android_kernel_oneplus_msm8998/drivers
Yang Yingliang 305fb9d38b tun: fix use-after-free when register netdev failed
[ Upstream commit 77f22f92dff8e7b45c7786a430626d38071d4670 ]

I got a UAF report in the tun driver when doing a fuzz test:

[  466.269490] ==================================================================
[  466.271792] BUG: KASAN: use-after-free in tun_chr_read_iter+0x2ca/0x2d0
[  466.271806] Read of size 8 at addr ffff888372139250 by task tun-test/2699
[  466.271810]
[  466.271824] CPU: 1 PID: 2699 Comm: tun-test Not tainted 5.3.0-rc1-00001-g5a9433db2614-dirty #427
[  466.271833] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  466.271838] Call Trace:
[  466.271858]  dump_stack+0xca/0x13e
[  466.271871]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271890]  print_address_description+0x79/0x440
[  466.271906]  ? vprintk_func+0x5e/0xf0
[  466.271920]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271935]  __kasan_report+0x15c/0x1df
[  466.271958]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271976]  kasan_report+0xe/0x20
[  466.271987]  tun_chr_read_iter+0x2ca/0x2d0
[  466.272013]  do_iter_readv_writev+0x4b7/0x740
[  466.272032]  ? default_llseek+0x2d0/0x2d0
[  466.272072]  do_iter_read+0x1c5/0x5e0
[  466.272110]  vfs_readv+0x108/0x180
[  466.299007]  ? compat_rw_copy_check_uvector+0x440/0x440
[  466.299020]  ? fsnotify+0x888/0xd50
[  466.299040]  ? __fsnotify_parent+0xd0/0x350
[  466.299064]  ? fsnotify_first_mark+0x1e0/0x1e0
[  466.304548]  ? vfs_write+0x264/0x510
[  466.304569]  ? ksys_write+0x101/0x210
[  466.304591]  ? do_preadv+0x116/0x1a0
[  466.304609]  do_preadv+0x116/0x1a0
[  466.309829]  do_syscall_64+0xc8/0x600
[  466.309849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.309861] RIP: 0033:0x4560f9
[  466.309875] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[  466.309889] RSP: 002b:00007ffffa5166e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000127
[  466.322992] RAX: ffffffffffffffda RBX: 0000000000400460 RCX: 00000000004560f9
[  466.322999] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
[  466.323007] RBP: 00007ffffa516700 R08: 0000000000000004 R09: 0000000000000000
[  466.323014] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000040cb10
[  466.323021] R13: 0000000000000000 R14: 00000000006d7018 R15: 0000000000000000
[  466.323057]
[  466.323064] Allocated by task 2605:
[  466.335165]  save_stack+0x19/0x80
[  466.336240]  __kasan_kmalloc.constprop.8+0xa0/0xd0
[  466.337755]  kmem_cache_alloc+0xe8/0x320
[  466.339050]  getname_flags+0xca/0x560
[  466.340229]  user_path_at_empty+0x2c/0x50
[  466.341508]  vfs_statx+0xe6/0x190
[  466.342619]  __do_sys_newstat+0x81/0x100
[  466.343908]  do_syscall_64+0xc8/0x600
[  466.345303]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.347034]
[  466.347517] Freed by task 2605:
[  466.348471]  save_stack+0x19/0x80
[  466.349476]  __kasan_slab_free+0x12e/0x180
[  466.350726]  kmem_cache_free+0xc8/0x430
[  466.351874]  putname+0xe2/0x120
[  466.352921]  filename_lookup+0x257/0x3e0
[  466.354319]  vfs_statx+0xe6/0x190
[  466.355498]  __do_sys_newstat+0x81/0x100
[  466.356889]  do_syscall_64+0xc8/0x600
[  466.358037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.359567]
[  466.360050] The buggy address belongs to the object at ffff888372139100
[  466.360050]  which belongs to the cache names_cache of size 4096
[  466.363735] The buggy address is located 336 bytes inside of
[  466.363735]  4096-byte region [ffff888372139100, ffff88837213a100)
[  466.367179] The buggy address belongs to the page:
[  466.368604] page:ffffea000dc84e00 refcount:1 mapcount:0 mapping:ffff8883df1b4f00 index:0x0 compound_mapcount: 0
[  466.371582] flags: 0x2fffff80010200(slab|head)
[  466.372910] raw: 002fffff80010200 dead000000000100 dead000000000122 ffff8883df1b4f00
[  466.375209] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[  466.377778] page dumped because: kasan: bad access detected
[  466.379730]
[  466.380288] Memory state around the buggy address:
[  466.381844]  ffff888372139100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.384009]  ffff888372139180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.386131] >ffff888372139200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.388257]                                                  ^
[  466.390234]  ffff888372139280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.392512]  ffff888372139300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  466.394667] ==================================================================

tun_chr_read_iter() accessed memory that had been freed by free_netdev(),
called from tun_set_iff():

        CPUA                                           CPUB
  tun_set_iff()
    alloc_netdev_mqs()
    tun_attach()
                                                  tun_chr_read_iter()
                                                    tun_get()
                                                    tun_do_read()
                                                      tun_ring_recv()
    register_netdevice() <-- inject error
    goto err_detach
    tun_detach_all() <-- set RCV_SHUTDOWN
    free_netdev() <-- called from
                     err_free_dev path
      netdev_freemem() <-- free the memory
                        without check refcount
      (In this path, the refcount cannot prevent
       freeing the memory of dev, and the memory
       will be used by dev_put() called by
       tun_chr_read_iter() on CPUB.)
                                                     (Break from tun_ring_recv(),
                                                     because RCV_SHUTDOWN is set)
                                                   tun_put()
                                                     dev_put() <-- use the memory
                                                                   freed by netdev_freemem()

Put the publishing of tfile->tun after register_netdevice(),
so tun_get() won't get a tun pointer that was freed by the
err_detach path if register_netdevice() failed.

Fixes: eb0fb363f9 ("tuntap: attach queue 0 before registering netdevice")
Reported-by: Hulk Robot <hulkci@huawei.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-21 07:12:41 +02:00
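As an added example (not the kernel's code and not part of this commit), a small userspace C model of the timeline above: the reader grabs tfile->tun between tun_attach() and the injected register_netdevice() failure, and the only difference between the two runs is whether the pointer is published before or after registration. All function bodies are stand-ins, and free_netdev() is modelled as a "freed" flag so the stale dev_put() is detected rather than executed.

```c
#include <stdlib.h>
/* Userspace model of the tun_set_iff() / tun_chr_read_iter() race from the
 * commit message. Function names mirror the kernel's, but every body is a
 * stand-in (assumption); free_netdev() only marks the object freed so a
 * later dev_put() can be detected instead of corrupting real memory. */
struct net_device { int refcnt; int freed; };
struct tun_file { struct net_device *tun; };  /* tfile->tun: the published pointer */

static void free_netdev(struct net_device *dev) { dev->freed = 1; }

/* Reader side (CPUB): tun_get() snapshots tfile->tun and takes a reference. */
static struct net_device *tun_get(struct tun_file *tfile)
{
    struct net_device *tun = tfile->tun;
    if (tun)
        tun->refcnt++;
    return tun;
}

/* tun_put() -> dev_put(); returns 1 if it would touch memory already
 * released by netdev_freemem(), i.e. the access KASAN reported. */
static int tun_put(struct net_device *tun)
{
    if (!tun) return 0;
    if (tun->freed) return 1;
    tun->refcnt--;
    return 0;
}

/* Writer side (CPUA) with the reader interleaved where the timeline puts it:
 * after tun_attach(), before register_netdevice(). publish_early=1 models the
 * old code (tfile->tun published by tun_attach()); publish_early=0 models the
 * fix (published only after register_netdevice() succeeds). Returns 1 on UAF. */
static int run_race(int publish_early, int register_fails)
{
    struct tun_file tfile = { 0 };
    struct net_device *dev = calloc(1, sizeof(*dev));
    struct net_device *reader_tun;

    if (publish_early)
        tfile.tun = dev;                 /* tun_attach() publishes the pointer */
    reader_tun = tun_get(&tfile);        /* CPUB: tun_chr_read_iter() -> tun_get() */
    if (register_fails) {                /* register_netdevice() <-- inject error */
        tfile.tun = NULL;                /* err_detach: tun_detach_all() */
        free_netdev(dev);                /* err_free_dev: free_netdev() */
    } else if (!publish_early) {
        tfile.tun = dev;                 /* fixed ordering: publish only now */
    }
    int uaf = tun_put(reader_tun);       /* CPUB: tun_put() -> dev_put() */
    free(dev);
    return uaf;
}
```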
accessibility
acpi ACPI / SBS: Fix GPE storm on recent MacBookPro's 2019-04-27 09:33:58 +02:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping 2019-06-22 08:18:27 +02:00
ata libata: add SG safety checks in SFF pio transfers 2019-09-06 10:18:08 +02:00
atm atm: iphase: Fix Spectre v1 vulnerability 2019-08-11 12:20:44 +02:00
auxdisplay
base regmap: fix bulk writes on paged registers 2019-08-04 09:34:46 +02:00
bcma
block floppy: fix out-of-bounds read in copy_buffer 2019-08-04 09:34:52 +02:00
bluetooth Bluetooth: btqca: Add a short delay before downloading the NVM 2019-09-10 10:29:46 +01:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-27 09:33:52 +02:00
char hpet: Fix division by zero in hpet_time_div() 2019-08-04 09:35:00 +02:00
clk clk: s2mps11: Add used attribute to s2mps11_dt_match 2019-09-16 08:13:36 +02:00
clocksource clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown 2019-03-23 08:44:35 +01:00
connector
cpufreq cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() 2019-08-25 10:52:47 +02:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-20 10:13:09 +01:00
crypto crypto: talitos - fix skcipher failure due to wrong output IV 2019-08-04 09:34:40 +02:00
dca
devfreq PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() 2018-11-10 07:41:40 -08:00
dio
dma dmaengine: ste_dma40: fix unneeded variable warning 2019-09-06 10:18:14 +02:00
dma-buf
edac EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec 2019-08-04 09:34:48 +02:00
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-06-11 12:24:01 +02:00
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND 2019-08-25 10:52:46 +02:00
fmc
fpga
gpio gpio: omap: ensure irq is enabled before wakeup 2019-08-04 09:34:45 +02:00
gpu drm/virtio: Add memory barriers for capset cache. 2019-08-04 09:34:56 +02:00
hid HID: wacom: correct misreported EKR ring values 2019-09-06 10:18:09 +02:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels 2019-01-13 10:05:27 +01:00
hwmon hwmon: (nct7802) Fix wrong detection of in4 presence 2019-08-25 10:52:52 +02:00
hwspinlock
hwtracing stm class: Fix a double free of stm_source_device 2019-09-06 10:18:17 +02:00
i2c i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr 2019-06-22 08:18:26 +02:00
ide ide: pmac: add of_node_put() 2018-12-21 14:09:52 +01:00
idle
iio iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data 2019-06-11 12:24:02 +02:00
infiniband IB/mlx4: Fix memory leaks 2019-09-10 10:29:48 +01:00
input Input: psmouse - fix build error of multiple definition 2019-08-25 10:53:03 +02:00
iommu iommu/amd: Move iommu_init_pci() to .init section 2019-08-25 10:53:05 +02:00
ipack
irqchip irqchip/irq-imx-gpcv2: Forward irq type to parent 2019-08-25 10:52:59 +02:00
isdn isdn/capi: check message length in capi_write() 2019-09-21 07:12:39 +02:00
leds leds: lp55xx: fix null deref on firmware load failure 2019-04-27 09:33:51 +02:00
lguest
lightnvm
macintosh macintosh/via-pmu: Add missing mmio accessors 2018-09-19 22:48:57 +02:00
mailbox mailbox: handle failed named mailbox channel request 2019-08-04 09:34:58 +02:00
mcb
md dm table: fix invalid memory accesses with too high sector number 2019-09-06 10:18:11 +02:00
media media: radio-raremono: change devm_k*alloc to k*alloc 2019-08-04 09:35:02 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-06-11 12:23:46 +02:00
memstick memstick: Fix error cleanup path of memstick_init 2019-08-04 09:34:56 +02:00
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd mfd: arizona: Fix undefined behavior 2019-08-04 09:34:58 +02:00
misc VMCI: Release resource if the work is already queued 2019-09-06 10:18:17 +02:00
mmc mmc: core: Fix init of SD cards reporting an invalid VDD range 2019-09-06 10:18:17 +02:00
mtd mtd: rawnand: gpmi: fix MX28 bus master lockup problem 2019-02-20 10:13:17 +01:00
net tun: fix use-after-free when register netdev failed 2019-09-21 07:12:41 +02:00
nfc st_nci_hci_connectivity_event_received: null check the allocation 2019-09-06 10:18:05 +02:00
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm libnvdimm/btt: Fix a kmemdup failure check 2019-05-16 19:45:05 +02:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem nvmem: core: fix read buffer in place 2019-06-22 08:18:20 +02:00
of of: add helper to lookup compatible child node 2018-12-01 09:46:35 +01:00
oprofile
parisc parisc: Use implicit space register selection for loading the coherence index of I/O pdirs 2019-06-11 12:24:13 +02:00
parport parport: Fix mem leak in parport_register_dev_model 2019-07-10 09:56:31 +02:00
pci PCI: sysfs: Ignore lockdep for remove attribute 2019-08-04 09:34:57 +02:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-21 09:27:30 +01:00
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy phy: renesas: rcar-gen2: Fix memory leak at error paths 2019-08-04 09:34:57 +02:00
pinctrl pinctrl: rockchip: fix leaked of_node references 2019-08-04 09:34:56 +02:00
platform platform/chrome: cros_ec_proto: check for NULL transfer function 2019-06-22 08:18:20 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-06-11 12:23:49 +02:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-08-04 09:35:02 +02:00
ps3
ptp ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl 2019-02-20 10:13:05 +01:00
pwm pwm: Fix deadlock warning when removing PWM device 2019-06-22 08:18:21 +02:00
rapidio
ras
regulator regulator: s2mps11: Fix buck7 and buck8 wrong voltages 2019-08-04 09:34:50 +02:00
remoteproc
reset
rpmsg
rtc rtc: 88pm860x: prevent use-after-free on device remove 2019-06-11 12:23:54 +02:00
s390 s390/qdio: add sanity checks to the fast-requeue path 2019-08-25 10:52:47 +02:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:09:52 +01:00
scsi scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm() 2019-09-06 10:18:14 +02:00
sfi
sh
sn
soc soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher 2019-06-22 08:18:20 +02:00
spi spi: bcm2835aux: fix corruptions for longer spi transfers 2019-09-10 10:29:50 +01:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-06-11 12:23:53 +02:00
staging staging: comedi: dt3000: Fix rounding up of timer divisor 2019-08-25 10:53:01 +02:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 08:44:35 +01:00
tc TC: Set DMA masks for devices 2018-11-21 09:27:36 +01:00
thermal thermal/int340x_thermal: fix mode setting 2019-04-27 09:33:57 +02:00
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop 2019-08-25 10:52:51 +02:00
uio uio: Fix an Oops on load 2018-11-27 16:08:02 +01:00
usb USB: storage: ums-realtek: Whitelist auto-delink support 2019-09-06 10:18:16 +02:00
uwb uwb: hwa-rc: fix memory leak at probe 2018-10-10 08:52:04 +02:00
vfio vfio/pci: use correct format characters 2019-05-16 19:45:01 +02:00
vhost vhost: make sure log_num < in_num 2019-09-16 08:13:36 +02:00
video video: imsttfb: fix potential NULL pointer dereferences 2019-06-22 08:18:21 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:45:18 +02:00
virtio virtio_balloon: fix another race between migration and ballooning 2018-08-06 16:24:42 +02:00
vlynq
vme
w1 w1: fix the resume command API 2019-06-11 12:23:55 +02:00
watchdog watchdog: bcm2835_wdt: Fix module autoload 2019-09-06 10:18:15 +02:00
xen xen/pciback: remove set but not used variable 'old_state' 2019-08-25 10:52:59 +02:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig
Makefile