Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)

From: Alexander Potapenko
Date: Fri Apr 28 2017 - 10:30:42 EST


On Wed, Apr 26, 2017 at 3:00 PM, Alexander Potapenko <glider@xxxxxxxxxx> wrote:
> On Wed, Apr 26, 2017 at 10:54 AM, Alexander Potapenko <glider@xxxxxxxxxx> wrote:
>> On Tue, Apr 25, 2017 at 7:55 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
>>> From: Alexander Potapenko <glider@xxxxxxxxxx>
>>> Date: Tue, 25 Apr 2017 15:18:27 +0200
>>>
>>>> rawv6_send_hdrinc() expects that the buffer copied from the userspace
>>>> contains the IPv6 header, so if too few bytes are copied parts of the
>>>> header may remain uninitialized.
>>>>
>>>> This bug has been detected with KMSAN.
>>>>
>>>> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
>>>
>>> Hmmm, ipv4 seems to lack this check as well.
>>>
>>> I think we need to be careful here and fully understand why KMSAN doesn't
>>> seem to be triggering in the ipv4 case but for ipv6 it is before I apply
>>> this.
>> Maybe I just couldn't come up with a decent test case for ipv4 yet.
>> syzkaller generated the equivalent of the following program for ipv6:
>>
>> =======================================
>> #define _GNU_SOURCE
>>
>> #include <netinet/in.h>
>> #include <string.h>
>> #include <sys/socket.h>
>> #include <error.h>
>>
>> int main()
>> {
>> int sock = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
>> struct sockaddr_in6 dest_addr;
>> memset(&dest_addr, 0, sizeof(dest_addr));
>> dest_addr.sin6_family = AF_INET6;
>> inet_pton(AF_INET6, "ff00::", &dest_addr.sin6_addr);
>> int err = sendto(sock, 0, 0, 0, &dest_addr, sizeof(dest_addr));
>> if (err == -1)
>> perror("sendto");
>> return 0;
>> }
>> =======================================
>>
>> I attempted to replace INET6 and such with INET and provide a legal
>> IPv4 address to inet_pton(), but couldn't trigger the warning.
> syzkaller reports the following errors in the wild (although there's
> no stable repro):
>
> ==================================================================
> BUG: KMSAN: use of unitialized memory in raw_send_hdrinc
> net/ipv4/raw.c:407 [inline]
> BUG: KMSAN: use of unitialized memory in raw_sendmsg+0x2c8b/0x3400
> net/ipv4/raw.c:640
> inter: 0
> CPU: 3 PID: 2853 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2445
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:16 [inline]
> dump_stack+0x143/0x1b0 lib/dump_stack.c:52
> kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
> __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
> raw_send_hdrinc net/ipv4/raw.c:407 [inline]
> raw_sendmsg+0x2c8b/0x3400 net/ipv4/raw.c:640
> inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
> sock_sendmsg_nosec net/socket.c:633 [inline]
> sock_sendmsg net/socket.c:643 [inline]
> ___sys_sendmsg+0xd4b/0x10f0 net/socket.c:1997
> __sys_sendmsg net/socket.c:2031 [inline]
> SYSC_sendmsg+0x2c6/0x3f0 net/socket.c:2042
> SyS_sendmsg+0x87/0xb0 net/socket.c:2038
> entry_SYSCALL_64_fastpath+0x13/0x94
> RIP: 0033:0x44a669
> RSP: 002b:00007f08d06edb58 EFLAGS: 00000286 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 0000000000708000 RCX: 000000000044a669
> RDX: 0000000000000000 RSI: 0000000020007fc8 RDI: 0000000000000017
> RBP: 0000000000005080 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000286 R12: 00000000006e4140
> R13: 0000000020b22000 R14: 0000000000000000 R15: 0000000000000000
> origin: 00000000cb200085
> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
> kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362 [inline]
> kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
> kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
> slab_alloc_node mm/slub.c:2735 [inline]
> __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
> __kmalloc_reserve net/core/skbuff.c:138 [inline]
> __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
> alloc_skb include/linux/skbuff.h:933 [inline]
> alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
> sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
> sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
> raw_send_hdrinc net/ipv4/raw.c:366 [inline]
> raw_sendmsg+0x1db4/0x3400 net/ipv4/raw.c:640
> inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
> sock_sendmsg_nosec net/socket.c:633 [inline]
> sock_sendmsg net/socket.c:643 [inline]
> ___sys_sendmsg+0xd4b/0x10f0 net/socket.c:1997
> __sys_sendmsg net/socket.c:2031 [inline]
> SYSC_sendmsg+0x2c6/0x3f0 net/socket.c:2042
> SyS_sendmsg+0x87/0xb0 net/socket.c:2038
> entry_SYSCALL_64_fastpath+0x13/0x94
> ==================================================================
Ok, there was a subtle bug in KMSAN instrumentation that made the IPv4
case extremely hard to discover
(http://bugs.llvm.org/show_bug.cgi?id=32842)
After fixing it, the following syscalls:
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
sendto(3, NULL, 0, MSG_DONTWAIT, {sa_family=AF_INET,
sin_port=htons(36895), sin_addr=inet_addr("10.0.0.0")}, 16) = -1
EINVAL (Invalid argument)
reliably trigger the bug at line 404 here:

342 static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
343 struct msghdr *msg, size_t length,
344 struct rtable **rtp, unsigned int flags,
345 const struct sockcm_cookie *sockc)
346 {
...
391 if (memcpy_from_msg(iph, msg, length))
392 goto error_free;
393
394 iphlen = iph->ihl * 4;
395
396 /*
397 * We don't want to modify the ip header, but we do need to
398 * be sure that it won't cause problems later along the network
399 * stack. Specifically we want to make sure that iph->ihl is a
400 * sane value. If ihl points beyond the length of the
buffer passed
401 * in, reject the frame as invalid
402 */
403 err = -EINVAL;
404 if (iphlen > length)
405 goto error_free;

I'll send the updated patch next week.
>
>>
>>
>>
>> --
>> Alexander Potapenko
>> Software Engineer
>>
>> Google Germany GmbH
>> Erika-Mann-StraÃe, 33
>> 80636 MÃnchen
>>
>> GeschÃftsfÃhrer: Matthew Scott Sucherman, Paul Terence Manicle
>> Registergericht und -nummer: Hamburg, HRB 86891
>> Sitz der Gesellschaft: Hamburg
>
>
>
> --
> Alexander Potapenko
> Software Engineer
>
> Google Germany GmbH
> Erika-Mann-StraÃe, 33
> 80636 MÃnchen
>
> GeschÃftsfÃhrer: Matthew Scott Sucherman, Paul Terence Manicle
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg



--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-StraÃe, 33
80636 MÃnchen

GeschÃftsfÃhrer: Matthew Scott Sucherman, Paul Terence Manicle
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg