh/smu.c: Mark expected switch fall-through 2019-07-31 21:44:45 +10:00
mailbox - stm32: race fix by adding a spinlock 2019-07-14 16:36:51 -07:00
mcb
md dm table: fix invalid memory accesses with too high sector number 2019-08-23 10:11:42 -04:00
media dmaengine fixes for v5.3-rc5 2019-08-16 08:59:33 -07:00
memory Kbuild updates for v5.3 (2nd) 2019-07-20 09:34:55 -07:00
memstick MMC core: 2019-07-11 18:11:21 -07:00
message SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
mfd - Bug Fixes 2019-08-27 10:47:01 -07:00
misc vmw_balloon: Fix offline page marking with compaction 2019-08-28 22:57:07 +02:00
mmc mmc: sdhci-cadence: enable v4_mode to fix ADMA 64-bit addressing 2019-08-30 09:17:53 +02:00
mtd mtd: hyperbus: fix dependency and build error 2019-08-29 14:31:23 +02:00
mux
net tun: fix use-after-free when register netdev failed 2019-09-12 11:17:26 +01:00
nfc NFC: st95hf: fix spelling mistake "receieve" -> "receive" 2019-09-11 15:07:07 +01:00
ntb NTB/msi: remove incorrect MODULE defines 2019-08-05 15:42:27 -04:00
nubus
nvdimm libnvdimm fixes v5.3-rc2 2019-07-27 08:25:51 -07:00
nvme nvme: Add quirk for LiteON CL1 devices running FW 22301111 2019-08-20 11:02:10 -06:00
nvmem nvmem: Use the same permissions for eeprom as for nvmem 2019-07-30 18:22:20 +02:00
of of: irq: fix a trivial typo in a doc comment 2019-08-14 20:12:16 -06:00
opp pci-v5.3-changes 2019-07-15 20:44:49 -07:00
oprofile vfs: Convert oprofilefs to use the new mount API 2019-07-04 22:01:59 -04:00
parisc
parport It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
pci pci-v5.3-fixes-1 2019-08-22 14:04:47 -07:00
pcmcia pcmcia: db1xxx_ss: Mark expected switch fall-throughs 2019-08-09 19:53:04 -05:00
perf drivers/perf: arm_pmu: Fix failure path in PM notifier 2019-07-29 11:43:48 +01:00
phy phy: for 5.3 2019-07-01 15:04:59 +02:00
pinctrl pinctrl: aspeed: Make aspeed_pinmux_ips static 2019-07-29 23:35:31 +02:00
platform chrome-platform fixes for v5.3-rc6 2019-08-22 11:17:20 -07:00
pnp docs: driver-api: add a series of orphaned documents 2019-07-15 11:03:02 -03:00
power power: supply: ab8500_charger: Mark expected switch fall-through 2019-08-20 19:43:33 -05:00
powercap powercap: Invoke powercap_init() and rapl_init() earlier 2019-07-22 11:23:00 +02:00
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-07-16 19:23:24 -07:00
ps3
ptp
pwm pwm: Fallback to the static lookup-list when acpi_pwm_get fails 2019-08-08 13:17:38 +02:00
rapidio Merge branch 'akpm' (patches from Andrew) 2019-07-17 08:58:04 -07:00
ras
regulator regulator: of: Add of_node_put() before return in function 2019-08-01 14:07:46 +01:00
remoteproc remoteproc updates for v5.3 2019-07-17 11:44:41 -07:00
reset ARM: SoC-related driver updates 2019-07-19 17:13:56 -07:00
rpmsg
rtc RTC for 5.3 2019-07-17 10:03:50 -07:00
s390 s390/qeth: reject oversized SNMP requests 2019-08-24 16:34:08 -07:00
sbus
scsi SCSI fixes on 20190824 2019-08-24 11:26:51 -07:00
sfi
sh
siox
slimbus
sn
soc soc: ixp4xx: Protect IXP4xx SoC drivers by ARCH_IXP4XX || COMPILE_TEST 2019-08-29 17:34:38 +02:00
soundwire soundwire: fix regmap dependencies and align with other serial links 2019-08-09 10:20:40 +05:30
spi spi: Fixes for v5.3 2019-08-05 11:49:02 -07:00
spmi
ssb ssb/gpio: Remove unnecessary WARN_ON from driver_gpio 2019-06-25 08:05:34 +03:00
staging staging: comedi: dt3000: Fix rounding up of timer divisor 2019-08-12 16:46:12 +02:00
target scsi: target: tcmu: avoid use-after-free after command timeout 2019-08-14 21:58:55 -04:00
tc
tee
thermal int340X/processor_thermal_device: Fix proc_thermal_rapl_remove() 2019-07-23 09:36:07 +02:00
thunderbolt Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
tty kgdboc: disable the console lock when in kgdb 2019-07-30 17:39:39 +02:00
uio
usb USB: cdc-wdm: fix race between write and disconnect due to flag abuse 2019-08-28 22:48:38 +02:00
uwb
vfio VFIO updates for v5.3-rc1 2019-07-17 11:23:13 -07:00
vhost vhost: disable metadata prefetch optimization 2019-07-26 07:49:29 -04:00
video Wimplicit-fallthrough patches for 5.3-rc6 2019-08-22 11:26:10 -07:00
virt
virtio Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
visorbus bus_find_device: Unify the match callback with class_find_device 2019-06-24 05:22:31 +02:00
vlynq
vme
w1 docs: driver-api: add a series of orphaned documents 2019-07-15 11:03:02 -03:00
watchdog Wimplicit-fallthrough patches for 5.3-rc6 2019-08-22 11:26:10 -07:00
xen xen: fixes for 5.3-rc3 2019-08-02 15:26:48 -07:00
zorro
Kconfig
Makefile