Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Paolo Abeni 7eeabfb237 tcp: fix UaF in tcp_prune_ofo_queue() 
The CI reported a UaF in tcp_prune_ofo_queue():

BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue+0x55d/0x660
Read of size 4 at addr ffff8880134729d8 by task socat/20348

CPU: 0 UID: 0 PID: 20348 Comm: socat Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 <TASK>
 dump_stack_lvl+0x82/0xd0
 print_address_description.constprop.0+0x2c/0x400
 print_report+0xb4/0x270
 kasan_report+0xca/0x100
 tcp_prune_ofo_queue+0x55d/0x660
 tcp_try_rmem_schedule+0x855/0x12e0
 tcp_data_queue+0x4dd/0x2260
 tcp_rcv_established+0x5e8/0x2370
 tcp_v4_do_rcv+0x4ba/0x8c0
 __release_sock+0x27a/0x390
 release_sock+0x53/0x1d0
 tcp_sendmsg+0x37/0x50
 sock_write_iter+0x3c1/0x520
 vfs_write+0xc09/0x1210
 ksys_write+0x183/0x1d0
 do_syscall_64+0xc1/0x380
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcf73ef2337
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007ffd4f924708 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcf73ef2337
RDX: 0000000000002000 RSI: 0000555f11d1a000 RDI: 0000000000000008
RBP: 0000555f11d1a000 R08: 0000000000002000 R09: 0000000000000000
R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000008
R13: 0000000000002000 R14: 0000555ee1a44570 R15: 0000000000002000
 </TASK>

Allocated by task 20348:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc_node_noprof+0x110/0x340
 __alloc_skb+0x213/0x2e0
 tcp_collapse+0x43f/0xff0
 tcp_try_rmem_schedule+0x6b9/0x12e0
 tcp_data_queue+0x4dd/0x2260
 tcp_rcv_established+0x5e8/0x2370
 tcp_v4_do_rcv+0x4ba/0x8c0
 __release_sock+0x27a/0x390
 release_sock+0x53/0x1d0
 tcp_sendmsg+0x37/0x50
 sock_write_iter+0x3c1/0x520
 vfs_write+0xc09/0x1210
 ksys_write+0x183/0x1d0
 do_syscall_64+0xc1/0x380
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 20348:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x38/0x50
 kmem_cache_free+0x149/0x330
 tcp_prune_ofo_queue+0x211/0x660
 tcp_try_rmem_schedule+0x855/0x12e0
 tcp_data_queue+0x4dd/0x2260
 tcp_rcv_established+0x5e8/0x2370
 tcp_v4_do_rcv+0x4ba/0x8c0
 __release_sock+0x27a/0x390
 release_sock+0x53/0x1d0
 tcp_sendmsg+0x37/0x50
 sock_write_iter+0x3c1/0x520
 vfs_write+0xc09/0x1210
 ksys_write+0x183/0x1d0
 do_syscall_64+0xc1/0x380
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888013472900
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 216 bytes inside of
 freed 232-byte region [ffff888013472900, ffff8880134729e8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13472
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88800198fb40 ffffea0000347b10 ffffea00004f5290
raw: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88800198fb40 ffffea0000347b10 ffffea00004f5290
head: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
head: 0080000000000001 ffffea00004d1c81 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888013472880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888013472900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888013472980: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                    ^
 ffff888013472a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888013472a80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

Indeed tcp_prune_ofo_queue() is reusing the skb dropped a few lines
above. The caller wants to enqueue 'in_skb', lets check space vs the
latter.

Fixes: 1d2fbaad7c ("tcp: stronger sk_rcvbuf checks")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Tested-by: syzbot+865aca08c0533171bf6a@syzkaller.appspotmail.com
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/b78d2d9bdccca29021eed9a0e7097dd8dc00f485.1752567053.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2025-07-16 16:13:26 -07:00
..
6lowpan net: replace ND_PRINTK with dynamic debug 2025-07-10 15:27:32 -07:00
9p netfs: Fix the request's work item to not require a ref 2025-05-21 14:35:20 +02:00
802 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
8021q net: 802: Remove unused p8022 code 2025-04-22 07:04:02 -07:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-11 11:42:38 -07:00
atm atm: clip: Fix NULL pointer dereference in vcc_sendmsg() 2025-07-09 19:09:36 -07:00
ax25 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
batman-adv This cleanup patchset includes the following patches: 2025-07-11 17:50:27 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-10 10:10:49 -07:00
bpf selftests/bpf: Add test to access const void pointer argument in tracing program 2025-04-23 11:26:22 -07:00
bridge bridge: mcast: Fix use-after-free during router port configuration 2025-06-23 18:19:10 -07:00
caif caif: reduce stack size, again 2025-06-23 16:58:43 -07:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-06-12 10:09:10 -07:00
ceph A small CephFS encryption-related fix and a dead code cleanup. 2025-04-25 15:51:28 -07:00
core Add support to set NAPI threaded for individual NAPI 2025-07-14 18:02:37 -07:00
dcb
devlink devlink: Add new "clock_id" generic device param 2025-07-09 19:08:52 -07:00
dns_resolver
dsa net: dsa: tag_brcm: add support for legacy FCS tags 2025-06-17 17:52:01 -07:00
ethernet
ethtool ethtool: Don't check for RXFH fields conflict when no input_xfrm is requested 2025-07-16 15:03:56 -07:00
handshake net/handshake: Add new parameter 'HANDSHAKE_A_ACCEPT_KEYRING' 2025-07-08 15:31:44 +02:00
hsr treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ieee802154 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ife
ipv4 tcp: fix UaF in tcp_prune_ofo_queue() 2025-07-16 16:13:26 -07:00
ipv6 ipv6: mcast: Remove unnecessary null check in ip6_mc_find_dev() 2025-07-15 16:34:01 -07:00
iucv
kcm net: splice: Drop unused @gfp 2025-07-08 08:37:15 -07:00
key net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
l2tp net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
l3mdev net: fib_rules: Fix iif / oif matching on L3 master device 2025-04-15 17:54:56 -07:00
lapb treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
llc net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-11 11:42:38 -07:00
mac802154
mctp net: mctp: Add bind lookup test 2025-07-15 12:08:39 +02:00
mpls mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 2025-06-17 18:21:59 -07:00
mptcp tcp: move tcp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-06-12 18:21:59 -07:00
netfilter netfilter: nf_tables: adjust lockdep assertions handling 2025-07-10 03:01:22 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-05 08:03:38 -07:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-11 11:42:38 -07:00
netrom treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-06-19 13:00:24 -07:00
nsh
openvswitch net: openvswitch: allow providing upcall pid for the 'execute' command 2025-07-07 14:30:39 -07:00
packet net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
phonet net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
psample
qrtr
rds don't open-code kernel_accept() in rds_tcp_accept_one() 2025-07-15 16:19:54 -07:00
rfkill
rose rose: fix dangling neighbour pointers in rose_rt_device_down() 2025-07-01 19:28:48 -07:00
rxrpc rxrpc: Fix oops due to non-existence of prealloc backlog struct 2025-07-09 19:41:44 -07:00
sched net_sched: act_skbedit: use RCU in tcf_skbedit_dump() 2025-07-11 16:01:17 -07:00
sctp net: dst: annotate data-races around dst->obsolete 2025-07-02 14:32:29 -07:00
shaper
smc net/smc: convert timeouts to secs_to_jiffies() 2025-07-09 19:25:01 -07:00
strparser net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
sunrpc sunrpc: fix loop in gss seqno cache 2025-06-23 11:01:15 -04:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-10 10:10:49 -07:00
tls bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls 2025-06-11 16:59:42 +02:00
unix af_unix: Introduce SO_INQ. 2025-07-08 18:05:25 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-10 10:10:49 -07:00
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-11 11:42:38 -07:00
x25 net/x25: Remove unused x25_terminate_link() 2025-07-14 17:19:13 -07:00
xdp net: xsk: introduce XDP_MAX_TX_SKB_BUDGET setsockopt 2025-07-10 14:48:29 +02:00
xfrm net: dst: annotate data-races around dst->obsolete 2025-07-02 14:32:29 -07:00
Kconfig net: Kconfig NET_DEVMEM selects GENERIC_ALLOCATOR 2025-05-27 17:31:42 -07:00
Kconfig.debug
Makefile net: Retire DCCP socket. 2025-04-11 18:58:10 -07:00
compat.c
devres.c
socket.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
sysctl_net.c