net: kcm: use previously opened message only once

Message ID	20240801130833.680962-1-dmantipov@yandex.ru (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from forward204b.mail.yandex.net (forward204b.mail.yandex.net [178.154.239.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 11F141A4F07 for <netdev@vger.kernel.org>; Thu, 1 Aug 2024 13:15:44 +0000 (UTC) From: Dmitry Antipov <dmantipov@yandex.ru> To: Tom Herbert <tom@herbertland.com> Cc: Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org, lvc-project@linuxtesting.org, Dmitry Antipov <dmantipov@yandex.ru>, syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com Subject: [PATCH] net: kcm: use previously opened message only once Date: Thu, 1 Aug 2024 16:08:33 +0300 Message-ID: <20240801130833.680962-1-dmantipov@yandex.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	net: kcm: use previously opened message only once \| expand net: kcm: use previously opened message only once

Message ID

20240801130833.680962-1-dmantipov@yandex.ru (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: Dmitry Antipov <dmantipov@yandex.ru>
To: Tom Herbert <tom@herbertland.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org,
	lvc-project@linuxtesting.org,
	Dmitry Antipov <dmantipov@yandex.ru>,
	syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Subject: [PATCH] net: kcm: use previously opened message only once
Date: Thu,  1 Aug 2024 16:08:33 +0300
Message-ID: <20240801130833.680962-1-dmantipov@yandex.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

net: kcm: use previously opened message only once | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 42 this patch: 42
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	warning	2 maintainers not CCed: kuniyu@amazon.com edumazet@google.com
netdev/build_clang	success	Errors and warnings before: 43 this patch: 43
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 43 this patch: 43
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2024-08-06--00-00 (tests: 707)

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 42 this patch: 42

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

warning

2 maintainers not CCed: kuniyu@amazon.com edumazet@google.com

netdev/build_clang

success

Errors and warnings before: 43 this patch: 43

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 43 this patch: 43

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 8 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

success

net-next-2024-08-06--00-00 (tests: 707)

Commit Message

Dmitry Antipov Aug. 1, 2024, 1:08 p.m. UTC

When syzkaller reproducer injects 'alloc_skb()' failure at line
817, 'kcm_sendmsg()' may return with partial message saved at
'kcm->seq_skb'. Next call of this function will try to build the
next message starting from the saved one, but should do it only
once. Otherwise a complete mess in skb management causes an
undefined behavior of any kind, including UAFs reported by KASAN.

Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reported-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b72d86aa5df17ce74c60
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 net/kcm/kcmsock.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jakub Kicinski Aug. 6, 2024, midnight UTC | #1

On Thu,  1 Aug 2024 16:08:33 +0300 Dmitry Antipov wrote:
> When syzkaller reproducer injects 'alloc_skb()' failure at line
> 817, 'kcm_sendmsg()' may return with partial message saved at
> 'kcm->seq_skb'. Next call of this function will try to build the
> next message starting from the saved one, but should do it only
> once. Otherwise a complete mess in skb management causes an
> undefined behavior of any kind, including UAFs reported by KASAN.
> 
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Reported-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b72d86aa5df17ce74c60
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
>  net/kcm/kcmsock.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
> index 2f191e50d4fc..fa5ce5c88045 100644
> --- a/net/kcm/kcmsock.c
> +++ b/net/kcm/kcmsock.c
> @@ -766,6 +766,8 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
>  	if (kcm->seq_skb) {
>  		/* Previously opened message */
>  		head = kcm->seq_skb;
> +		/* ...should be used only once */
> +		kcm->seq_skb = NULL;
>  		skb = kcm_tx_msg(head)->last_skb;
>  		goto start;
>  	}

Not sure how much this matters but if we clear seq_skb then handling
here:
https://elixir.bootlin.com/linux/v6.10-rc4/source/net/kcm/kcmsock.c#L940
will work differently.

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 2f191e50d4fc..fa5ce5c88045 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -766,6 +766,8 @@  static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 	if (kcm->seq_skb) {
 		/* Previously opened message */
 		head = kcm->seq_skb;
+		/* ...should be used only once */
+		kcm->seq_skb = NULL;
 		skb = kcm_tx_msg(head)->last_skb;
 		goto start;
 	}

net: kcm: use previously opened message only once

Checks

Commit Message

Comments

Patch