general protection fault in tomoyo_socket_sendmsg_permission

Tetsuo Handa penguin-kernel at i-love.sakura.ne.jp
Fri Nov 13 10:49:58 UTC 2020 

syzbot reported that LSM module which inspects "struct socket"->sk experiences
NULL pointer dereference because vdev->ud.tcp_socket was set to NULL while
vdev->ud.tcp_tx kernel thread is still running.
Is serialization between attach_store() and vhci_shutdown_connection() correct?

[ 1151.164402][T23363] vhci_hcd: connection closed
[ 1151.167346][  T240] vhci_hcd: stop threads
[ 1151.178329][T26761] usb 17-1: new low-speed USB device number 2 using vhci_hcd
[ 1151.181245][  T240] vhci_hcd: release socket
[ 1151.195480][T23364] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
[ 1151.207194][T23364] KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[ 1151.215600][T23364] CPU: 0 PID: 23364 Comm: vhci_tx Not tainted 5.10.0-rc2-syzkaller #0
[ 1151.223740][T23364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1151.233909][T23364] RIP: 0010:tomoyo_socket_sendmsg_permission+0x80/0x340
[ 1151.240845][T23364] Code: c7 40 0c f3 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 a0 00 00 00 31 c0 e8 0b 70 f1 fd 48 8d 7d 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 7d 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c
[ 1151.260448][T23364] RSP: 0018:ffffc90016f77ad0 EFLAGS: 00010206
[ 1151.260802][  T240] vhci_hcd: disconnect device

static void vhci_shutdown_connection(struct usbip_device *ud)
{
	struct vhci_device *vdev = container_of(ud, struct vhci_device, ud);

	/* need this? see stub_dev.c */
	if (ud->tcp_socket) {
		pr_debug("shutdown tcp_socket %d\n", ud->sockfd);
		kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
	}

	/* kill threads related to this sdev */
	if (vdev->ud.tcp_rx) {
		kthread_stop_put(vdev->ud.tcp_rx);
		vdev->ud.tcp_rx = NULL;
	}
	if (vdev->ud.tcp_tx) {
		kthread_stop_put(vdev->ud.tcp_tx);
		vdev->ud.tcp_tx = NULL;
	}
	pr_info("stop threads\n");

	/* active connection is closed */
	if (vdev->ud.tcp_socket) {
		sockfd_put(vdev->ud.tcp_socket);
		vdev->ud.tcp_socket = NULL;
		vdev->ud.sockfd = -1;
	}
	pr_info("release socket\n");

On 2020/11/13 16:21, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    9dbc1c03 Merge tag 'xfs-5.10-fixes-3' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10453034500000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1735b7978b1c3721
> dashboard link: https://syzkaller.appspot.com/bug?extid=95ce4b142579611ef0a9
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> userspace arch: i386
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+95ce4b142579611ef0a9 at syzkaller.appspotmail.com
> 
> general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
> CPU: 0 PID: 23364 Comm: vhci_tx Not tainted 5.10.0-rc2-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:tomoyo_socket_sendmsg_permission+0x80/0x340 security/tomoyo/network.c:762
> Code: c7 40 0c f3 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 a0 00 00 00 31 c0 e8 0b 70 f1 fd 48 8d 7d 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 7d 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c
> RSP: 0018:ffffc90016f77ad0 EFLAGS: 00010206
> RAX: 0000000000000003 RBX: 1ffff92002deef5b RCX: ffffffff83b3789e
> RDX: ffff8880186c8000 RSI: ffffffff837e9945 RDI: 0000000000000018
> RBP: 0000000000000000 R08: 0000000000000030 R09: ffffc90016f77d97
> R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
> R13: ffffc90016f77ce8 R14: ffffc90016f77ce8 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000562623b70868 CR3: 000000002af19000 CR4: 00000000001526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  security_socket_sendmsg+0x50/0xb0 security/security.c:2140
>  sock_sendmsg+0x3f/0x120 net/socket.c:668
>  vhci_send_cmd_submit+0x897/0xf90 drivers/usb/usbip/vhci_tx.c:139
>  vhci_tx_loop+0xfc/0x370 drivers/usb/usbip/vhci_tx.c:241
>  kthread+0x3af/0x4a0 kernel/kthread.c:292
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> Modules linked in:
> ---[ end trace 535369ec3e6ef304 ]---
> RIP: 0010:tomoyo_socket_sendmsg_permission+0x80/0x340 security/tomoyo/network.c:762
> Code: c7 40 0c f3 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 a0 00 00 00 31 c0 e8 0b 70 f1 fd 48 8d 7d 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 7d 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c
> RSP: 0018:ffffc90016f77ad0 EFLAGS: 00010206
> RAX: 0000000000000003 RBX: 1ffff92002deef5b RCX: ffffffff83b3789e
> RDX: ffff8880186c8000 RSI: ffffffff837e9945 RDI: 0000000000000018
> RBP: 0000000000000000 R08: 0000000000000030 R09: ffffc90016f77d97
> R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
> R13: ffffc90016f77ce8 R14: ffffc90016f77ce8 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f0c3a930740 CR3: 000000002af19000 CR4: 00000000001526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller at googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>

More information about the Linux-security-module-archive mailing list