diff mbox series

aoe: fix UAF in tx()

Message ID 20211119021743.1124606-1-yangyingliang@huawei.com (mailing list archive)
State New, archived
Headers show
Series aoe: fix UAF in tx() | expand

Commit Message

Yang Yingliang Nov. 19, 2021, 2:17 a.m. UTC
I got a UAF report when doing fuzz test:

[14631.865133][ T1288] BUG: KASAN: use-after-free in __dev_queue_xmit+0x1cf/0x1cd0
[14631.866261][ T1288] Read of size 8 at addr ffff8881207d08e0 by task aoe_tx0/1288
[14631.867316][ T1288]
[14631.867667][ T1288] CPU: 1 PID: 1288 Comm: aoe_tx0 Not tainted 5.16.0-rc1 #580
[14631.868672][ T1288] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[14631.870021][ T1288] Call Trace:
[14631.870481][ T1288]  <TASK>
[14631.870883][ T1288]  dump_stack_lvl+0xec/0x139
[14631.872267][ T1288]  print_address_description.constprop.11+0x41/0x60
[14631.874610][ T1288]  kasan_report.cold.16+0x83/0xdf
[14631.876825][ T1288]  __dev_queue_xmit+0x1cf/0x1cd0
[14631.888195][ T1288]  tx+0x5d/0xa0
[14631.889338][ T1288]  kthread+0x13d/0x210
[14631.892438][ T1288]  kthread+0x259/0x2a0
[14631.893704][ T1288]  ret_from_fork+0x1f/0x30
[14631.894325][ T1288]  </TASK>
[14631.894738][ T1288]
[14631.895055][ T1288] Allocated by task 22185:
[14631.895679][ T1288]  kasan_save_stack+0x1c/0x40
[14631.896336][ T1288]  __kasan_kmalloc+0x82/0xa0
[14631.896965][ T1288]  kvmalloc_node+0xb2/0x120
[14631.897590][ T1288]  alloc_netdev_mqs+0x96/0x7e0
[14631.898244][ T1288]  __tun_chr_ioctl+0x16bd/0x2a50
[14631.898925][ T1288]  __x64_sys_ioctl+0x116/0x170
[14631.899592][ T1288]  do_syscall_64+0x34/0xb0
[14631.900210][ T1288]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[14631.901026][ T1288]
[14631.901343][ T1288] Freed by task 22185:
[14631.901900][ T1288]  kasan_save_stack+0x1c/0x40
[14631.902546][ T1288]  kasan_set_track+0x21/0x30
[14631.903179][ T1288]  kasan_set_free_info+0x20/0x30
[14631.903862][ T1288]  __kasan_slab_free+0xc6/0x100
[14631.904533][ T1288]  kfree+0xc3/0x1d0
[14631.905065][ T1288]  kvfree+0x43/0x50
[14631.905593][ T1288]  device_release+0x5b/0x120
[14631.906245][ T1288]  kobject_put+0x120/0x1c0
[14631.906861][ T1288]  netdev_run_todo+0x433/0x590
[14631.907526][ T1288]  tun_chr_close+0x7b/0xb0
[14631.908136][ T1288]  __fput+0x178/0x5b0
[14631.908692][ T1288]  task_work_run+0xa7/0xf0
[14631.909301][ T1288]  do_exit+0x7f3/0x1a00
[14631.909878][ T1288]  do_group_exit+0x99/0x180
[14631.910492][ T1288]  __x64_sys_exit_group+0x28/0x30
[14631.911186][ T1288]  do_syscall_64+0x34/0xb0
[14631.911812][ T1288]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[14631.912629][ T1288]
[14631.912949][ T1288] The buggy address belongs to the object at ffff8881207d0000
[14631.912949][ T1288]  which belongs to the cache kmalloc-cg-16k of size 16384
[14631.914900][ T1288] The buggy address is located 2272 bytes inside of
[14631.914900][ T1288]  16384-byte region [ffff8881207d0000, ffff8881207d4000)
[14631.916739][ T1288] The buggy address belongs to the page:
[14631.917511][ T1288] page:0000000060187b1d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1207d0
[14631.918919][ T1288] head:0000000060187b1d order:3 compound_mapcount:0 compound_pincount:0
[14631.920068][ T1288] flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
[14631.921188][ T1288] raw: 057ff00000010200 ffffea0002b90a08 ffff888100002018 ffff88800a843f00
[14631.922372][ T1288] raw: 0000000000000000 ffff8881207d0000 0000000100000001 0000000000000000
[14631.922918][ T5332] Bluetooth: hci0: command 0x0409 tx timeout
[14631.923545][ T1288] page dumped because: kasan: bad access detected
[14631.923553][ T1288]
[14631.925582][ T1288] Memory state around the buggy address:
[14631.926347][ T1288]  ffff8881207d0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[14631.927452][ T1288]  ffff8881207d0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[14631.928546][ T1288] >ffff8881207d0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[14631.929629][ T1288]                                                        ^
[14631.930600][ T1288]  ffff8881207d0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[14631.931693][ T1288]  ffff8881207d0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

After skb queued into skbtxq, the net device of skb may be freed before it's
sent in tx(), then it leads a UAF. So hold the reference of device to avoid
the device been freed, put the reference after dev_queue_xmit().

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/block/aoe/aoenet.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
index 63773a90581d..f2cb5d42cc6a 100644
--- a/drivers/block/aoe/aoenet.c
+++ b/drivers/block/aoe/aoenet.c
@@ -64,6 +64,7 @@  tx(int id) __must_hold(&txlock)
 			pr_warn("aoe: packet could not be sent on %s.  %s\n",
 				ifp ? ifp->name : "netif",
 				"consider increasing tx_queue_len");
+		dev_put(ifp);
 		spin_lock_irq(&txlock);
 	}
 	return 0;
@@ -117,6 +118,7 @@  aoenet_xmit(struct sk_buff_head *queue)
 
 	skb_queue_walk_safe(queue, skb, tmp) {
 		__skb_unlink(skb, queue);
+		dev_hold(skb->dev);
 		spin_lock_irqsave(&txlock, flags);
 		skb_queue_tail(&skbtxq, skb);
 		spin_unlock_irqrestore(&txlock, flags);