Use-after-free in selinux_ip_postroute_compat

From: Dmitry Vyukov
Date: Thu Nov 05 2015 - 14:36:56 EST


Hello,

I've updated from bcee19f424a0d8c26ecf2607b73c690802658b29 (Sep 21) to
8e483ed1342a4ea45b70f0f33ac54eff7a33d918 (Nov 4) and started seeing the
following use-after-free reports:


BUG: KASan: use after free in selinux_ip_postroute_compat+0x2af/0x2d0
at addr ffff88003dbdc148
Read of size 8 by task swapper/1/0
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 4.3.0+ #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88003ed06970 ffffffff81aab806 ffff88003e804b40
ffff88003dbdc000 ffff88003dbdc000 ffff88003ed069a0 ffffffff814a4b34
ffff88003e804b40 ffffea0000f6f700 ffff88003dbdc000 ffff88003ed06bd0
Call Trace:
<IRQ> [< inline >] __dump_stack lib/dump_stack.c:15
<IRQ> [<ffffffff81aab806>] dump_stack+0x68/0x92 lib/dump_stack.c:50
[<ffffffff814a4b34>] print_trailer+0xf4/0x150 mm/slub.c:650
[<ffffffff814aa44f>] object_err+0x2f/0x40 mm/slub.c:657
[< inline >] print_address_description mm/kasan/report.c:120
[<ffffffff814ac976>] kasan_report_error+0x1d6/0x3c0 mm/kasan/report.c:193
[< inline >] kasan_report mm/kasan/report.c:230
[<ffffffff814acc5e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:251
[<ffffffff819614cf>] selinux_ip_postroute_compat+0x2af/0x2d0
security/selinux/hooks.c:4947
[<ffffffff819619af>] selinux_ip_postroute+0x4bf/0xb70
security/selinux/hooks.c:4986
[<ffffffff819620ee>] selinux_ipv4_postroute+0x3e/0x50
security/selinux/hooks.c:5110
[<ffffffff8287918d>] nf_iterate+0x15d/0x250 net/netfilter/core.c:274
[<ffffffff82879421>] nf_hook_slow+0x1a1/0x300 net/netfilter/core.c:306
[< inline >] nf_hook_thresh include/linux/netfilter.h:187
[< inline >] NF_HOOK_COND include/linux/netfilter.h:238
[<ffffffff829072c5>] ip_output+0x2b5/0x460 net/ipv4/ip_output.c:358
[< inline >] dst_output include/net/dst.h:459
[<ffffffff82904528>] ip_local_out+0xd8/0x1c0 net/ipv4/ip_output.c:116
[<ffffffff82904bb6>] ip_build_and_send_pkt+0x5a6/0xa40 net/ipv4/ip_output.c:171
[<ffffffff8299183d>] tcp_v4_send_synack+0x18d/0x270 net/ipv4/tcp_ipv4.c:841
[<ffffffff8294beeb>] tcp_conn_request+0x1f3b/0x2750 net/ipv4/tcp_input.c:6273
[<ffffffff8298b4be>] tcp_v4_conn_request+0x17e/0x240 net/ipv4/tcp_ipv4.c:1234
[<ffffffff8296012e>] tcp_rcv_state_process+0x6ae/0x4130
net/ipv4/tcp_input.c:5750
[<ffffffff8298f7db>] tcp_v4_do_rcv+0x2fb/0x9f0 net/ipv4/tcp_ipv4.c:1405
[<ffffffff82994952>] tcp_v4_rcv+0x2872/0x2f80 net/ipv4/tcp_ipv4.c:1630
[<ffffffff828eb0c9>] ip_local_deliver_finish+0x2a9/0xa30
net/ipv4/ip_input.c:216
[< inline >] NF_HOOK_THRESH include/linux/netfilter.h:226
[< inline >] NF_HOOK include/linux/netfilter.h:249
[<ffffffff828ed124>] ip_local_deliver+0x1c4/0x2f0 net/ipv4/ip_input.c:257
[< inline >] dst_input include/net/dst.h:465
[<ffffffff828ebe64>] ip_rcv_finish+0x614/0x11d0 net/ipv4/ip_input.c:365
[< inline >] NF_HOOK_THRESH include/linux/netfilter.h:226
[< inline >] NF_HOOK include/linux/netfilter.h:249
[<ffffffff828edcc6>] ip_rcv+0xa76/0x1470 net/ipv4/ip_input.c:455
[<ffffffff827c50d9>] __netif_receive_skb_core+0x1cb9/0x38e0 net/core/dev.c:3940
[<ffffffff827c6d2a>] __netif_receive_skb+0x2a/0x160 net/core/dev.c:3975
[<ffffffff827c9405>] netif_receive_skb_internal+0xe5/0x360 net/core/dev.c:4003
[< inline >] napi_skb_finish net/core/dev.c:4328
[<ffffffff827cd9d0>] napi_gro_receive+0x1c0/0x260 net/core/dev.c:4357
[< inline >] e1000_receive_skb
drivers/net/ethernet/intel/e1000/e1000_main.c:4007
[<ffffffff8232012c>] e1000_clean_rx_irq+0x4ec/0x10c0
drivers/net/ethernet/intel/e1000/e1000_main.c:4459
[<ffffffff8231dd46>] e1000_clean+0xa56/0x2520
drivers/net/ethernet/intel/e1000/e1000_main.c:3814
[< inline >] napi_poll net/core/dev.c:4793
[<ffffffff827ca73d>] net_rx_action+0x74d/0xc70 net/core/dev.c:4858
[<ffffffff8110fdae>] __do_softirq+0x2ae/0x710 kernel/softirq.c:273
[< inline >] invoke_softirq kernel/softirq.c:350
[<ffffffff811104ad>] irq_exit+0x15d/0x190 kernel/softirq.c:391
[< inline >] exiting_irq ./arch/x86/include/asm/apic.h:653
[<ffffffff81013256>] do_IRQ+0x86/0x1a0 arch/x86/kernel/irq.c:252
[<ffffffff82f23387>] common_interrupt+0x87/0x87 arch/x86/entry/entry_64.S:545
<EOI> [<ffffffff810d0706>] ? native_safe_halt+0x6/0x10
./arch/x86/include/asm/irqflags.h:49
[< inline >] arch_safe_halt ./arch/x86/include/asm/paravirt.h:111
[<ffffffff81026e42>] default_idle+0x22/0x1e0 arch/x86/kernel/process.c:304
[<ffffffff81027f7a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:295
[<ffffffff811d9b98>] default_idle_call+0x48/0x70 kernel/sched/idle.c:92
[< inline >] cpuidle_idle_call kernel/sched/idle.c:156
[< inline >] cpu_idle_loop kernel/sched/idle.c:251
[<ffffffff811da0bd>] cpu_startup_entry+0x41d/0x570 kernel/sched/idle.c:299
[<ffffffff810ac8b3>] start_secondary+0x243/0x2d0 arch/x86/kernel/smpboot.c:251

INFO: Allocated in __alloc_skb+0xf0/0x5f0 age=20059 cpu=1 pid=1248
[< none >] __slab_alloc+0x23a/0x560 mm/slub.c:2402
[< inline >] slab_alloc_node mm/slub.c:2470
[< none >] __kmalloc_node_track_caller+0xa4/0x230 mm/slub.c:3956
[< none >] __kmalloc_reserve.isra.33+0x41/0xe0 net/core/skbuff.c:135
[< none >] __alloc_skb+0xf0/0x5f0 net/core/skbuff.c:228
[< inline >] alloc_skb include/linux/skbuff.h:814
[< none >] kobject_uevent_env+0x5b0/0xbc0 lib/kobject_uevent.c:300
[< none >] kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:374
[< none >] uevent_store+0xc9/0xd0 drivers/base/bus.c:655
[< none >] dev_attr_store+0x5c/0x90 drivers/base/core.c:137
[< none >] sysfs_kf_write+0x121/0x180 fs/sysfs/file.c:133
[< none >] kernfs_fop_write+0x2b0/0x3f0 fs/kernfs/file.c:312
[< none >] __vfs_write+0x10e/0x3d0 fs/read_write.c:489
[< none >] vfs_write+0x16e/0x490 fs/read_write.c:538
[< inline >] SYSC_write fs/read_write.c:585
[< none >] SyS_write+0x111/0x220 fs/read_write.c:577
[< none >] entry_SYSCALL_64_fastpath+0x31/0x9a
arch/x86/entry/entry_64.S:187

INFO: Freed in skb_release_data+0x300/0x3c0 age=19765 cpu=2 pid=1219
[< none >] __slab_free+0x1ec/0x350 mm/slub.c:2587 (discriminator 1)
[< inline >] slab_free mm/slub.c:2736
[< none >] kfree+0x1ab/0x1c0 mm/slub.c:3522
[< inline >] skb_free_head net/core/skbuff.c:569
[< none >] skb_release_data+0x300/0x3c0 net/core/skbuff.c:600
[< none >] skb_release_all+0x4a/0x60 net/core/skbuff.c:659
[< inline >] __kfree_skb net/core/skbuff.c:673
[< none >] consume_skb+0xb1/0x1e0 net/core/skbuff.c:746
[< none >] skb_free_datagram+0x1a/0xe0 net/core/datagram.c:280
[< none >] netlink_recvmsg+0x536/0xd20 net/netlink/af_netlink.c:2590
[< inline >] sock_recvmsg_nosec net/socket.c:712
[< none >] sock_recvmsg+0x9d/0xb0 net/socket.c:720
[< none >] ___sys_recvmsg+0x259/0x540 net/socket.c:2104
[< none >] __sys_recvmsg+0xce/0x170 net/socket.c:2150
[< inline >] SYSC_recvmsg net/socket.c:2162
[< none >] SyS_recvmsg+0x2d/0x50 net/socket.c:2157
[< none >] entry_SYSCALL_64_fastpath+0x31/0x9a
arch/x86/entry/entry_64.S:187
INFO: Slab 0xffffea0000f6f700 objects=19 used=0 fp=0xffff88003dbdf0c0
flags=0x100000000004080
INFO: Object 0xffff88003dbdc000 @offset=0 fp=0xffff88003dbdc340
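The report above follows the KASAN/SLUB layout: a bad-access header, the call trace of the access, the "Allocated in" and "Freed in" tracks, and the slab/object lines. As an added example that is not part of Dmitry Vyukov's message or of the kernel tree, the Python script below parses a report in that layout and derives the first things a triager wants before opening the source: the offset of the read inside the freed kmalloc-512 object, how long the object lived and how long it had been free (SLUB ages are jiffies counted back from the moment of the report), whether the free ran on a different CPU from the use, and the first non-allocator frame of each stack. The embedded REPORT is an abridged copy of the report above, including the mail wrapping that puts a frame's file:line on its own line; the set of path prefixes treated as allocator or reporting plumbing is this script's assumption.

```python
"""Parse and triage a KASAN use-after-free report. Added example, not code from
the message above or from the kernel. It copes with the mail wrapping that puts
a frame's file:line on its own line. REPORT is an abridged copy of the report
above; the "plumbing" path prefixes below are this script's assumption."""
import re

REPORT = """\
BUG: KASan: use after free in selinux_ip_postroute_compat+0x2af/0x2d0
at addr ffff88003dbdc148
Read of size 8 by task swapper/1/0
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 4.3.0+ #29
Call Trace:
<IRQ> [<ffffffff81aab806>] dump_stack+0x68/0x92 lib/dump_stack.c:50
[<ffffffff814acc5e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:251
[<ffffffff819614cf>] selinux_ip_postroute_compat+0x2af/0x2d0
security/selinux/hooks.c:4947

INFO: Allocated in __alloc_skb+0xf0/0x5f0 age=20059 cpu=1 pid=1248
[< none >] __alloc_skb+0xf0/0x5f0 net/core/skbuff.c:228
[< inline >] alloc_skb include/linux/skbuff.h:814
[< none >] kobject_uevent_env+0x5b0/0xbc0 lib/kobject_uevent.c:300

INFO: Freed in skb_release_data+0x300/0x3c0 age=19765 cpu=2 pid=1219
[< none >] __slab_free+0x1ec/0x350 mm/slub.c:2587 (discriminator 1)
[< none >] skb_release_data+0x300/0x3c0 net/core/skbuff.c:600
[< none >] netlink_recvmsg+0x536/0xd20 net/netlink/af_netlink.c:2590
INFO: Slab 0xffffea0000f6f700 objects=19 used=0 fp=0xffff88003dbdf0c0
INFO: Object 0xffff88003dbdc000 @offset=0 fp=0xffff88003dbdc340
"""

HEADER_RE = re.compile(
    r"BUG: KASan: (?P<bug>.+?) in (?P<func>\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+\s+"
    r"at addr (?P<addr>[0-9a-f]+)\s+(?P<access>Read|Write) of size (?P<size>\d+)"
    r" by task (?P<task>\S+)", re.S)
CACHE_RE = re.compile(r"^BUG (\S+) \(", re.M)        # "BUG kmalloc-512 (Tainted..."
CPU_RE = re.compile(r"^CPU: (\d+) PID: \d+ Comm: ", re.M)
TRACK_RE = re.compile(r"^INFO: (Allocated|Freed) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+"
                      r" age=(\d+) cpu=(\d+) pid=(\d+)")
SLAB_RE = re.compile(r"^INFO: Slab 0x[0-9a-f]+ objects=(\d+) used=(\d+)")
OBJECT_RE = re.compile(r"^INFO: Object 0x([0-9a-f]+) @offset=\d+")
FRAME_RE = re.compile(r"^(?:<\w+> )?\[<\s*(?:none|inline|[0-9a-f]+)\s*>\]\s+(?:\? )?"
                      r"(\S+)(?:\s+(\S+:\d+))?")
LOC_RE = re.compile(r"^\S+:\d+$")                     # a wrapped file:line on its own
# Assumed plumbing prefixes: frames under them are allocator/report machinery,
# not the object's owner; skbuff is listed because this object is skb data.
ALLOCATOR_PATHS = ("mm/", "net/core/skbuff.c", "include/linux/skbuff.h")
REPORTING_PATHS = ("mm/", "lib/dump_stack.c")


def _frames(lines, i):
    """Collect (function, file:line) frames from lines[i:] until a non-frame line."""
    frames = []
    while i < len(lines) and (m := FRAME_RE.match(lines[i])):
        func, loc = m[1].split("+")[0], m[2]          # drop the +0xoff/0xlen suffix
        if loc is None and i + 1 < len(lines) and LOC_RE.match(lines[i + 1]):
            i, loc = i + 1, lines[i + 1]              # file:line wrapped to next line
        frames.append((func, loc))
        i += 1
    return frames, i


def _owner(frames, plumbing):
    return next(((f, l) for f, l in frames if not (l or "").startswith(plumbing)), None)


def parse_kasan_report(text):
    h = HEADER_RE.search(text)
    if not h:
        raise ValueError("no KASAN header found")
    cache, cpu = CACHE_RE.search(text), CPU_RE.search(text)
    rep = {"bug": h["bug"], "func": h["func"], "addr": int(h["addr"], 16),
           "access": h["access"], "size": int(h["size"]),
           "cache": cache[1] if cache else None, "cpu": int(cpu[1]) if cpu else None,
           "trace": [], "alloc": None, "free": None, "slab": None, "object": None}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        if lines[i].startswith("Call Trace:"):
            rep["trace"], i = _frames(lines, i + 1)
        elif t := TRACK_RE.match(lines[i]):
            frames, i = _frames(lines, i + 1)
            rep["alloc" if t[1] == "Allocated" else "free"] = {
                "age": int(t[3]), "cpu": int(t[4]), "pid": int(t[5]), "frames": frames}
        else:
            if s := SLAB_RE.match(lines[i]):
                rep["slab"] = {"objects": int(s[1]), "used": int(s[2])}
            elif o := OBJECT_RE.match(lines[i]):
                rep["object"] = int(o[1], 16)
            i += 1
    return rep


def triage(rep):
    """Offset of the access in the freed object, SLUB ages (jiffies counted back
    from the report), cross-CPU free, and the first non-plumbing frame per stack."""
    cache = rep["cache"] or ""
    size = int(cache.rsplit("-", 1)[1]) if cache.startswith("kmalloc-") else None
    off = rep["addr"] - rep["object"]
    return {
        "offset_in_object": off,
        "access_inside_object": size is None or (0 <= off and off + rep["size"] <= size),
        "jiffies_alive_before_free": rep["alloc"]["age"] - rep["free"]["age"],
        "jiffies_free_before_use": rep["free"]["age"],
        "freed_on_other_cpu": rep["free"]["cpu"] != rep["cpu"],
        "use_site": _owner(rep["trace"], REPORTING_PATHS),
        "alloc_owner": _owner(rep["alloc"]["frames"], ALLOCATOR_PATHS),
        "free_owner": _owner(rep["free"]["frames"], ALLOCATOR_PATHS),
    }
```

Run against the report above, `triage(parse_kasan_report(REPORT))` places the 8-byte read at offset 0x148 of the freed 512-byte skb data buffer, shows the buffer was freed 294 jiffies after allocation and had been free for 19765 jiffies when the SYN-ACK path touched it, and attributes the allocation to kobject_uevent_env and the free to netlink_recvmsg rather than to the slab helpers that sit on top of each stack. Those are the facts worth carrying to security/selinux/hooks.c:4947 before speculating about the cause.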