Today I found the following problem using syzkaller.
BUG: KASAN: use-after-free in pfeng_netif_logif_xmit+0x5d4/0xa00 drivers/net/ethernet/freescale/../../../../../../../pfe/pfe/git/sw/linux-pfeng/pfeng-netif.c:357
Read of size 4 at addr ffffff80084ff830 by task rEvt09197f69d54/417
CPU: 1 PID: 417 Comm: rEvt09197f69d54 Tainted: G W 5.10.41-rt42+g5de5ef721718 #1
Hardware name: Freescale S32G274 (DT)
Call trace:
__ll_sc_atomic64_or arch/arm64/include/asm/atomic_ll_sc.h:222 [inline]
arch_atomic64_or arch/arm64/include/asm/atomic.h:65 [inline]
atomic64_or include/asm-generic/atomic-instrumented.h:1328 [inline]
atomic_long_or include/asm-generic/atomic-long.h:329 [inline]
set_bit include/asm-generic/bitops/atomic.h:17 [inline]
dump_backtrace+0x0/0x35c arch/arm64/kernel/stacktrace.c:76
show_stack+0x2c/0x40 arch/arm64/kernel/stacktrace.c:196
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x148/0x1bc lib/dump_stack.c:120
print_address_description.constprop.0+0x6c/0x488 mm/kasan/report.c:385
__kasan_report mm/kasan/report.c:545 [inline]
kasan_report+0x110/0x210 mm/kasan/report.c:562
check_memory_region_inline mm/kasan/generic.c:186 [inline]
__asan_load4+0x94/0xd0 mm/kasan/generic.c:251
pfeng_netif_logif_xmit+0x5d4/0xa00 drivers/net/ethernet/freescale/../../../../../../../pfe/pfe/git/sw/linux-pfeng/pfeng-netif.c:357
__netdev_start_xmit include/linux/netdevice.h:4772 [inline]
netdev_start_xmit include/linux/netdevice.h:4786 [inline]
xmit_one net/core/dev.c:3578 [inline]
dev_hard_start_xmit+0x16c/0x26c net/core/dev.c:3594
sch_direct_xmit+0x1a0/0x69c net/sched/sch_generic.c:342
__dev_xmit_skb net/core/dev.c:3783 [inline]
__dev_queue_xmit+0x658/0x1140 net/core/dev.c:4151
dev_queue_xmit+0x24/0x34 net/core/dev.c:4216
vlan_dev_hard_start_xmit+0x160/0x28c net/8021q/vlan_dev.c:124
__netdev_start_xmit include/linux/netdevice.h:4772 [inline]
netdev_start_xmit include/linux/netdevice.h:4786 [inline]
xmit_one net/core/dev.c:3578 [inline]
dev_hard_start_xmit+0x16c/0x26c net/core/dev.c:3594
__dev_queue_xmit+0xec0/0x1140 net/core/dev.c:4183
dev_queue_xmit+0x24/0x34 net/core/dev.c:4216
neigh_connected_output+0x198/0x220 net/core/neighbour.c:1521
neigh_output include/net/neighbour.h:510 [inline]
ip_finish_output2+0x308/0xbf4 net/ipv4/ip_output.c:230
__ip_finish_output+0x170/0x2d0 net/ipv4/ip_output.c:308
ip_finish_output net/ipv4/ip_output.c:318 [inline]
NF_HOOK_COND include/linux/netfilter.h:290 [inline]
ip_mc_output+0x27c/0x56c net/ipv4/ip_output.c:417
dst_output include/net/dst.h:443 [inline]
ip_local_out net/ipv4/ip_output.c:126 [inline]
ip_send_skb+0x74/0x1d0 net/ipv4/ip_output.c:1568
udp_send_skb+0x244/0x6c0 net/ipv4/udp.c:948
udp_sendmsg+0xd28/0xfec net/ipv4/udp.c:1235
inet_sendmsg+0x68/0xac net/ipv4/af_inet.c:817
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0x9c/0xb0 net/socket.c:671
____sys_sendmsg+0x39c/0x3c0 net/socket.c:2353
___sys_sendmsg+0xf4/0x154 net/socket.c:2407
__sys_sendmsg+0xd8/0x170 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg net/socket.c:2447 [inline]
__arm64_sys_sendmsg+0x50/0x64 net/socket.c:2447
__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
el0_svc_common.constprop.0+0xc8/0x2a4 arch/arm64/kernel/syscall.c:158
do_el0_svc+0xac/0xcc arch/arm64/kernel/syscall.c:197
el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:353
el0_sync_handler+0x254/0x260 arch/arm64/kernel/entry-common.c:369
el0_sync+0x180/0x1c0 arch/arm64/kernel/entry.S:686
Allocated by task 417:
kasan_save_stack+0x28/0x60 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xc8/0xf0 mm/kasan/common.c:461
kasan_slab_alloc+0x18/0x2c mm/kasan/common.c:469
slab_post_alloc_hook mm/slab.h:533 [inline]
slab_alloc_node mm/slub.c:2952 [inline]
slab_alloc mm/slub.c:2960 [inline]
kmem_cache_alloc+0x1e0/0x344 mm/slub.c:2965
kmem_cache_alloc_node include/linux/slab.h:423 [inline]
__alloc_skb+0xb8/0x2dc net/core/skbuff.c:198
alloc_skb include/linux/skbuff.h:1095 [inline]
alloc_skb_with_frags+0x74/0x2a0 net/core/skbuff.c:5868
sock_alloc_send_pskb+0x498/0x4bc net/core/sock.c:2323
sock_alloc_send_skb+0x44/0x60 net/core/sock.c:2340
__ip_append_data+0xdd8/0x157c net/ipv4/ip_output.c:1097
ip_make_skb+0x1a8/0x1ec net/ipv4/ip_output.c:1634
udp_sendmsg+0xcfc/0xfec net/ipv4/udp.c:1230
inet_sendmsg+0x68/0xac net/ipv4/af_inet.c:817
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0x9c/0xb0 net/socket.c:671
____sys_sendmsg+0x39c/0x3c0 net/socket.c:2353
___sys_sendmsg+0xf4/0x154 net/socket.c:2407
__sys_sendmsg+0xd8/0x170 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg net/socket.c:2447 [inline]
__arm64_sys_sendmsg+0x50/0x64 net/socket.c:2447
__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
el0_svc_common.constprop.0+0xc8/0x2a4 arch/arm64/kernel/syscall.c:158
do_el0_svc+0xac/0xcc arch/arm64/kernel/syscall.c:197
el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:353
el0_sync_handler+0x254/0x260 arch/arm64/kernel/entry-common.c:369
el0_sync+0x180/0x1c0 arch/arm64/kernel/entry.S:686
Freed by task 70:
kasan_save_stack+0x28/0x60 mm/kasan/common.c:48
kasan_set_track+0x28/0x40 mm/kasan/common.c:56
kasan_set_free_info+0x24/0x4c mm/kasan/generic.c:355
__kasan_slab_free+0x100/0x180 mm/kasan/common.c:422
kasan_slab_free+0x14/0x20 mm/kasan/common.c:431
slab_free_hook mm/slub.c:1547 [inline]
slab_free_freelist_hook mm/slub.c:1580 [inline]
slab_free mm/slub.c:3203 [inline]
kmem_cache_free_bulk mm/slub.c:3329 [inline]
kmem_cache_free_bulk+0x520/0x890 mm/slub.c:3316
_kfree_skb_defer net/core/skbuff.c:879 [inline]
napi_consume_skb+0x1f8/0x240 net/core/skbuff.c:909
pfeng_hif_chnl_txconf_free_map_full+0x1e0/0x20c drivers/net/ethernet/freescale/../../../../../../../pfe/pfe/git/sw/linux-pfeng/pfeng-bman.c:219
pfeng_hif_chnl_tx_conf drivers/net/ethernet/freescale/../../../../../../../pfe/pfe/git/sw/linux-pfeng/pfeng-hif.c:304 [inline]
pfeng_hif_chnl_poll+0x48/0x3c0 drivers/net/ethernet/freescale/../../../../../../../pfe/pfe/git/sw/linux-pfeng/pfeng-hif.c:338
napi_poll net/core/dev.c:6823 [inline]
net_rx_action+0x220/0x5cc net/core/dev.c:6893
_stext+0x170/0x330
The buggy address belongs to the object at ffffff80084ff7c0
The buggy address is located 112 bytes inside of
The buggy address belongs to the page:
page:0000000003bb961b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x884fe
head:0000000003bb961b order:1 compound_mapcount:0
flags: 0x10200(slab|head)
raw: 0000000000010200 dead000000000100 dead000000000122 ffffff8004ca8000
raw: 0000000000000000 0000000000190019 00000001ffffffff ffffff802699c401
page dumped because: kasan: bad access detected
page->mem_cgroup:ffffff802699c401
Memory state around the buggy address:
ffffff80084ff700: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
ffffff80084ff780: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffffff80084ff800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffffff80084ff880: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff80084ff900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
This vulnerability is likely to be exploited by attackers through a race condition, resulting in a system crash; I hope it can be fixed as soon as possible.
Regards.
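The ownership hand-off that the allocated-by/freed-by stacks above describe, as an added example in plain C (not the pfeng driver's code): `struct skb`, `tx_chnl`, `chnl_tx()` and `chnl_consume_skb()` are stand-ins invented here for the sk_buff, the HIF channel, `pfe_hif_chnl_tx()` and `napi_consume_skb()`, and the TX-confirm completion is modelled as running synchronously inside the submit call, which is the worst-case interleaving of the race. "Freed" objects are poisoned with 0xfb the way KASAN paints freed slab memory (the `fb` bytes in the report) instead of being released, so the stale read shows up as a wrong byte count rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FREED_POISON   0xfb   /* byte KASAN paints over freed slab memory */
#define QUARANTINE_MAX 8

/* Stand-in for struct sk_buff: only the fields this example touches. */
struct skb {
    unsigned int len;
    unsigned char data[64];
};

/* Stand-in for the HIF TX channel (hypothetical, not the pfeng API).
 * In the driver the TX-confirm path frees the skb from NAPI on another CPU;
 * here completion runs synchronously inside chnl_tx(): worst-case timing. */
struct tx_chnl {
    struct skb *quarantine[QUARANTINE_MAX];   /* "freed" objects, kept mapped */
    size_t nfreed;
};

/* Model of napi_consume_skb(): the object is dead to the caller. It is
 * poisoned and quarantined instead of free()d so a stale read is observable. */
static void chnl_consume_skb(struct tx_chnl *c, struct skb *skb)
{
    memset(skb, FREED_POISON, sizeof(*skb));
    if (c->nfreed < QUARANTINE_MAX)
        c->quarantine[c->nfreed++] = skb;
    else
        free(skb);
}

/* Hand a buffer to the channel. Once this returns the caller no longer owns
 * skb: the completion for the last buffer may already have consumed it. */
static int chnl_tx(struct tx_chnl *c, struct skb *skb, int last)
{
    if (last)
        chnl_consume_skb(c, skb);
    return 0;
}

static void chnl_drain(struct tx_chnl *c)
{
    for (size_t i = 0; i < c->nfreed; i++)
        free(c->quarantine[i]);
    c->nfreed = 0;
}

struct netdev_stats {
    unsigned long tx_packets;
    unsigned long tx_bytes;
};

/* The pattern behind the KASAN report: skb->len is read after the hand-off. */
static int xmit_use_after_handoff(struct tx_chnl *c, struct netdev_stats *st,
                                  struct skb *skb)
{
    if (chnl_tx(c, skb, 1) != 0)
        return -1;
    st->tx_packets++;
    st->tx_bytes += skb->len;   /* stale read: skb is no longer ours */
    return 0;
}

/* Corrected pattern: copy out everything needed before the first hand-off,
 * then never dereference skb again. */
static int xmit_snapshot_first(struct tx_chnl *c, struct netdev_stats *st,
                               struct skb *skb)
{
    unsigned int pkt_len = skb->len;

    if (chnl_tx(c, skb, 1) != 0)
        return -1;
    st->tx_packets++;
    st->tx_bytes += pkt_len;
    return 0;
}

/* Push one constructed packet of the given length through a variant and
 * return the byte count the driver would have accounted. */
static unsigned long bytes_accounted(unsigned int len, int snapshot)
{
    struct tx_chnl c = { {0}, 0 };
    struct netdev_stats st = { 0, 0 };
    struct skb *s = calloc(1, sizeof(*s));

    if (!s)
        return (unsigned long)-1;
    s->len = len;
    if (snapshot)
        xmit_snapshot_first(&c, &st, s);
    else
        xmit_use_after_handoff(&c, &st, s);
    chnl_drain(&c);
    return st.tx_bytes;
}

unsigned long bytes_accounted_buggy(unsigned int len) { return bytes_accounted(len, 0); }
unsigned long bytes_accounted_fixed(unsigned int len) { return bytes_accounted(len, 1); }

int main(void)
{
    unsigned int len = 1234;   /* constructed sample packet length */
    printf("use-after-handoff accounts %lu bytes (expected %u)\n",
           bytes_accounted_buggy(len), len);
    printf("snapshot-first accounts   %lu bytes (expected %u)\n",
           bytes_accounted_fixed(len), len);
    return 0;
}
```

Compile with `cc -Wall -o handoff handoff.c` and run: the use-after-handoff variant accounts 0xfbfbfbfb bytes for a 1234-byte packet, the snapshot variant accounts 1234. The rule it demonstrates is the one the fix posted later in this thread applies: anything the driver still needs from the skb after `pfe_hif_chnl_tx()` has accepted it must be copied out before that call, because from then on the TX-confirm path may free the skb at any time.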
BTW, @licae, could you share your reproducer for this issue? Thanks.
Yeah, I met the same issue. I think we should modify it like this:
bugfix
Hi,
Reading your log, the actual fix should be as follows:
diff --git a/sw/qnx_workspace/linux-pfeng/pfeng-netif.c b/sw/qnx_workspace/linux-pfeng/pfeng-netif.c
index 15d7a4656..a283c27ee 100644
--- a/sw/qnx_workspace/linux-pfeng/pfeng-netif.c
+++ b/sw/qnx_workspace/linux-pfeng/pfeng-netif.c
@@ -226,7 +226,7 @@ static netdev_tx_t pfeng_netif_logif_xmit(struct sk_buff *skb, struct net_device
u32 nfrags = skb_shinfo(skb)->nr_frags;
struct pfeng_hif_chnl *chnl;
pfe_ct_hif_tx_hdr_t *tx_hdr;
- unsigned int plen;
+ unsigned int plen, pkt_len;
dma_addr_t dma;
int f, i = 1;
errno_t ret;
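Review bot: the path in this diff (sw/qnx_workspace/linux-pfeng/pfeng-netif.c) is not the tree the KASAN report came from (sw/linux-pfeng/pfeng-netif.c, faulting at line 357), so the @@ ranges should be checked against the tree that actually needs the fix before it is applied. The declaration itself is fine: `unsigned int pkt_len` matches the type of `skb->len`, so the snapshot cannot truncate.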
@@ -331,6 +331,8 @@ static netdev_tx_t pfeng_netif_logif_xmit(struct sk_buff *skb, struct net_device
/* Software tx time stamp */
skb_tx_timestamp(skb);
+ pkt_len = skb->len;
+
/* Put linear part */
ret = pfe_hif_chnl_tx(chnl->priv, (void *)dma, skb->data, plen, !nfrags);
if (unlikely(EOK != ret)) {
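Review bot: taking the snapshot `pkt_len = skb->len;` before the first `pfe_hif_chnl_tx()` call is the right place, since the freed-by stack in the report (`pfeng_hif_chnl_txconf_free_map_full` -> `napi_consume_skb`, reached from `pfeng_hif_chnl_poll`) shows the TX-confirm path can release the skb on another CPU as soon as the channel owns it. The same rule applies to every later `skb` dereference in this function, though: this call passes `!nfrags` as the last-buffer flag, so the fragment loop that follows submits the remaining buffers afterwards, and it should be checked that it does not read `skb_shinfo(skb)` or other skb fields after the linear part has been queued; if it does, those values need to be copied out here as well.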
@@ -366,7 +368,7 @@ static netdev_tx_t pfeng_netif_logif_xmit(struct sk_buff *skb, struct net_device
pfeng_hif_shared_chnl_unlock_tx(chnl);
netdev->stats.tx_packets++;
- netdev->stats.tx_bytes += skb->len;
+ netdev->stats.tx_bytes += pkt_len;
return NETDEV_TX_OK;
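Review bot: `tx_packets++` and `tx_bytes += pkt_len` run after `pfeng_hif_shared_chnl_unlock_tx(chnl)`, so if this xmit path can execute on more than one CPU at a time (the lock name suggests the channel is shared), the plain read-modify-write on `netdev->stats` can lose updates. This is not introduced by the patch, but since these lines are being touched anyway, consider moving the two counter updates above the unlock or converting them to per-cpu stats.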