From patchwork Fri Nov 20 19:59:16 2015
X-Patchwork-Submitter: Peter Hurley
X-Patchwork-Id: 547032
X-Patchwork-Delegate: davem@davemloft.net
Subject: Re: tty,net: use-after-free in x25_asy_open_tty
To: Sasha Levin, gregkh@linuxfoundation.org, Jiri Slaby, David Miller
References: <564F26A5.4050905@oracle.com>
Cc: LKML, syzkaller@googlegroups.com, "netdev@vger.kernel.org"
From: Peter Hurley
Message-ID: <564F7B94.3060405@hurleysoftware.com>
Date: Fri, 20 Nov 2015 14:59:16 -0500
In-Reply-To: <564F26A5.4050905@oracle.com>
X-Mailing-List: netdev@vger.kernel.org

[ + David Miller ]

On 11/20/2015 08:56 AM, Sasha Levin wrote:
> Hi all,
>
> While fuzzing with syzkaller inside a kvmtools guest running latest -next kernel, I've hit:
>
> [  634.336761] ==================================================================
> [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
> [  634.339558] Read of size 4 by task syzkaller_execu/8981
> [  634.340359] =============================================================================
> [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected

Thanks for the report, Sasha.

Would you please test the patch below?

The ldisc api should really prevent these kinds of errors.
I'll prepare a patch to the tty core which should address the api weakness.

Regards,
Peter Hurley

--->% ---

Subject: [PATCH] wan/x25: Fix use-after-free in x25_asy_open_tty()

The N_X25 line discipline may access the previous line discipline's
closed and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).
[1] Report by Sasha Levin [ 634.336761] ================================================================== [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0 [ 634.339558] Read of size 4 by task syzkaller_execu/8981 [ 634.340359] ============================================================================= [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected ... [ 634.405018] Call Trace: [ 634.405277] dump_stack (lib/dump_stack.c:52) [ 634.405775] print_trailer (mm/slub.c:655) [ 634.406361] object_err (mm/slub.c:662) [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236) [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279) [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1)) [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447) [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567) [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879) [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607) [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613) [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188) Reported-by: Sasha Levin Signed-off-by: Peter Hurley --- drivers/net/wan/x25_asy.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c index 5c47b01..cd39025 100644 --- a/drivers/net/wan/x25_asy.c +++ b/drivers/net/wan/x25_asy.c @@ -549,16 +549,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty, static int x25_asy_open_tty(struct tty_struct *tty) { - struct x25_asy *sl = tty->disc_data; + struct x25_asy *sl; int err; if (tty->ops->write == NULL) return -EOPNOTSUPP; - /* First make sure we're not already connected. */ - if (sl && sl->magic == X25_ASY_MAGIC) - return -EEXIST; - /* OK. Find a free X.25 channel to use. */ sl = x25_asy_alloc(); if (sl == NULL)
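Review bot: The hunk leaves no trace of why the removed "already connected" guard was unsafe, so the new `struct x25_asy *sl;` declaration in x25_asy_open_tty() deserves a one-line comment (e.g. `/* tty->disc_data is stale on entry; this ldisc owns it only between open() and close() */`) so that a later reader does not reinstate the `sl && sl->magic == X25_ASY_MAGIC` probe, which compared a field of the previous ldisc's already-freed private data and is consistent with the KASAN "Read of size 4" in x25_asy_open_tty in the report. The change itself is minimal and matches the diffstat (1 insertion, 5 deletions): the only behavioural difference is that the -EEXIST path is gone, which is correct given the commit message's statement that disc_data never refers to valid data when open() is entered, so there was never a legitimate "already connected" case for it to detect.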