From patchwork Wed Jan 3 19:55:58 2024
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L/M/OEM-6.5][PATCH 1/1] ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
Date: Wed, 3 Jan 2024 16:55:58 -0300
Message-Id: <20240103195558.381779-2-magali.lemes@canonical.com>
In-Reply-To: <20240103195558.381779-1-magali.lemes@canonical.com>
References: <20240103195558.381779-1-magali.lemes@canonical.com>
From: Zhengchao Shao

When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
    do
        ifconfig br0 up
        ifconfig br0 down
    done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00 1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"

The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
	refcount_t: addition on 0; use-after-free.
	WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
	CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
	Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
	RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
	RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
	RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
	RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
	R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
	R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
	FS:  0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
	Call Trace:
	igmp_heard_query (net/ipv4/igmp.c:1068)
	igmp_rcv (net/ipv4/igmp.c:1132)
	ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
	ip_local_deliver_finish (net/ipv4/ip_input.c:234)
	__netif_receive_skb_one_core (net/core/dev.c:5529)
	netif_receive_skb_internal (net/core/dev.c:5729)
	netif_receive_skb (net/core/dev.c:5788)
	br_handle_frame_finish (net/bridge/br_input.c:216)
	nf_hook_bridge_pre (net/bridge/br_input.c:294)
	__netif_receive_skb_core (net/core/dev.c:5423)
	__netif_receive_skb_list_core (net/core/dev.c:5606)
	__netif_receive_skb_list (net/core/dev.c:5674)
	netif_receive_skb_list_internal (net/core/dev.c:5764)
	napi_gro_receive (net/core/gro.c:609)
	e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
	e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
	__napi_poll (net/core/dev.c:6533)
	net_rx_action (net/core/dev.c:6735)
	__do_softirq (kernel/softirq.c:554)
	run_ksoftirqd (kernel/softirq.c:913)
	smpboot_thread_fn (kernel/smpboot.c:164)
	kthread (kernel/kthread.c:388)
	ret_from_fork (arch/x86/kernel/process.c:153)
	ret_from_fork_asm (arch/x86/entry/entry_64.S:250)

The root causes are as follows:
	Thread A                                  Thread B
	...                                       netif_receive_skb
	br_dev_stop                               ...
	    br_multicast_leave_snoopers           ...
	        __ip_mc_dec_group                 ...
	            __igmp_group_dropped          igmp_rcv
	                igmp_stop_timer               igmp_heard_query    //ref = 1
	                    ip_ma_put                     igmp_mod_timer
	                        refcount_dec_and_test         igmp_start_timer  //ref = 0
	                        ...                               refcount_inc  //ref increases from 0

When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device
is down and has left the multicast group, it will cause the mc list
refcount uaf issue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhengchao Shao
Reviewed-by: Eric Dumazet
Reviewed-by: Hangbin Liu
Signed-off-by: David S. Miller
(cherry picked from commit e2b706c691905fe78468c361aaabc719d0a496f1)
CVE-2023-6932
Signed-off-by: Magali Lemes
---
 net/ipv4/igmp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index cb031e851c12..715f99e76826 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -218,8 +218,10 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay) int tv = prandom_u32() % max_delay; im->tm_running = 1; - if (!mod_timer(&im->timer, jiffies+tv+2)) - refcount_inc(&im->refcnt); + if (refcount_inc_not_zero(&im->refcnt)) { + if (mod_timer(&im->timer, jiffies + tv + 2)) + ip_ma_put(im); + } } static void igmp_gq_start_timer(struct in_device *in_dev)
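Review bot: `im->tm_running = 1` is still written before `refcount_inc_not_zero(&im->refcnt)`, so the flag is set even when the increment fails and no timer is armed; consider moving that assignment inside the `if (refcount_inc_not_zero(&im->refcnt))` block so tm_running only ever reflects a timer that actually holds a reference. The reference accounting in the new branch is otherwise balanced: the reference is taken before `mod_timer()`, and when `mod_timer()` returns nonzero (the timer was already pending and therefore already held a reference) `ip_ma_put(im)` returns the surplus one. Taking the reference first is what closes the window described in the commit message, since a group whose refcount has already reached zero in `ip_ma_put()` is no longer resurrected by an unconditional `refcount_inc()`.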
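The Thread A / Thread B interleaving from the commit message, as an added user-space model that is not part of the patch or of the kernel: igmp_start_timer_old and igmp_start_timer_new mirror the before and after logic of the hunk, while refcount_t, mod_timer() and ip_ma_put() are simplified stand-ins whose behaviour is assumed from their documented return semantics.

```c
/* Added example, not part of the patch: a user-space model of the race in the
 * commit message. igmp_start_timer_old/new mirror the hunk's before/after
 * logic; refcount_t, mod_timer() and ip_ma_put() are simplified stand-ins. */
#include <stdbool.h>

struct ip_mc_list {
	unsigned int refcnt; /* models refcount_t */
	bool timer_pending;  /* models the timer_list state */
	bool saturated;      /* models the refcount_warn_saturate() warning */
};

/* refcount_inc() on 0 is the "addition on 0; use-after-free" warning. */
static void refcount_inc(struct ip_mc_list *im)
{
	if (im->refcnt == 0) im->saturated = true; else im->refcnt++;
}
/* refcount_inc_not_zero() refuses instead of resurrecting the object. */
static bool refcount_inc_not_zero(struct ip_mc_list *im)
{
	if (im->refcnt != 0) im->refcnt++;
	return im->refcnt != 0;
}
static void ip_ma_put(struct ip_mc_list *im) { im->refcnt--; }

/* mod_timer() returns 0 if the timer was inactive, 1 if already pending. */
static int mod_timer(struct ip_mc_list *im)
{
	int was_pending = im->timer_pending;
	im->timer_pending = true;
	return was_pending;
}

/* Before the patch: the reference is taken only after arming the timer. */
static void igmp_start_timer_old(struct ip_mc_list *im)
{
	if (!mod_timer(im)) refcount_inc(im);
}
/* After the patch: take the reference first; a group already at zero is left
 * alone, and the surplus reference is returned if the timer was pending. */
static void igmp_start_timer_new(struct ip_mc_list *im)
{
	if (refcount_inc_not_zero(im) && mod_timer(im)) ip_ma_put(im);
}

/* Thread B starts the timer after Thread A's ip_ma_put() dropped the last ref. */
static bool race_hits_released_group(void (*start)(struct ip_mc_list *))
{
	struct ip_mc_list im = { .refcnt = 1 };
	ip_ma_put(&im); /* __igmp_group_dropped -> igmp_stop_timer -> ip_ma_put */
	start(&im);     /* igmp_heard_query -> igmp_mod_timer -> igmp_start_timer */
	return im.saturated || im.refcnt != 0;
}
```

With the old ordering the stale entry is resurrected from a zero refcount (the saturation warning in the trace); with the new ordering the query is simply ignored for a group that is already gone.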