• Eric Dumazet's avatar
    net: fix possible NULL deref in sock_reserve_memory · d00c8ee3
    Eric Dumazet authored
    Sanity check in sock_reserve_memory() was not enough to prevent malicious
    user to trigger a NULL deref.
    
    In this case, the isse is that sk_prot->memory_allocated is NULL.
    
    Use standard sk_has_account() helper to deal with this.
    
    BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
    BUG: KASAN: null-ptr-deref in atomic_long_add_return include/linux/atomic/atomic-instrumented.h:1218 [inline]
    BUG: KASAN: null-ptr-deref in sk_memory_allocated_add include/net/sock.h:1371 [inline]
    BUG: KASAN: null-ptr-deref in sock_reserve_memory net/core/sock.c:994 [inline]
    BUG: KASAN: null-ptr-deref in sock_setsockopt+0x22ab/0x2b30 net/core/sock.c:1443
    Write of size 8 at addr 0000000000000000 by task syz-executor.0/11270
    
    CPU: 1 PID: 11270 Comm: syz-executor.0 Not tainted 5.15.0-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
     __kasan_report mm/kasan/report.c:446 [inline]
     kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
     check_region_inline mm/kasan/generic.c:183 [inline]
     kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
     instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
     atomic_long_add_return include/linux/atomic/atomic-instrumented.h:1218 [inline]
     sk_memory_allocated_add include/net/sock.h:1371 [inline]
     sock_reserve_memory net/core/sock.c:994 [inline]
     sock_setsockopt+0x22ab/0x2b30 net/core/sock.c:1443
     __sys_setsockopt+0x4f8/0x610 net/socket.c:2172
     __do_sys_setsockopt net/socket.c:2187 [inline]
     __se_sys_setsockopt net/socket.c:2184 [inline]
     __x64_sys_setsockopt+0xba/0x150 net/socket.c:2184
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f56076d5ae9
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f5604c4b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: ffffffffffffffda RBX: 00007f56077e8f60 RCX: 00007f56076d5ae9
    RDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000003
    RBP: 00007f560772ff25 R08: 000000000000fec7 R09: 0000000000000000
    R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007fffb61a100f R14: 00007f5604c4b300 R15: 0000000000022000
     </TASK>
    
    Fixes: 2bb2f5fb ("net: add new socket option SO_RESERVE_MEM")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Acked-by: default avatarWei Wang <weiwan@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    d00c8ee3
sock.c 93.6 KB