• YueHaibing's avatar
    ipvs: Fix use-after-free in ip_vs_in · 72634d7f
    YueHaibing authored
    [ Upstream commit 719c7d563c17b150877cee03a4b812a424989dfa ]
    
    BUG: KASAN: use-after-free in ip_vs_in.part.29+0xe8/0xd20 [ip_vs]
    Read of size 4 at addr ffff8881e9b26e2c by task sshd/5603
    
    CPU: 0 PID: 5603 Comm: sshd Not tainted 4.19.39+ #30
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    Call Trace:
     dump_stack+0x71/0xab
     print_address_description+0x6a/0x270
     kasan_report+0x179/0x2c0
     ip_vs_in.part.29+0xe8/0xd20 [ip_vs]
     ip_vs_in+0xd8/0x170 [ip_vs]
     nf_hook_slow+0x5f/0xe0
     __ip_local_out+0x1d5/0x250
     ip_local_out+0x19/0x60
     __tcp_transmit_skb+0xba1/0x14f0
     tcp_write_xmit+0x41f/0x1ed0
     ? _copy_from_iter_full+0xca/0x340
     __tcp_push_pending_frames+0x52/0x140
     tcp_sendmsg_locked+0x787/0x1600
     ? tcp_sendpage+0x60/0x60
     ? inet_sk_set_state+0xb0/0xb0
     tcp_sendmsg+0x27/0x40
     sock_sendmsg+0x6d/0x80
     sock_write_iter+0x121/0x1c0
     ? sock_sendmsg+0x80/0x80
     __vfs_write+0x23e/0x370
     vfs_write+0xe7/0x230
     ksys_write+0xa1/0x120
     ? __ia32_sys_read+0x50/0x50
     ? __audit_syscall_exit+0x3ce/0x450
     do_syscall_64+0x73/0x200
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x7ff6f6147c60
    Code: 73 01 c3 48 8b 0d 28 12 2d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 5d 73 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83
    RSP: 002b:00007ffd772ead18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000000034 RCX: 00007ff6f6147c60
    RDX: 0000000000000034 RSI: 000055df30a31270 RDI: 0000000000000003
    RBP: 000055df30a31270 R08: 0000000000000000 R09: 0000000000000000
    R10: 00007ffd772ead70 R11: 0000000000000246 R12: 00007ffd772ead74
    R13: 00007ffd772eae20 R14: 00007ffd772eae24 R15: 000055df2f12ddc0
    
    Allocated by task 6052:
     kasan_kmalloc+0xa0/0xd0
     __kmalloc+0x10a/0x220
     ops_init+0x97/0x190
     register_pernet_operations+0x1ac/0x360
     register_pernet_subsys+0x24/0x40
     0xffffffffc0ea016d
     do_one_initcall+0x8b/0x253
     do_init_module+0xe3/0x335
     load_module+0x2fc0/0x3890
     __do_sys_finit_module+0x192/0x1c0
     do_syscall_64+0x73/0x200
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Freed by task 6067:
     __kasan_slab_free+0x130/0x180
     kfree+0x90/0x1a0
     ops_free_list.part.7+0xa6/0xc0
     unregister_pernet_operations+0x18b/0x1f0
     unregister_pernet_subsys+0x1d/0x30
     ip_vs_cleanup+0x1d/0xd2f [ip_vs]
     __x64_sys_delete_module+0x20c/0x300
     do_syscall_64+0x73/0x200
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The buggy address belongs to the object at ffff8881e9b26600 which belongs to the cache kmalloc-4096 of size 4096
    The buggy address is located 2092 bytes inside of 4096-byte region [ffff8881e9b26600, ffff8881e9b27600)
    The buggy address belongs to the page:
    page:ffffea0007a6c800 count:1 mapcount:0 mapping:ffff888107c0e600 index:0x0 compound_mapcount: 0
    flags: 0x17ffffc0008100(slab|head)
    raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff888107c0e600
    raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    while unregistering ipvs module, ops_free_list calls
    __ip_vs_cleanup, then nf_unregister_net_hooks be called to
    do remove nf hook entries. It need a RCU period to finish,
    however net->ipvs is set to NULL immediately, which will
    trigger NULL pointer dereference when a packet is hooked
    and handled by ip_vs_in where net->ipvs is dereferenced.
    
    Another scene is ops_free_list call ops_free to free the
    net_generic directly while __ip_vs_cleanup finished, then
    calling ip_vs_in will triggers use-after-free.
    
    This patch moves nf_unregister_net_hooks from __ip_vs_cleanup()
    to __ip_vs_dev_cleanup(),  where rcu_barrier() is called by
    unregister_pernet_device -> unregister_pernet_operations,
    that will do the needed grace period.
    Reported-by: 's avatarHulk Robot <hulkci@huawei.com>
    Fixes: efe41606 ("ipvs: convert to use pernet nf_hook api")
    Suggested-by: 's avatarJulian Anastasov <ja@ssi.bg>
    Signed-off-by: 's avatarYueHaibing <yuehaibing@huawei.com>
    Acked-by: 's avatarJulian Anastasov <ja@ssi.bg>
    Signed-off-by: 's avatarSimon Horman <horms@verge.net.au>
    Signed-off-by: 's avatarPablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
    72634d7f
Name
Last commit
Last update
..
ipset Loading commit data...
ipvs Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
core.c Loading commit data...
nf_conntrack_acct.c Loading commit data...
nf_conntrack_amanda.c Loading commit data...
nf_conntrack_broadcast.c Loading commit data...
nf_conntrack_core.c Loading commit data...
nf_conntrack_ecache.c Loading commit data...
nf_conntrack_expect.c Loading commit data...
nf_conntrack_extend.c Loading commit data...
nf_conntrack_ftp.c Loading commit data...
nf_conntrack_h323_asn1.c Loading commit data...
nf_conntrack_h323_main.c Loading commit data...
nf_conntrack_h323_types.c Loading commit data...
nf_conntrack_helper.c Loading commit data...
nf_conntrack_irc.c Loading commit data...
nf_conntrack_l3proto_generic.c Loading commit data...
nf_conntrack_labels.c Loading commit data...
nf_conntrack_netbios_ns.c Loading commit data...
nf_conntrack_netlink.c Loading commit data...
nf_conntrack_pptp.c Loading commit data...
nf_conntrack_proto.c Loading commit data...
nf_conntrack_proto_dccp.c Loading commit data...
nf_conntrack_proto_generic.c Loading commit data...
nf_conntrack_proto_gre.c Loading commit data...
nf_conntrack_proto_sctp.c Loading commit data...
nf_conntrack_proto_tcp.c Loading commit data...
nf_conntrack_proto_udp.c Loading commit data...
nf_conntrack_sane.c Loading commit data...
nf_conntrack_seqadj.c Loading commit data...
nf_conntrack_sip.c Loading commit data...
nf_conntrack_snmp.c Loading commit data...
nf_conntrack_standalone.c Loading commit data...
nf_conntrack_tftp.c Loading commit data...
nf_conntrack_timeout.c Loading commit data...
nf_conntrack_timestamp.c Loading commit data...
nf_dup_netdev.c Loading commit data...
nf_internals.h Loading commit data...
nf_log.c Loading commit data...
nf_log_common.c Loading commit data...
nf_log_netdev.c Loading commit data...
nf_nat_amanda.c Loading commit data...
nf_nat_core.c Loading commit data...
nf_nat_ftp.c Loading commit data...
nf_nat_helper.c Loading commit data...
nf_nat_irc.c Loading commit data...
nf_nat_proto_common.c Loading commit data...
nf_nat_proto_dccp.c Loading commit data...
nf_nat_proto_sctp.c Loading commit data...
nf_nat_proto_tcp.c Loading commit data...
nf_nat_proto_udp.c Loading commit data...
nf_nat_proto_unknown.c Loading commit data...
nf_nat_redirect.c Loading commit data...
nf_nat_sip.c Loading commit data...
nf_nat_tftp.c Loading commit data...
nf_queue.c Loading commit data...
nf_sockopt.c Loading commit data...
nf_synproxy_core.c Loading commit data...
nf_tables_api.c Loading commit data...
nf_tables_core.c Loading commit data...
nf_tables_inet.c Loading commit data...
nf_tables_netdev.c Loading commit data...
nf_tables_trace.c Loading commit data...
nfnetlink.c Loading commit data...
nfnetlink_acct.c Loading commit data...
nfnetlink_cthelper.c Loading commit data...
nfnetlink_cttimeout.c Loading commit data...
nfnetlink_log.c Loading commit data...
nfnetlink_queue.c Loading commit data...
nft_bitwise.c Loading commit data...
nft_byteorder.c Loading commit data...
nft_cmp.c Loading commit data...
nft_compat.c Loading commit data...
nft_counter.c Loading commit data...
nft_ct.c Loading commit data...
nft_dup_netdev.c Loading commit data...
nft_dynset.c Loading commit data...
nft_exthdr.c Loading commit data...
nft_fib.c Loading commit data...
nft_fib_inet.c Loading commit data...
nft_fib_netdev.c Loading commit data...
nft_fwd_netdev.c Loading commit data...
nft_hash.c Loading commit data...
nft_immediate.c Loading commit data...
nft_limit.c Loading commit data...
nft_log.c Loading commit data...
nft_lookup.c Loading commit data...
nft_masq.c Loading commit data...
nft_meta.c Loading commit data...
nft_nat.c Loading commit data...
nft_numgen.c Loading commit data...
nft_objref.c Loading commit data...
nft_payload.c Loading commit data...
nft_queue.c Loading commit data...
nft_quota.c Loading commit data...
nft_range.c Loading commit data...
nft_redir.c Loading commit data...
nft_reject.c Loading commit data...
nft_reject_inet.c Loading commit data...
nft_rt.c Loading commit data...
nft_set_bitmap.c Loading commit data...
nft_set_hash.c Loading commit data...
nft_set_rbtree.c Loading commit data...
x_tables.c Loading commit data...
xt_AUDIT.c Loading commit data...
xt_CHECKSUM.c Loading commit data...
xt_CLASSIFY.c Loading commit data...
xt_CONNSECMARK.c Loading commit data...
xt_CT.c Loading commit data...
xt_DSCP.c Loading commit data...
xt_HL.c Loading commit data...
xt_HMARK.c Loading commit data...
xt_IDLETIMER.c Loading commit data...
xt_LED.c Loading commit data...
xt_LOG.c Loading commit data...
xt_NETMAP.c Loading commit data...
xt_NFLOG.c Loading commit data...
xt_NFQUEUE.c Loading commit data...
xt_RATEEST.c Loading commit data...
xt_REDIRECT.c Loading commit data...
xt_SECMARK.c Loading commit data...
xt_TCPMSS.c Loading commit data...
xt_TCPOPTSTRIP.c Loading commit data...
xt_TEE.c Loading commit data...
xt_TPROXY.c Loading commit data...
xt_TRACE.c Loading commit data...
xt_addrtype.c Loading commit data...
xt_bpf.c Loading commit data...
xt_cgroup.c Loading commit data...
xt_cluster.c Loading commit data...
xt_comment.c Loading commit data...
xt_connbytes.c Loading commit data...
xt_connlabel.c Loading commit data...
xt_connlimit.c Loading commit data...
xt_connmark.c Loading commit data...
xt_conntrack.c Loading commit data...
xt_cpu.c Loading commit data...
xt_dccp.c Loading commit data...
xt_devgroup.c Loading commit data...
xt_dscp.c Loading commit data...
xt_ecn.c Loading commit data...
xt_esp.c Loading commit data...
xt_hashlimit.c Loading commit data...
xt_helper.c Loading commit data...
xt_hl.c Loading commit data...
xt_ipcomp.c Loading commit data...
xt_iprange.c Loading commit data...
xt_ipvs.c Loading commit data...
xt_l2tp.c Loading commit data...
xt_length.c Loading commit data...
xt_limit.c Loading commit data...
xt_mac.c Loading commit data...
xt_mark.c Loading commit data...
xt_multiport.c Loading commit data...
xt_nat.c Loading commit data...
xt_nfacct.c Loading commit data...
xt_osf.c Loading commit data...
xt_owner.c Loading commit data...
xt_physdev.c Loading commit data...
xt_pkttype.c Loading commit data...
xt_policy.c Loading commit data...
xt_quota.c Loading commit data...
xt_rateest.c Loading commit data...
xt_realm.c Loading commit data...
xt_recent.c Loading commit data...
xt_repldata.h Loading commit data...
xt_sctp.c Loading commit data...
xt_set.c Loading commit data...
xt_socket.c Loading commit data...
xt_state.c Loading commit data...
xt_statistic.c Loading commit data...
xt_string.c Loading commit data...
xt_tcpmss.c Loading commit data...
xt_tcpudp.c Loading commit data...
xt_time.c Loading commit data...
xt_u32.c Loading commit data...