From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46C4AC6FA82 for ; Fri, 23 Sep 2022 14:32:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230449AbiIWOcX (ORCPT ); Fri, 23 Sep 2022 10:32:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230165AbiIWOcV (ORCPT ); Fri, 23 Sep 2022 10:32:21 -0400 Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 743E313EEA2 for ; Fri, 23 Sep 2022 07:32:20 -0700 (PDT) Received: by mail-wr1-x42e.google.com with SMTP id n10so235152wrw.12 for ; Fri, 23 Sep 2022 07:32:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date; bh=BqFcqfNTG2GvCpxZGGXPwBR88LLMz8saElhg5eR1FAQ=; b=QwBknRSPLmBTxD58lZ+VaiRp+e8/kh3ItU5drA/MIm6g8kLz9bYOhce6v/EAiqIgEU MzSX5NQ1kF9S79EX4xwxUa5ma4DydkHCAzCMePqdYxWykJIAjc4n4ymzr+tyhzQKQ341 NRn+PNUePIAyDBOpxdiOt1QI1AgX77SAYN2m8NWha38HVDgqlGsJKf5Rdm8gapEqG3jF 3Wk+L9Rzq7kC0XgejHPJka/mlGc3MKIju+Rjs9fmv/HJFaUHEST/svJuenJ6k8aCnfQW rZHJJ9OG4iHnvhgI33tUAEE6J5HXODSRh3LQBWbOC8y1q/TjRnyj/LgbEJjlbhqHTPNV NZcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date; bh=BqFcqfNTG2GvCpxZGGXPwBR88LLMz8saElhg5eR1FAQ=; b=6nglq0pcX+FAbdbgldOYp6DmF57u6LltHdkYWSoNI6bpLhs7XZ2+0HW1ThsdhYGT2M rC/bK8CKH4ySSS1ZGoV66cIhgassOuZppBziuf3Tntl2yieNcgS2IYcAIXEbKuuuyHQu nlVxiy72mfmmulM53XQGxyU0mHuxQZI3RYauYsZLWEQXmANcTHlwX5yZjQeScjXoZZJ/ ii4vxHRGqJ85IQWvTH6FutKSlxTKXB/iOaH3Txck40RmmeFdfSHv0aIFeEDfbE5yMYEg g+CDv5NeJoYFrO5kbk4/ryO2G99FsnuDIW0pSUdi3lgOHfoYec4rah5LJ5w4zvqKr6lD YK7w== X-Gm-Message-State: ACrzQf3uMhec5bkBbdn5B+ZrZvBPrzk/OGz2Ry1soDEEJUA8bmgOEOSt o+9E16B858pL7x6imm8T6AOw4Qas0ic= X-Google-Smtp-Source: AMsMyM4iAcqlenTVGuevXo1zPqMGmK+8pNubZ5T+OcYC7Q+GvdzODXKHOtvucYoE5rtyM+gd6W0RDg== X-Received: by 2002:a05:6000:178d:b0:226:ffe8:72df with SMTP id e13-20020a056000178d00b00226ffe872dfmr5332959wrg.496.1663943538610; Fri, 23 Sep 2022 07:32:18 -0700 (PDT) Received: from [192.168.8.198] (188.28.201.74.threembb.co.uk. [188.28.201.74]) by smtp.gmail.com with ESMTPSA id n13-20020adfe34d000000b002285f73f11dsm9177084wrj.81.2022.09.23.07.32.17 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 23 Sep 2022 07:32:18 -0700 (PDT) Message-ID: Date: Fri, 23 Sep 2022 15:31:16 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0 Subject: Re: [PATCH for-next 1/1] io_uring/net: fix UAF in io_sendrecv_fail() Content-Language: en-US To: io-uring@vger.kernel.org Cc: Jens Axboe , Dylan Yudaken , syzbot+4c597a574a3f5a251bda@syzkaller.appspotmail.com References: <49ee34929051a668e4829b6549dcd3eba49bf95b.1663941567.git.asml.silence@gmail.com> From: Pavel Begunkov In-Reply-To: <49ee34929051a668e4829b6549dcd3eba49bf95b.1663941567.git.asml.silence@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org On 9/23/22 14:59, Pavel Begunkov wrote: > We should not assume anything about ->free_iov just from > REQ_F_ASYNC_DATA but rather rely on REQ_F_NEED_CLEANUP, as we may > allocate ->async_data but failed init would leave the field in not > consistent state. The easiest solution is to remove removing > REQ_F_NEED_CLEANUP and so ->async_data dealloc from io_sendrecv_fail() > and let io_send_zc_cleanup() do the job. The catch here is that we also > need to prevent double notif flushing, just test it for NULL and zero > where it's needed. > > BUG: KASAN: use-after-free in io_sendrecv_fail+0x3b0/0x3e0 io_uring/net.c:1221 > Write of size 8 at addr ffff8880771b4080 by task syz-executor.3/30199 > > CPU: 1 PID: 30199 Comm: syz-executor.3 Not tainted 6.0.0-rc6-next-20220923-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 > Call Trace: > > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 > print_address_description mm/kasan/report.c:284 [inline] > print_report+0x15e/0x45d mm/kasan/report.c:395 > kasan_report+0xbb/0x1f0 mm/kasan/report.c:495 > io_sendrecv_fail+0x3b0/0x3e0 io_uring/net.c:1221 > io_req_complete_failed+0x155/0x1b0 io_uring/io_uring.c:873 > io_drain_req io_uring/io_uring.c:1648 [inline] > io_queue_sqe_fallback.cold+0x29f/0x788 io_uring/io_uring.c:1931 > io_submit_sqe io_uring/io_uring.c:2160 [inline] > io_submit_sqes+0x1180/0x1df0 io_uring/io_uring.c:2276 > __do_sys_io_uring_enter+0xac6/0x2410 io_uring/io_uring.c:3216 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd Missed unused var, will resend > > Fixes: c4c0009e0b56e ("io_uring/net: combine fail handlers") > Reported-by: syzbot+4c597a574a3f5a251bda@syzkaller.appspotmail.com > Signed-off-by: Pavel Begunkov > --- > io_uring/net.c | 14 +++++--------- > 1 file changed, 5 insertions(+), 9 deletions(-) > > diff --git a/io_uring/net.c b/io_uring/net.c > index 757a300578f4..e9e66bace45f 100644 > --- a/io_uring/net.c > +++ b/io_uring/net.c > @@ -915,9 +915,11 @@ void io_send_zc_cleanup(struct io_kiocb *req) > io = req->async_data; > kfree(io->free_iov); > } > - zc->notif->flags |= REQ_F_CQE_SKIP; > - io_notif_flush(zc->notif); > - zc->notif = NULL; > + if (zc->notif) { > + zc->notif->flags |= REQ_F_CQE_SKIP; > + io_notif_flush(zc->notif); > + zc->notif = NULL; > + } > } > > int io_send_zc_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) > @@ -1215,12 +1217,6 @@ void io_sendrecv_fail(struct io_kiocb *req) > io_notif_flush(sr->notif); > sr->notif = NULL; > } > - if (req_has_async_data(req)) { > - io = req->async_data; > - kfree(io->free_iov); > - io->free_iov = NULL; > - } > - req->flags &= ~REQ_F_NEED_CLEANUP; > io_req_set_res(req, res, req->cqe.flags); > } > -- Pavel Begunkov