leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ff244c6b29
linux/drivers/net
History
Eric Dumazet ff244c6b29 tun: handle register_netdevice() failures properly 
syzkaller reported a double free [1], caused by the fact
that tun driver was not updated properly when priv_destructor
was added.

When/if register_netdevice() fails, priv_destructor() must have been
called already.

[1]
BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5023

CPU: 0 PID: 2919 Comm: syzkaller227220 Not tainted 4.13.0-rc4+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x7f/0x260 mm/kasan/report.c:252
 kasan_report_double_free+0x55/0x80 mm/kasan/report.c:333
 kasan_slab_free+0xa0/0xc0 mm/kasan/kasan.c:514
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xd3/0x260 mm/slab.c:3820
 selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5023
 security_tun_dev_free_security+0x48/0x80 security/security.c:1512
 tun_set_iff drivers/net/tun.c:1884 [inline]
 __tun_chr_ioctl+0x2ce6/0x3d50 drivers/net/tun.c:2064
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2309
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x443ff9
RSP: 002b:00007ffc34271f68 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443ff9
RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401ce0
R13: 0000000000401d70 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2919:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xaa/0xd0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x101/0x6f0 mm/slab.c:3627
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 selinux_tun_dev_alloc_security+0x49/0x170 security/selinux/hooks.c:5012
 security_tun_dev_alloc_security+0x6d/0xa0 security/security.c:1506
 tun_set_iff drivers/net/tun.c:1839 [inline]
 __tun_chr_ioctl+0x1730/0x3d50 drivers/net/tun.c:2064
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2309
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 2919:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x6e/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xd3/0x260 mm/slab.c:3820
 selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5023
 security_tun_dev_free_security+0x48/0x80 security/security.c:1512
 tun_free_netdev+0x13b/0x1b0 drivers/net/tun.c:1563
 register_netdevice+0x8d0/0xee0 net/core/dev.c:7605
 tun_set_iff drivers/net/tun.c:1859 [inline]
 __tun_chr_ioctl+0x1caf/0x3d50 drivers/net/tun.c:2064
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2309
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff8801d2843b40
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff8801d2843b40, ffff8801d2843b60)
The buggy address belongs to the page:
page:ffffea000660cea8 count:1 mapcount:0 mapping:ffff8801d2843000 index:0xffff8801d2843fc1
flags: 0x200000000000100(slab)
raw: 0200000000000100 ffff8801d2843000 ffff8801d2843fc1 000000010000003f
raw: ffffea0006626a40 ffffea00066141a0 ffff8801dbc00100
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d2843a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801d2843a80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8801d2843b00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
                                           ^
 ffff8801d2843b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801d2843c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc

==================================================================

Fixes: cf124db566 ("net: Fix inconsistent teardown and release of private netdev state.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-18 15:55:35 -07:00
..
appletalk
arcnet arcnet: com20020-pci: Fix an error handling path in 'com20020pci_probe()' 2017-07-07 09:29:10 +01:00
bonding bonding: ratelimit failed speed/duplex update warning 2017-08-13 20:01:38 -07:00
caif Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
can net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
cris net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
dsa net: dsa: mediatek: add adjust link support for user ports 2017-08-08 18:01:25 -07:00
ethernet netxen: fix incorrect loop counter decrement 2017-08-18 10:58:33 -07:00
fddi
fjes networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
hamradio networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
hippi networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hyperv netvsc: fix race on sub channel creation 2017-08-06 21:23:21 -07:00
ieee802154 networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ipvlan ipvlan: Fix 64-bit statistics seqcount initialization 2017-08-01 20:06:07 -07:00
irda mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled 2017-07-24 16:24:05 -07:00
phy net: phy: Correctly process PHY_HALTED in phy_stop_machine() 2017-07-31 17:27:10 -07:00
plip
ppp ppp: fix xmit recursion detection on ppp channels 2017-08-08 21:06:11 -07:00
slip networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
team team: use a larger struct for mac address 2017-07-29 11:25:05 -07:00
usb qmi_wwan: fix NULL deref on disconnect 2017-08-08 21:14:16 -07:00
vmxnet3 vmxnet3: avoid format strint overflow warning 2017-07-14 09:03:11 -07:00
wan networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
wimax networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
wireless brcmfmac: feature check for multi-scheduled scan fails on bcm4343x devices 2017-08-14 11:09:30 +03:00
xen-netback xen-netback: correctly schedule rate-limited queues 2017-06-22 11:15:42 -04:00
dummy.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
eql.c
geneve.c geneve: maximum value of VNI cannot be used 2017-08-09 22:41:04 -07:00
gtp.c gtp: Initialize 64-bit per-cpu stats correctly 2017-08-01 20:06:07 -07:00
ifb.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
Kconfig
LICENSE.SRC
loopback.c net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
macsec.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
macvlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
macvtap.c net: add netlink_ext_ack argument to rtnl_link_ops.newlink 2017-06-26 23:13:21 -04:00
Makefile
mdio.c
mii.c net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
netconsole.c netconsole: Remove duplicate "netconsole: " logging prefix 2017-06-13 12:57:40 -04:00
nlmon.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ntb_netdev.c ntb_netdev: set the net_device's parent 2017-07-06 11:30:08 -04:00
rionet.c net: convert sk_buff.users from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
sb1000.c
Space.c
sungem_phy.c drivers/net/sungem: add const to mii_phy_ops structures 2017-06-08 15:32:47 -04:00
tap.c tap: convert a mutex to a spinlock 2017-07-11 13:41:57 -07:00
tun.c tun: handle register_netdevice() failures properly 2017-08-18 15:55:35 -07:00
veth.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
virtio_net.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-07-31 22:36:42 -07:00
vrf.c vrf: fix bug_on triggered by rx when destroying a vrf 2017-07-06 16:46:07 +01:00
vsockmon.c net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
vxlan.c vxlan: fix remcsum when GRO on and CHECKSUM_PARTIAL boundary is outer UDP 2017-08-01 16:09:14 -07:00
xen-netfront.c