crypto: use-after-free in alg_bind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

On commit 8513342170278468bac126640a5d2d12ffbff106
+ crypto: algif_skcipher - Use new skcipher interface
+ crypto: algif_skcipher - Require setkey before accept(2)
+ crypto: af_alg - Disallow bind/setkey/... after accept(2)

The following program causes use-after-free in alg_bind and later
terminates kernel:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

int fd;

void *thr(void *arg)
{
        switch ((long)arg) {
        case 0:
                fd = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
        case 1:
                *(uint16_t*)0x20000000 = (uint16_t)0x26;
                memcpy((void*)0x20000002,
"\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
                *(uint32_t*)0x20000010 = (uint32_t)0x2a;
                *(uint32_t*)0x20000014 = (uint32_t)0x8;
                memcpy((void*)0x20000018,
"\x65\x63\x62\x28\x61\x65\x73\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
64);
                syscall(SYS_bind, fd, 0x20000000ul, 0x58ul, 0, 0, 0);
                break;
        case 2:
                syscall(SYS_accept4, fd, 0, 0, 0x80000ul, 0, 0);
                break;
        }
        return 0;
}

int main()
{
        long i;
        pthread_t th[6];

        syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
        for (i = 0; i < 6; i++)
                pthread_create(&th[i], 0, thr, (void*)(i%3));
        usleep(10000);
        return 0;
}


==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x39db/0x3ca0 at addr
ffff880033e94f60
Read of size 8 by task a.out/7532
=============================================================================
BUG kmalloc-2048 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in sk_prot_alloc+0x1ed/0x340 age=1 cpu=1 pid=7532
[<     inline     >] kmalloc include/linux/slab.h:463
[<      none      >] sk_prot_alloc+0x1ed/0x340 net/core/sock.c:1354
[<      none      >] sk_alloc+0x3a/0x6b0 net/core/sock.c:1419
[<      none      >] alg_create+0x93/0x170 crypto/af_alg.c:370
[<      none      >] __sock_create+0x37c/0x640 net/socket.c:1162
[<     inline     >] sock_create net/socket.c:1202
[<     inline     >] SYSC_socket net/socket.c:1232
[<      none      >] SyS_socket+0xef/0x1b0 net/socket.c:1212

INFO: Freed in sk_destruct+0x3d7/0x490 age=1 cpu=0 pid=7531
[<      none      >] kfree+0x26a/0x290 mm/slub.c:3662
[<     inline     >] sk_prot_free net/core/sock.c:1391
[<      none      >] sk_destruct+0x3d7/0x490 net/core/sock.c:1467
[<      none      >] __sk_free+0x57/0x200 net/core/sock.c:1475
[<      none      >] sk_free+0x30/0x40 net/core/sock.c:1486
[<     inline     >] sock_put include/net/sock.h:1627
[<      none      >] af_alg_release+0x5b/0x70 crypto/af_alg.c:123
[<      none      >] sock_release+0x8d/0x1d0 net/socket.c:571
[<      none      >] sock_close+0x16/0x20 net/socket.c:1022
[<      none      >] __fput+0x233/0x780 fs/file_table.c:208
[<      none      >] ____fput+0x15/0x20 fs/file_table.c:244
[<      none      >] task_work_run+0x16b/0x200 kernel/task_work.c:115
[<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
[<      none      >] exit_to_usermode_loop+0x180/0x1a0
arch/x86/entry/common.c:251
[<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<      none      >] syscall_return_slowpath+0x19f/0x210
arch/x86/entry/common.c:344
[<      none      >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281

INFO: Slab 0xffffea0000cfa400 objects=13 used=8 fp=0xffff880033e94ec0
flags=0x1fffc0000004080
INFO: Object 0xffff880033e94ec0 @offset=20160 fp=0xffff880033e96c48
CPU: 1 PID: 7532 Comm: a.out Tainted: G    B           4.4.0-rc7+ #181
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88006a49fa10 ffffffff8289d9dd ffff88003e805200
 ffff880033e94ec0 ffff880033e90000 ffff88006a49fa40 ffffffff816c8e24
 ffff88003e805200 ffffea0000cfa400 ffff880033e94ec0 ffffffff88b866e0

Call Trace:
 [<ffffffff816d239e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:295
 [<ffffffff813ee5ab>] __lock_acquire+0x39db/0x3ca0 kernel/locking/lockdep.c:3092
 [<ffffffff813f0acf>] lock_acquire+0x19f/0x3c0 kernel/locking/lockdep.c:3585
 [<     inline     >] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137
 [<ffffffff85c8de0f>] _raw_spin_lock_bh+0x3f/0x50 kernel/locking/spinlock.c:175
 [<     inline     >] spin_lock_bh include/linux/spinlock.h:307
 [<ffffffff84b654d8>] lock_sock_nested+0x48/0x120 net/core/sock.c:2434
 [<     inline     >] lock_sock include/net/sock.h:1481
 [<ffffffff827ddc1a>] alg_bind+0x1aa/0x3f0 crypto/af_alg.c:182
 [<ffffffff84b5d84a>] SYSC_bind+0x1ea/0x250 net/socket.c:1376
 [<ffffffff84b5ff74>] SyS_bind+0x24/0x30 net/socket.c:1362
==================================================================
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux