[v2,net] RDMA/core: fix UAF in ib_get_eth_speed

Message ID	20240328113233.21388-1-dkirjanov@suse.de (mailing list archive)
State	Not Applicable
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com [209.85.167.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94A427CF1F for <netdev@vger.kernel.org>; Thu, 28 Mar 2024 11:32:53 +0000 (UTC) From: Denis Kirjanov <kirjanov@gmail.com> To: netdev@vger.kernel.org Cc: edumazet@google.com, jgg@ziepe.ca, leon@kernel.org, Denis Kirjanov <dkirjanov@suse.de>, syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com Subject: [PATCH v2 net] RDMA/core: fix UAF in ib_get_eth_speed Date: Thu, 28 Mar 2024 07:32:33 -0400 Message-Id: <20240328113233.21388-1-dkirjanov@suse.de> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[v2,net] RDMA/core: fix UAF in ib_get_eth_speed \| expand [v2,net] RDMA/core: fix UAF in ib_get_eth_speed

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	fail	Errors and warnings before: 944 this patch: 16
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	fail	1 blamed authors not CCed: benve@cisco.com; 3 maintainers not CCed: xuhaoyue1@hisilicon.com linux-rdma@vger.kernel.org benve@cisco.com
netdev/build_clang	fail	Errors and warnings before: 955 this patch: 17
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	fail	Errors and warnings before: 955 this patch: 16
netdev/checkpatch	warning	WARNING: From:/Signed-off-by: email address mismatch: 'From: Denis Kirjanov <kirjanov@gmail.com>' != 'Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>' WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: d41861942fc5 ("IB/core: Add generic function to extract IB speed from netdev")'
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Denis Kirjanov March 28, 2024, 11:32 a.m. UTC

A call to ib_device_get_netdev from ib_get_eth_speed
may lead to a race condition while accessing a netdevice
instance since we don't hold the rtnl lock while checking
the registration state:
	if (res && res->reg_state != NETREG_REGISTERED) {

v2: unlock rtnl on error patch

Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
---
 drivers/infiniband/core/verbs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Eric Dumazet March 28, 2024, 11:51 a.m. UTC | #1

On Thu, Mar 28, 2024 at 12:32 PM Denis Kirjanov <kirjanov@gmail.com> wrote:
>
> A call to ib_device_get_netdev from ib_get_eth_speed
> may lead to a race condition while accessing a netdevice
> instance since we don't hold the rtnl lock while checking
> the registration state:
>         if (res && res->reg_state != NETREG_REGISTERED) {
>
> v2: unlock rtnl on error patch
>

What about other callers of ib_device_get_netdev() ?

It seems they also could be racy.

> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
> ---
>  drivers/infiniband/core/verbs.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
> index 94a7f3b0c71c..9c09d8c328b4 100644
> --- a/drivers/infiniband/core/verbs.c
> +++ b/drivers/infiniband/core/verbs.c
> @@ -1976,11 +1976,13 @@ int ib_get_eth_speed(struct ib_device *dev, u32 port_num, u16 *speed, u8 *width)
>         if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
>                 return -EINVAL;
>
> +       rtnl_lock();
>         netdev = ib_device_get_netdev(dev, port_num);
> -       if (!netdev)
> +       if (!netdev) {
> +               rtnl_unlock()
>                 return -ENODEV;
> +       }
>
> -       rtnl_lock();
>         rc = __ethtool_get_link_ksettings(netdev, &lksettings);
>         rtnl_unlock();
>
> --
> 2.30.2
>

Ratheesh Kannoth March 28, 2024, 11:58 a.m. UTC | #2

On 2024-03-28 at 17:02:33, Denis Kirjanov (kirjanov@gmail.com) wrote:
> A call to ib_device_get_netdev from ib_get_eth_speed
> may lead to a race condition while accessing a netdevice
> instance since we don't hold the rtnl lock while checking
> the registration state:
> 	if (res && res->reg_state != NETREG_REGISTERED) {
>
> v2: unlock rtnl on error patch
>
> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
> ---
>  drivers/infiniband/core/verbs.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
> index 94a7f3b0c71c..9c09d8c328b4 100644
> --- a/drivers/infiniband/core/verbs.c
> +++ b/drivers/infiniband/core/verbs.c
> @@ -1976,11 +1976,13 @@ int ib_get_eth_speed(struct ib_device *dev, u32 port_num, u16 *speed, u8 *width)
>  	if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
>  		return -EINVAL;
>
> +	rtnl_lock();
>  	netdev = ib_device_get_netdev(dev, port_num);
ib_device_get_netdev() hold ref to dev before checking reg_state, isn't it enough ?

> -	if (!netdev)
> +	if (!netdev) {
> +		rtnl_unlock()
>  		return -ENODEV;
> +	}
>
> -	rtnl_lock();
>  	rc = __ethtool_get_link_ksettings(netdev, &lksettings);
>  	rtnl_unlock();
>
> --
> 2.30.2
>

Naveen Mamindlapalli March 28, 2024, 12:01 p.m. UTC | #3

> -----Original Message-----
> From: Denis Kirjanov <kirjanov@gmail.com>
> Sent: Thursday, March 28, 2024 5:03 PM
> To: netdev@vger.kernel.org
> Cc: edumazet@google.com; jgg@ziepe.ca; leon@kernel.org; Denis Kirjanov
> <dkirjanov@suse.de>; syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Subject: [PATCH v2 net] RDMA/core: fix UAF in ib_get_eth_speed
> 
> A call to ib_device_get_netdev from ib_get_eth_speed may lead to a race
> condition while accessing a netdevice instance since we don't hold the rtnl lock
> while checking the registration state:
> 	if (res && res->reg_state != NETREG_REGISTERED) {
> 
> v2: unlock rtnl on error patch
> 
> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from
> netdev")
> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
> ---
>  drivers/infiniband/core/verbs.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c index
> 94a7f3b0c71c..9c09d8c328b4 100644
> --- a/drivers/infiniband/core/verbs.c
> +++ b/drivers/infiniband/core/verbs.c
> @@ -1976,11 +1976,13 @@ int ib_get_eth_speed(struct ib_device *dev, u32
> port_num, u16 *speed, u8 *width)
>  	if (rdma_port_get_link_layer(dev, port_num) !=
> IB_LINK_LAYER_ETHERNET)
>  		return -EINVAL;
> 
> +	rtnl_lock();
>  	netdev = ib_device_get_netdev(dev, port_num);
> -	if (!netdev)
> +	if (!netdev) {
> +		rtnl_unlock()
>  		return -ENODEV;
> +	}
> 
> -	rtnl_lock();
>  	rc = __ethtool_get_link_ksettings(netdev, &lksettings);
>  	rtnl_unlock();
> 
> --
> 2.30.2
> 
Reviewed-by: Naveen Mamindlapalli <naveenm@marvell.com>

Denis Kirjanov March 28, 2024, 12:18 p.m. UTC | #4

On 3/28/24 14:51, Eric Dumazet wrote:
> On Thu, Mar 28, 2024 at 12:32 PM Denis Kirjanov <kirjanov@gmail.com> wrote:
>>
>> A call to ib_device_get_netdev from ib_get_eth_speed
>> may lead to a race condition while accessing a netdevice
>> instance since we don't hold the rtnl lock while checking
>> the registration state:
>>         if (res && res->reg_state != NETREG_REGISTERED) {
>>
>> v2: unlock rtnl on error patch
>>
> 
> What about other callers of ib_device_get_netdev() ?

I'll add ASSERT_RTNL() to ib_device_get_netdev and update the remaining callers.

Thanks!

> 
> It seems they also could be racy.
> 
>> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
>> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
>> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
>> ---
>>  drivers/infiniband/core/verbs.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
>> index 94a7f3b0c71c..9c09d8c328b4 100644
>> --- a/drivers/infiniband/core/verbs.c
>> +++ b/drivers/infiniband/core/verbs.c
>> @@ -1976,11 +1976,13 @@ int ib_get_eth_speed(struct ib_device *dev, u32 port_num, u16 *speed, u8 *width)
>>         if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
>>                 return -EINVAL;
>>
>> +       rtnl_lock();
>>         netdev = ib_device_get_netdev(dev, port_num);
>> -       if (!netdev)
>> +       if (!netdev) {
>> +               rtnl_unlock()
>>                 return -ENODEV;
>> +       }
>>
>> -       rtnl_lock();
>>         rc = __ethtool_get_link_ksettings(netdev, &lksettings);
>>         rtnl_unlock();
>>
>> --
>> 2.30.2
>>

[v2,net] RDMA/core: fix UAF in ib_get_eth_speed

Checks

Commit Message

Comments

Patch