KASAN: slab-use-after-free Read in ip_mc_drop_socket #376

Closed
cpaasch opened this issue Mar 20, 2023 · 2 comments
Comments

cpaasch (Member) commented Mar 20, 2023

Very likely the same as #371, as it is followed by a refcount warning. Reporting here for completeness.

syzkaller-id: f7fd4b52930a47edb24b4c289b5b682a4271e432

HEAD: de5e8fd

Trace:

MPTCP: addr_signal error, rm_addr=1
MPTCP: addr_signal error, rm_addr=1
==================================================================
BUG: KASAN: slab-use-after-free in ip_mc_drop_socket+0x21d/0x230 net/ipv4/igmp.c:2695
Read of size 8 at addr ffff888028289338 by task syz-executor.0/8217

CPU: 1 PID: 8217 Comm: syz-executor.0 Not tainted 6.3.0-rc1-gde5e8fd0123c #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x6e/0xa0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0xc5/0x620 mm/kasan/report.c:430
 kasan_report+0xad/0xe0 mm/kasan/report.c:536
 ip_mc_drop_socket+0x21d/0x230 net/ipv4/igmp.c:2695
 inet_release+0x4d/0x1f0 net/ipv4/af_inet.c:416
 __sock_release+0xcf/0x290 net/socket.c:653
 sock_close+0x15/0x20 net/socket.c:1395
 __fput+0x250/0xa20 fs/file_table.c:321
 task_work_run+0x14b/0x230 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9b9/0x2440 kernel/exit.c:869
 do_group_exit+0xc4/0x280 kernel/exit.c:1019
 get_signal+0x1ee1/0x21e0 kernel/signal.c:2859
 arch_do_signal_or_restart+0x74/0x5c0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xa2/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
 do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c2d9
Code: Unable to access opcode bytes at 0x45c2af.
RSP: 002b:00007f931f509cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000079c058 RCX: 000000000045c2d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000079c058
RBP: 000000000079c050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 0000000000000000 R15: 00007f931f50a700
 </TASK>

Allocated by task 13:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8b/0x90 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x55/0x160 mm/slab_common.c:980
 kmalloc include/linux/slab.h:584 [inline]
 sk_prot_alloc.constprop.0+0x11c/0x230 net/core/sock.c:2040
 sk_clone_lock+0x47/0x1420 net/core/sock.c:2244
 mptcp_sk_clone+0x23/0x520 net/mptcp/protocol.c:3162
 subflow_syn_recv_sock+0xc04/0x1320 net/mptcp/subflow.c:816
 tcp_get_cookie_sock+0xcd/0x890 net/ipv4/syncookies.c:207
 cookie_v4_check+0x157a/0x20c0 net/ipv4/syncookies.c:448
 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1670 [inline]
 tcp_v4_do_rcv+0x784/0xa30 net/ipv4/tcp_ipv4.c:1730
 tcp_v4_rcv+0x35e3/0x39c0 net/ipv4/tcp_ipv4.c:2133
 ip_protocol_deliver_rcu+0x6c/0xc30 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x29f/0x3b0 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_local_deliver+0x1ba/0x320 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:454 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x39b/0x410 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5477
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5591
 process_backlog+0x1af/0x5a0 net/core/dev.c:5919
 __napi_poll+0xb7/0x640 net/core/dev.c:6480
 napi_poll net/core/dev.c:6547 [inline]
 net_rx_action+0x97f/0xd50 net/core/dev.c:6657
 __do_softirq+0x1a5/0x5a0 kernel/softirq.c:571

Freed by task 8211:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2a/0x50 mm/kasan/generic.c:521
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x146/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x13f/0x280 mm/slub.c:3800
 sk_prot_free net/core/sock.c:2076 [inline]
 __sk_destruct+0x4d7/0x700 net/core/sock.c:2168
 rcu_do_batch kernel/rcu/tree.c:2112 [inline]
 rcu_core+0x5db/0x18c0 kernel/rcu/tree.c:2372
 __do_softirq+0x1a5/0x5a0 kernel/softirq.c:571

Last potentially related work creation:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x9f/0xb0 mm/kasan/generic.c:491
 __call_rcu_common.constprop.0+0x6b/0x9f0 kernel/rcu/tree.c:2622
 sk_destruct+0x8e/0xe0 net/core/sock.c:2181
 __sk_free+0xc4/0x3a0 net/core/sock.c:2194
 sk_free+0x78/0xa0 net/core/sock.c:2205
 sock_put include/net/sock.h:1968 [inline]
 mptcp_worker+0x78d/0x1080 net/mptcp/protocol.c:2742
 process_one_work+0x868/0x1220 kernel/workqueue.c:2390
 worker_thread+0xf5/0x1220 kernel/workqueue.c:2537
 kthread+0x2ab/0x360 kernel/kthread.c:376
 ret_from_fork+0x29/0x50 arch/x86/entry/entry_64.S:308

Second to last potentially related work creation:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x9f/0xb0 mm/kasan/generic.c:491
 insert_work+0x46/0x310 kernel/workqueue.c:1361
 __queue_work+0x677/0x1070 kernel/workqueue.c:1524
 queue_work_on+0x8e/0xa0 kernel/workqueue.c:1552
 queue_work include/linux/workqueue.h:504 [inline]
 schedule_work include/linux/workqueue.h:565 [inline]
 mptcp_schedule_work+0x102/0x1d0 net/mptcp/protocol.c:882
 subflow_sched_work_if_closed net/mptcp/subflow.c:1213 [inline]
 subflow_sched_work_if_closed net/mptcp/subflow.c:1206 [inline]
 subflow_check_data_avail net/mptcp/subflow.c:1303 [inline]
 mptcp_subflow_data_available+0x240c/0x3ca0 net/mptcp/subflow.c:1367
 subflow_state_change+0x140/0x880 net/mptcp/subflow.c:1798
 tcp_done+0x216/0x3a0 net/ipv4/tcp.c:4656
 tcp_reset+0x10e/0x2b0 net/ipv4/tcp_input.c:4339
 tcp_validate_incoming+0xd4c/0x16d0 net/ipv4/tcp_input.c:5817
 tcp_rcv_established+0x51a/0x1e50 net/ipv4/tcp_input.c:6002
 tcp_v4_do_rcv+0x640/0xa30 net/ipv4/tcp_ipv4.c:1721
 tcp_v4_rcv+0x34d0/0x39c0 net/ipv4/tcp_ipv4.c:2143
 ip_protocol_deliver_rcu+0x6c/0xc30 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x29f/0x3b0 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_local_deliver+0x1ba/0x320 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:454 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x39b/0x410 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5477
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5591
 process_backlog+0x1af/0x5a0 net/core/dev.c:5919
 __napi_poll+0xb7/0x640 net/core/dev.c:6480
 napi_poll net/core/dev.c:6547 [inline]
 net_rx_action+0x97f/0xd50 net/core/dev.c:6657
 __do_softirq+0x1a5/0x5a0 kernel/softirq.c:571

The buggy address belongs to the object at ffff888028289000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 824 bytes inside of
 freed 2048-byte region [ffff888028289000, ffff888028289800)

The buggy address belongs to the physical page:
page:00000000192be094 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802828a000 pfn:0x28288
head:00000000192be094 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffff888100042000 ffffea0004287a10 ffffea0004095210
raw: ffff88802828a000 0000000000080004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888028289200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028289280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888028289300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888028289380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028289400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 8217 at lib/refcount.c:25 refcount_warn_saturate+0x1b4/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 8217 Comm: syz-executor.0 Tainted: G    B              6.3.0-rc1-gde5e8fd0123c #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1b4/0x1f0 lib/refcount.c:25
Code: 03 31 ff 89 de e8 9c 3f 4f ff 84 db 0f 85 f6 fe ff ff e8 af 47 4f ff 48 c7 c7 40 95 b6 84 c6 05 a1 dc c4 03 01 e8 ac 36 23 ff <0f> 0b e9 d7 fe ff ff e8 90 47 4f ff 48 c7 c7 00 96 b6 84 c6 05 80
RSP: 0018:ffffc9001232f988 EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801ff11700 RSI: ffffffff8112d797 RDI: 0000000000000001
RBP: ffff888028289080 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 746e756f63666572 R12: ffff888028289000
R13: ffff88802e485518 R14: 0000000000000000 R15: ffffffff82b610a0
FS:  0000000000000000(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac554b4897 CR3: 00000000172a4003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 sock_hold include/net/sock.h:775 [inline]
 __mptcp_close+0x881/0x9d0 net/mptcp/protocol.c:3051
 mptcp_close+0x24/0xe0 net/mptcp/protocol.c:3072
 inet_release+0xe6/0x1f0 net/ipv4/af_inet.c:429
 __sock_release+0xcf/0x290 net/socket.c:653
 sock_close+0x15/0x20 net/socket.c:1395
 __fput+0x250/0xa20 fs/file_table.c:321
 task_work_run+0x14b/0x230 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9b9/0x2440 kernel/exit.c:869
 do_group_exit+0xc4/0x280 kernel/exit.c:1019
 get_signal+0x1ee1/0x21e0 kernel/signal.c:2859
 arch_do_signal_or_restart+0x74/0x5c0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xa2/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
 do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c2d9
Code: Unable to access opcode bytes at 0x45c2af.
RSP: 002b:00007f931f509cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000079c058 RCX: 000000000045c2d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000079c058
RBP: 000000000079c050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 0000000000000000 R15: 00007f931f50a700
 </TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8217 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 8217 Comm: syz-executor.0 Tainted: G    B   W          6.3.0-rc1-gde5e8fd0123c #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:refcount_warn_saturate+0x13c/0x1f0 lib/refcount.c:28
Code: 03 31 ff 89 de e8 14 40 4f ff 84 db 0f 85 6e ff ff ff e8 27 48 4f ff 48 c7 c7 a0 95 b6 84 c6 05 18 dd c4 03 01 e8 24 37 23 ff <0f> 0b e9 4f ff ff ff e8 08 48 4f ff 0f b6 1d fe dc c4 03 31 ff 89
RSP: 0018:ffffc9001232f968 EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801ff11700 RSI: ffffffff8112d797 RDI: 0000000000000001
RBP: ffff888028289080 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000063666572 R12: ffff888028289080
R13: ffff88802e485518 R14: 0000000000000000 R15: ffffffff82b610a0
FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001c690a8 CR3: 0000000103b67001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 sock_put include/net/sock.h:1967 [inline]
 __mptcp_destroy_sock+0x275/0x380 net/mptcp/protocol.c:2972
 __mptcp_close+0x731/0x9d0 net/mptcp/protocol.c:3057
 mptcp_close+0x24/0xe0 net/mptcp/protocol.c:3072
 inet_release+0xe6/0x1f0 net/ipv4/af_inet.c:429
 __sock_release+0xcf/0x290 net/socket.c:653
 sock_close+0x15/0x20 net/socket.c:1395
 __fput+0x250/0xa20 fs/file_table.c:321
 task_work_run+0x14b/0x230 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9b9/0x2440 kernel/exit.c:869
 do_group_exit+0xc4/0x280 kernel/exit.c:1019
 get_signal+0x1ee1/0x21e0 kernel/signal.c:2859
 arch_do_signal_or_restart+0x74/0x5c0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xa2/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
 do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c2d9
Code: Unable to access opcode bytes at 0x45c2af.
RSP: 002b:00007f931f509cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000079c058 RCX: 000000000045c2d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000079c058
RBP: 000000000079c050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 0000000000000000 R15: 00007f931f50a700
 </TASK>
---[ end trace 0000000000000000 ]---
TCP: request_sock_subflow_v4: Possible SYN flooding on port 0.0.0.0:20004. Sending cookies.
MPTCP: addr_signal error, rm_addr=1
openvswitch: netlink: Either Ethernet header or EtherType is required.
openvswitch: netlink: Either Ethernet header or EtherType is required.
openvswitch: netlink: Either Ethernet header or EtherType is required.
netlink: 'syz-executor.4': attribute type 11 has an invalid length.
netlink: 'syz-executor.4': attribute type 11 has an invalid length.
netlink: 'syz-executor.4': attribute type 11 has an invalid length.
dvmrp0: entered allmulticast mode
xt_NFQUEUE: number of total queues is 0
IPVS: set_ctl: invalid protocol: 136 10.1.1.2:20000
xt_NFQUEUE: number of total queues is 0
IPVS: set_ctl: invalid protocol: 136 10.1.1.2:20000
xt_NFQUEUE: number of total queues is 0
IPVS: set_ctl: invalid protocol: 136 10.1.1.2:20000

Kconfig:
Kconfig_k9_kasan.txt

No reproducer.
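For triaging reports like the one above, the following added example (not code from this issue or from the MPTCP project) parses a KASAN report into its access, allocation, free and work-creation stacks, recomputes the offset of the faulting address inside the freed object as a consistency check against the 824 bytes the kernel printed, names the first frame in each stack that belongs to a subsystem of interest (net/mptcp/ here) next to the first non-sanitizer frame, and collects the refcount_t warnings that follow. The sample input is a constructed excerpt of the report above with most frames trimmed; the NOISE path list, the section keys and the default subsystem prefix are the example's own assumptions.

```python
import re
# Constructed excerpt of the KASAN report in this issue (most frames trimmed); sample input.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: slab-use-after-free in ip_mc_drop_socket+0x21d/0x230 net/ipv4/igmp.c:2695
Read of size 8 at addr ffff888028289338 by task syz-executor.0/8217
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 kasan_report+0xad/0xe0 mm/kasan/report.c:536
 ip_mc_drop_socket+0x21d/0x230 net/ipv4/igmp.c:2695
Allocated by task 13:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 __kmalloc+0x55/0x160 mm/slab_common.c:980
 sk_prot_alloc.constprop.0+0x11c/0x230 net/core/sock.c:2040
 mptcp_sk_clone+0x23/0x520 net/mptcp/protocol.c:3162
Freed by task 8211:
 __kmem_cache_free+0x13f/0x280 mm/slub.c:3800
 sk_prot_free net/core/sock.c:2076 [inline]
 __sk_destruct+0x4d7/0x700 net/core/sock.c:2168
Last potentially related work creation:
 __call_rcu_common.constprop.0+0x6b/0x9f0 kernel/rcu/tree.c:2622
 sk_destruct+0x8e/0xe0 net/core/sock.c:2181
 mptcp_worker+0x78d/0x1080 net/mptcp/protocol.c:2742
The buggy address belongs to the object at ffff888028289000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 824 bytes inside of
 freed 2048-byte region [ffff888028289000, ffff888028289800)
==================================================================
refcount_t: addition on 0; use-after-free.
refcount_t: underflow; use-after-free.
"""

BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in ")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
SECTION_RE = re.compile(r"^(Call Trace|Allocated by|Freed by|Last potentially|Second to last)")
FRAME_RE = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)(?:\s+\[inline\])?$")
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"located (\d+) bytes inside of")
SECTION_KEYS = {"Call Trace": "access", "Allocated by": "alloc", "Freed by": "free",
                "Last potentially": "work1", "Second to last": "work2"}
# Assumed list of sanitizer, slab-allocator and RCU/workqueue paths that never name the owner.
NOISE = ("mm/kasan/", "lib/dump_stack", "mm/slub", "mm/slab", "kernel/rcu/",
         "kernel/workqueue", "include/linux/workqueue.h", "kernel/softirq")

def parse_kasan_report(text):
    """Parse the first KASAN report in a kernel log into a dict; frames are (func, site)."""
    rep = {"stacks": {}}
    section, started = None, False
    for line in text.splitlines():
        if line.startswith("====="):
            if started:
                break               # closing rule of the first report
            started = True
            continue
        if not started:
            continue
        if m := BUG_RE.match(line):
            rep["bug"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            rep["kind"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["task"] = int(m.group(3), 16), m.group(4)
        elif m := SECTION_RE.match(line):
            section = SECTION_KEYS[m.group(1)]
            rep["stacks"][section] = []
        elif (m := FRAME_RE.match(line)) and section:
            rep["stacks"][section].append((m.group(1), m.group(2)))
        elif m := OBJECT_RE.search(line):
            rep["base"] = int(m.group(1), 16)
        elif m := CACHE_RE.search(line):
            rep["cache"], rep["obj_size"] = m.group(1), int(m.group(2))
        elif m := OFFSET_RE.search(line):
            rep["reported_offset"] = int(m.group(1))
    return rep

def blame(frames, subsystem=None):
    """First frame under path prefix `subsystem`, else the first frame outside NOISE."""
    def wanted(site):
        return site.startswith(subsystem) if subsystem else not site.startswith(NOISE)
    return next((func for func, site in frames if wanted(site)), None)

def triage(text, subsystem="net/mptcp/"):
    """Condense a report to the facts a triager needs, plus an internal consistency check."""
    rep = parse_kasan_report(text)
    offset = rep["addr"] - rep["base"]
    out = {
        "bug": rep["bug"],
        "where": f'{rep["kind"]} of {rep["size"]} bytes at +{offset} in {rep["cache"]}',
        # the offset the kernel printed must agree with the addresses it printed
        "offset_consistent": offset == rep["reported_offset"] and 0 <= offset < rep["obj_size"],
        "refcount": re.findall(r"^refcount_t: (.*)$", text, re.M),  # corroborating warnings
    }
    for key, frames in rep["stacks"].items():
        out[key] = (blame(frames), blame(frames, subsystem))   # (generic owner, subsystem frame)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

On the excerpt, `triage` reports the read as 824 bytes into a kmalloc-2k object (matching the kernel's own arithmetic), the allocation owned by `sk_prot_alloc` via `mptcp_sk_clone`, the free via `sk_prot_free` from an RCU callback, and the last related work queued from `mptcp_worker`, which is the same picture a reader has to assemble by hand from the four stacks above.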

pabeni commented Mar 27, 2023

Even this one looks like it is closely related to #371.

cpaasch (Member, Author) commented Apr 25, 2023

No more happening. Closing.

cpaasch closed this as completed Apr 25, 2023