Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/net
History
Zhengchao Shao 9b05d71869 ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet 
[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]

When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
    do
        ifconfig br0 up
        ifconfig br0 down
    done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"

The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
	refcount_t: addition on 0; use-after-free.
	WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
	CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
	Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
	RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
	RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
	RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
	RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
	R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
	R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
	FS:  0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
	Call Trace:
	<TASK>
	igmp_heard_query (net/ipv4/igmp.c:1068)
	igmp_rcv (net/ipv4/igmp.c:1132)
	ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
	ip_local_deliver_finish (net/ipv4/ip_input.c:234)
	__netif_receive_skb_one_core (net/core/dev.c:5529)
	netif_receive_skb_internal (net/core/dev.c:5729)
	netif_receive_skb (net/core/dev.c:5788)
	br_handle_frame_finish (net/bridge/br_input.c:216)
	nf_hook_bridge_pre (net/bridge/br_input.c:294)
	__netif_receive_skb_core (net/core/dev.c:5423)
	__netif_receive_skb_list_core (net/core/dev.c:5606)
	__netif_receive_skb_list (net/core/dev.c:5674)
	netif_receive_skb_list_internal (net/core/dev.c:5764)
	napi_gro_receive (net/core/gro.c:609)
	e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
	e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
	__napi_poll (net/core/dev.c:6533)
	net_rx_action (net/core/dev.c:6735)
	__do_softirq (kernel/softirq.c:554)
	run_ksoftirqd (kernel/softirq.c:913)
	smpboot_thread_fn (kernel/smpboot.c:164)
	kthread (kernel/kthread.c:388)
	ret_from_fork (arch/x86/kernel/process.c:153)
	ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
	</TASK>

The root causes are as follows:
Thread A					Thread B
...						netif_receive_skb
br_dev_stop					...
    br_multicast_leave_snoopers			...
        __ip_mc_dec_group			...
            __igmp_group_dropped		igmp_rcv
                igmp_stop_timer			    igmp_heard_query         //ref = 1
                ip_ma_put			        igmp_mod_timer
                    refcount_dec_and_test	            igmp_start_timer //ref = 0
			...                                     refcount_inc //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device is
down and has left the multicast group, it will cause the mc list refcount
uaf issue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-18 12:11:10 +01:00
..
6lowpan Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
9p 9p/trans_fd: Annotate data-racy writes to file::f_flags 2024-11-18 11:43:14 +01:00
802 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
8021q Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
appletalk Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
atm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ax25 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
batman-adv Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bluetooth Bluetooth: Fix double free in hci_conn_cleanup 2024-11-18 11:43:12 +01:00
bpf Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpfilter Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bridge netfilter: nf_conntrack_bridge: initialize err to 0 2024-11-18 11:43:20 +01:00
caif Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
can can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior 2024-11-18 10:58:47 +01:00
ceph libceph: use kernel_connect() 2024-11-08 11:25:50 +01:00
core net: annotate data-races around sk->sk_dst_pending_confirm 2024-11-18 11:43:12 +01:00
dcb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2024-11-18 11:43:07 +01:00
decnet Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dns_resolver Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dsa Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
ethernet Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
ethtool Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hsr hsr: Prevent use after free in prp_create_tagged_frame() 2024-11-18 11:43:07 +01:00
ieee802154 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ife Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ipv4 ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet 2024-11-18 12:11:10 +01:00
ipv6 dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2024-11-18 11:43:07 +01:00
iucv Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
kcm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
key Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
l2tp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
l3mdev Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lapb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
llc llc: verify mac len before reading mac header 2024-11-18 11:43:07 +01:00
mac80211 wifi: mac80211: don't return unset power in ieee80211_get_tx_power() 2024-11-18 11:43:12 +01:00
mac802154 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mpls Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mptcp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ncm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ncsi Revert ncsi: Propagate carrier gain/loss events to the NCSI controller 2024-11-18 11:43:30 +01:00
netfilter netfilter: nf_tables: disable toggling dormant table state more than once 2024-11-18 11:43:32 +01:00
netlabel Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netlink Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netrom Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2024-11-08 11:26:08 +01:00
nsh Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
openvswitch Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
packet Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
phonet Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
psample Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
qrtr Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
rds net: prevent address rewrite in kernel_bind() 2024-11-08 11:25:44 +01:00
rfkill net: rfkill: gpio: prevent value glitch during probe 2024-11-08 11:26:10 +01:00
rose Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
rxrpc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sched net: sched: cls_u32: Fix allocation size in u32_init() 2024-11-18 10:58:46 +01:00
sctp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
skb_tracer Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
smc net/smc: avoid data corruption caused by decline 2024-11-18 12:10:55 +01:00
strparser Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sunrpc SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 2024-11-18 11:43:19 +01:00
switchdev Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tipc tipc: Fix kernel-infoleak due to uninitialized TLV value 2024-11-18 11:43:19 +01:00
tls Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
unix Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vmw_vsock Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
wimax Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
wireless wifi: cfg80211: avoid leaking stack data into trace 2024-11-08 11:26:17 +01:00
x25 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xdp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xfrm Revert "xfrm: fix a data-race in xfrm_gen_index()" 2024-11-17 19:38:56 +01:00
compat.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
devres.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
socket.c net: prevent address rewrite in kernel_bind() 2024-11-08 11:25:44 +01:00
sysctl_net.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
TEST_MAPPING Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00