From patchwork Fri Sep 27 12:22:44 2024
X-Patchwork-Submitter: Massimiliano Pellizzer
X-Patchwork-Id: 1990266
From: Massimiliano Pellizzer
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
Date: Fri, 27 Sep 2024 14:22:44 +0200
Message-ID: <20240927122321.34030-2-massimiliano.pellizzer@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240927122321.34030-1-massimiliano.pellizzer@canonical.com>
References: <20240927122321.34030-1-massimiliano.pellizzer@canonical.com>
List-Id: Kernel team discussions
From: Jason Xing

commit 6648e613226e18897231ab5e42ffc29e63fa3365 upstream.

Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
syzbot reported [1].

[1]
BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
 sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
 sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
 sk_psock_put include/linux/skmsg.h:459 [inline]
 sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
 unix_release+0x4b/0x80 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0x68/0x150 net/socket.c:1421
 __fput+0x2c1/0x660 fs/file_table.c:422
 __fput_sync+0x44/0x60 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x101/0x1b0 fs/open.c:1541
 __x64_sys_close+0x1f/0x30 fs/open.c:1541
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
 sk_psock_data_ready include/linux/skmsg.h:464 [inline]
 sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
 sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
 unix_read_skb net/unix/af_unix.c:2546 [inline]
 unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G        W          6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
similarly due to no protection of saved_data_ready. Here is another
different caller causing the same issue for the same reason.

So we should protect it with the sk_callback_lock read lock because the
writer side in sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".
To avoid errors that could happen in the future, I move those two pairs of
locks into sk_psock_data_ready(), as suggested by John Fastabend.

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Reported-by: syzbot+aa8c8ec2538929f18f2d@syzkaller.appspotmail.com
Signed-off-by: Jason Xing
Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Closes: https://syzkaller.appspot.com/bug?extid=aa8c8ec2538929f18f2d
Link: https://lore.kernel.org/all/20240329134037.92124-1-kerneljasonxing@gmail.com
Link: https://lore.kernel.org/bpf/20240404021001.94815-1-kerneljasonxing@gmail.com
Signed-off-by: Ashwin Dayanand Kamat
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit c0809c128dad4c3413818384eb06a341633db973 linux-5.10.y)
CVE-2024-36938
Signed-off-by: Massimiliano Pellizzer
---
 include/linux/skmsg.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index 613d04526032..e1e276994807 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -440,10 +440,12 @@ static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock) static inline void sk_psock_data_ready(struct sock *sk, struct sk_psock *psock) { + read_lock_bh(&sk->sk_callback_lock); if (psock->parser.enabled) psock->parser.saved_data_ready(sk); else sk->sk_data_ready(sk); + read_unlock_bh(&sk->sk_callback_lock); } static inline void psock_set_prog(struct bpf_prog **pprog,
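Review bot: the diffstat ("1 file changed, 2 insertions(+)") and this single include/linux/skmsg.h hunk do not match the commit message's claim that the two pairs of locks were moved into sk_psock_data_ready(); nothing in the backport removes the read_lock_bh()/read_unlock_bh() pair that 4cd12c6065df placed around the sk_psock_data_ready() call in sk_psock_verdict_data_ready(). If the Focal tree carries 4cd12c6065df, that caller now takes sk->sk_callback_lock for reading twice on the path the KCSAN trace shows (sk_psock_verdict_data_ready -> ... -> sk_psock_skb_ingress_enqueue -> sk_psock_data_ready); if it does not, the message should say this is an add-only backport rather than a move. Please also confirm that no caller of sk_psock_data_ready() in Focal already holds sk_callback_lock for writing (the writer side in sk_psock_drop() uses write_lock_bh(), per the message), since the new read_lock_bh() would self-deadlock there.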
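The race the commit message describes, as a deterministic user-space model added here; it is not code from the patch, the kernel, or the submitter. All names below (model_sock, model_psock, model_rwlock, data_ready, run_race) are invented for illustration. The model lock stands in for sk->sk_callback_lock: it parks a writer while a reader is inside and lets it run when the last reader leaves, which is the only rwlock property the demonstration needs. The `preempt` hook is where the other CPU's close() -> sk_psock_drop() path from the KCSAN trace lands.

```c
#include <stdio.h>
#include <stddef.h>

struct model_sock;
typedef void (*data_ready_fn)(struct model_sock *sk);

/* Stand-in for sk->sk_callback_lock (rwlock_t). A writer that arrives while
 * readers are inside is parked and runs when the last reader leaves. */
struct model_rwlock {
    int readers;
    int writer_pending;
};

struct model_psock {
    int parser_enabled;              /* models psock->parser.enabled */
    data_ready_fn saved_data_ready;  /* models psock->parser.saved_data_ready */
};

struct model_sock {
    struct model_rwlock callback_lock;
    data_ready_fn sk_data_ready;     /* models sk->sk_data_ready (fallback) */
    struct model_psock *psock;
    int saved_calls;
    int fallback_calls;
};

static void saved_cb(struct model_sock *sk)    { sk->saved_calls++; }
static void fallback_cb(struct model_sock *sk) { sk->fallback_calls++; }

/* Writer side, after sk_psock_stop_verdict() in the trace: the saved slot
 * goes to NULL (the "value changed ... -> 0x0000000000000000" line). */
static void stop_verdict_locked(struct model_sock *sk)
{
    sk->psock->saved_data_ready = NULL;
    sk->psock->parser_enabled = 0;
}

static void write_lock_bh_and_stop_verdict(struct model_sock *sk)
{
    if (sk->callback_lock.readers > 0) {
        sk->callback_lock.writer_pending = 1;   /* wait for readers */
        return;
    }
    stop_verdict_locked(sk);
}

static void read_lock_bh(struct model_sock *sk)   { sk->callback_lock.readers++; }
static void read_unlock_bh(struct model_sock *sk)
{
    if (--sk->callback_lock.readers == 0 && sk->callback_lock.writer_pending) {
        sk->callback_lock.writer_pending = 0;
        stop_verdict_locked(sk);                 /* parked writer proceeds */
    }
}

/* Reader side, after sk_psock_data_ready(). Returns 0 when a callback ran,
 * -1 where the unpatched kernel would have dereferenced NULL. */
static int data_ready(struct model_sock *sk, int take_lock,
                      void (*preempt)(struct model_sock *))
{
    data_ready_fn fn;
    int enabled, rc = 0;

    if (take_lock)
        read_lock_bh(sk);
    enabled = sk->psock->parser_enabled;    /* check ... */
    preempt(sk);                            /* ... racing close() here ... */
    fn = enabled ? sk->psock->saved_data_ready : sk->sk_data_ready;
    if (fn)
        fn(sk);                             /* ... use */
    else
        rc = -1;                            /* NULL deref in the real code */
    if (take_lock)
        read_unlock_bh(sk);
    return rc;
}

/* One run of the race: take_lock=0 is the pre-patch code, 1 the patched
 * code. Returns data_ready()'s result. */
int run_race(int take_lock)
{
    struct model_psock psock = { .parser_enabled = 1, .saved_data_ready = saved_cb };
    struct model_sock sk = { .sk_data_ready = fallback_cb, .psock = &psock };

    return data_ready(&sk, take_lock, write_lock_bh_and_stop_verdict);
}

int main(void)
{
    int before = run_race(0), after = run_race(1);

    printf("pre-patch (no lock):      rc=%d\n", before);   /* -1 */
    printf("patched (read_lock_bh):   rc=%d\n", after);    /*  0 */
    return 0;
}
```

In the patched run the writer still clears saved_data_ready, but only after read_unlock_bh(), so the callback the reader checked is the one it calls; holding the read lock across both the check and the call is what closes the window, not the lock around either one alone.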