• Mao Wenan's avatar
    net: crypto set sk to NULL when af_alg_release. · 9060cb71
    Mao Wenan authored
    KASAN has found use-after-free in sockfs_setattr.
    The existed commit 6d8c50dc ("socket: close race condition between sock_close()
    and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
    that crypto module forgets to set the sk to NULL after af_alg_release.
    
    KASAN report details as below:
    BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
    Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
    
    CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    1.10.2-1ubuntu1 04/01/2014
    Call Trace:
     dump_stack+0xca/0x13e
     print_address_description+0x79/0x330
     ? vprintk_func+0x5e/0xf0
     kasan_report+0x18a/0x2e0
     ? sockfs_setattr+0x120/0x150
     sockfs_setattr+0x120/0x150
     ? sock_register+0x2d0/0x2d0
     notify_change+0x90c/0xd40
     ? chown_common+0x2ef/0x510
     chown_common+0x2ef/0x510
     ? chmod_common+0x3b0/0x3b0
     ? __lock_is_held+0xbc/0x160
     ? __sb_start_write+0x13d/0x2b0
     ? __mnt_want_write+0x19a/0x250
     do_fchownat+0x15c/0x190
     ? __ia32_sys_chmod+0x80/0x80
     ? trace_hardirqs_on_thunk+0x1a/0x1c
     __x64_sys_fchownat+0xbf/0x160
     ? lockdep_hardirqs_on+0x39a/0x5e0
     do_syscall_64+0xc8/0x580
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x462589
    Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
    f7 48 89 d6 48 89
    ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
    48 c7 c1 bc ff ff
    ff f7 d8 64 89 01 48
    RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
    RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
    RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
    RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
    R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
    
    Allocated by task 4185:
     kasan_kmalloc+0xa0/0xd0
     __kmalloc+0x14a/0x350
     sk_prot_alloc+0xf6/0x290
     sk_alloc+0x3d/0xc00
     af_alg_accept+0x9e/0x670
     hash_accept+0x4a3/0x650
     __sys_accept4+0x306/0x5c0
     __x64_sys_accept4+0x98/0x100
     do_syscall_64+0xc8/0x580
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    Freed by task 4184:
     __kasan_slab_free+0x12e/0x180
     kfree+0xeb/0x2f0
     __sk_destruct+0x4e6/0x6a0
     sk_destruct+0x48/0x70
     __sk_free+0xa9/0x270
     sk_free+0x2a/0x30
     af_alg_release+0x5c/0x70
     __sock_release+0xd3/0x280
     sock_close+0x1a/0x20
     __fput+0x27f/0x7f0
     task_work_run+0x136/0x1b0
     exit_to_usermode_loop+0x1a7/0x1d0
     do_syscall_64+0x461/0x580
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    Syzkaller reproducer:
    r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
    0xffffffffffffffff, 0x0)
    r1 = socket$alg(0x26, 0x5, 0x0)
    getrusage(0x0, 0x0)
    bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
    'sha256-ssse3\x00'}, 0x80)
    r2 = accept(r1, 0x0, 0x0)
    r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
    r4 = dup3(r3, r0, 0x0)
    fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
    
    Fixes: 6d8c50dc ("socket: close race condition between sock_close() and sockfs_setattr()")
    Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    9060cb71
Name
Last commit
Last update
..
asymmetric_keys Loading commit data...
async_tx Loading commit data...
842.c Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
ablkcipher.c Loading commit data...
acompress.c Loading commit data...
adiantum.c Loading commit data...
aead.c Loading commit data...
aegis.h Loading commit data...
aegis128.c Loading commit data...
aegis128l.c Loading commit data...
aegis256.c Loading commit data...
aes_generic.c Loading commit data...
aes_ti.c Loading commit data...
af_alg.c Loading commit data...
ahash.c Loading commit data...
akcipher.c Loading commit data...
algapi.c Loading commit data...
algboss.c Loading commit data...
algif_aead.c Loading commit data...
algif_hash.c Loading commit data...
algif_rng.c Loading commit data...
algif_skcipher.c Loading commit data...
ansi_cprng.c Loading commit data...
anubis.c Loading commit data...
api.c Loading commit data...
arc4.c Loading commit data...
authenc.c Loading commit data...
authencesn.c Loading commit data...
blkcipher.c Loading commit data...
blowfish_common.c Loading commit data...
blowfish_generic.c Loading commit data...
camellia_generic.c Loading commit data...
cast5_generic.c Loading commit data...
cast6_generic.c Loading commit data...
cast_common.c Loading commit data...
cbc.c Loading commit data...
ccm.c Loading commit data...
cfb.c Loading commit data...
chacha20poly1305.c Loading commit data...
chacha_generic.c Loading commit data...
cipher.c Loading commit data...
cmac.c Loading commit data...
compress.c Loading commit data...
crc32_generic.c Loading commit data...
crc32c_generic.c Loading commit data...
crct10dif_common.c Loading commit data...
crct10dif_generic.c Loading commit data...
cryptd.c Loading commit data...
crypto_engine.c Loading commit data...
crypto_null.c Loading commit data...
crypto_user_base.c Loading commit data...
crypto_user_stat.c Loading commit data...
crypto_wq.c Loading commit data...
ctr.c Loading commit data...
cts.c Loading commit data...
deflate.c Loading commit data...
des_generic.c Loading commit data...
dh.c Loading commit data...
dh_helper.c Loading commit data...
drbg.c Loading commit data...
ecb.c Loading commit data...
ecc.c Loading commit data...
ecc.h Loading commit data...
ecc_curve_defs.h Loading commit data...
ecdh.c Loading commit data...
ecdh_helper.c Loading commit data...
echainiv.c Loading commit data...
fcrypt.c Loading commit data...
fips.c Loading commit data...
gcm.c Loading commit data...
gf128mul.c Loading commit data...
ghash-generic.c Loading commit data...
hash_info.c Loading commit data...
hmac.c Loading commit data...
internal.h Loading commit data...
jitterentropy-kcapi.c Loading commit data...
jitterentropy.c Loading commit data...
keywrap.c Loading commit data...
khazad.c Loading commit data...
kpp.c Loading commit data...
lrw.c Loading commit data...
lz4.c Loading commit data...
lz4hc.c Loading commit data...
lzo.c Loading commit data...
md4.c Loading commit data...
md5.c Loading commit data...
memneq.c Loading commit data...
michael_mic.c Loading commit data...
morus1280.c Loading commit data...
morus640.c Loading commit data...
nhpoly1305.c Loading commit data...
ofb.c Loading commit data...
pcbc.c Loading commit data...
pcrypt.c Loading commit data...
poly1305_generic.c Loading commit data...
proc.c Loading commit data...
ripemd.h Loading commit data...
rmd128.c Loading commit data...
rmd160.c Loading commit data...
rmd256.c Loading commit data...
rmd320.c Loading commit data...
rng.c Loading commit data...
rsa-pkcs1pad.c Loading commit data...
rsa.c Loading commit data...
rsa_helper.c Loading commit data...
rsaprivkey.asn1 Loading commit data...
rsapubkey.asn1 Loading commit data...
salsa20_generic.c Loading commit data...
scatterwalk.c Loading commit data...
scompress.c Loading commit data...
seed.c Loading commit data...
seqiv.c Loading commit data...
serpent_generic.c Loading commit data...
sha1_generic.c Loading commit data...
sha256_generic.c Loading commit data...
sha3_generic.c Loading commit data...
sha512_generic.c Loading commit data...
shash.c Loading commit data...
simd.c Loading commit data...
skcipher.c Loading commit data...
sm3_generic.c Loading commit data...
sm4_generic.c Loading commit data...
streebog_generic.c Loading commit data...
tcrypt.c Loading commit data...
tcrypt.h Loading commit data...
tea.c Loading commit data...
testmgr.c Loading commit data...
testmgr.h Loading commit data...
tgr192.c Loading commit data...
twofish_common.c Loading commit data...
twofish_generic.c Loading commit data...
vmac.c Loading commit data...
wp512.c Loading commit data...
xcbc.c Loading commit data...
xor.c Loading commit data...
xts.c Loading commit data...
zstd.c Loading commit data...