KASAN: use-after-free Read in cipso_v4_genopt

Original report of the bug: https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e

From our analysis, we find that it can lead to 1 constrained address write.

Fuzzer tested kernel version: 7a7fd0de

Upstream patch: cipso,calipso: resolve a number of problems with the DOI refcounts and net: mac802154: Fix general protection fault

Primitive 1: Constrained address write in netlbl_bitmap_setbit

Bug impact analysis:

doi_def was freed but still used in cipso_v4_genopt

switch (doi_def->tags[iter]) { // doi_def was freed, thus it triggered the UAF read which was initially caught by syzbot/syzkaller

case CIPSO_V4_TAG_RBITMAP:

ret_val = cipso_v4_gentag_rbm(doi_def, // doi_def was freed, and got passed to cipso_v4_gentag_rbm

secattr,

&buf[CIPSO_V4_HDR_LEN],

buf_len - CIPSO_V4_HDR_LEN);

break;

cipso_v4_gentag_rbm passed doi_def to cipso_v4_map_cat_rbm_hton

static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,

const struct netlbl_lsm_secattr *secattr,

unsigned char *buffer,

u32 buffer_len)

{

...

if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {

ret_val = cipso_v4_map_cat_rbm_hton(doi_def, // doi_def was freed, and got passed to cipso_v4_map_lvl_hton

secattr,

&buffer[4],

buffer_len - 4);

...

}

Note that doi_def was freed, host_cat_array can point to any address. Furthermore, elements in host_cat_array can also take potentially any arbitrary value

static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,

const struct netlbl_lsm_secattr *secattr,

unsigned char *net_cat,

u32 net_cat_len)

{

...

u32 *host_cat_array = NULL;

if (doi_def->type == CIPSO_V4_MAP_TRANS) {

host_cat_size = doi_def->map.std->cat.local_size;

host_cat_array = doi_def->map.std->cat.local; // An arbitrary value write happened here

}

for (;;) {

...

switch (doi_def->type) {

case CIPSO_V4_MAP_TRANS:

...

net_spot = host_cat_array[host_spot]; // net_spot can also be an arbitrary value

...

break;

}

...

netlbl_bitmap_setbit(net_cat, net_spot, 1); // net_spot passed to netlbl_bitmap_setbit

...

}

...

}

By controlling bit, we can control the index of bitmap, which means we can determine how far the write can be (causing OOB memory access)

void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state)

{

u32 byte_spot;

u8 bitmask;

byte_spot = bit / 8; // bit is an arbitrary value, therefore we can control byte_spot

bitmask = 0x80 >> (bit % 8);

if (state)

bitmap[byte_spot] |= bitmask; // The write can be out-of-bounds as byte_spot is controlled, the address range where the write can happen is [bitmap, bitmap+536870912]

else

bitmap[byte_spot] &= ~bitmask; // The write can be out-of-bounds by byte_spot is controlled, the address range where the write can happen is [bitmap, bitmap+536870912]

}

Trace in high level:

|cipso_v4_genopt net/ipv4/cipso_ipv4.c:1784 (Triggered the UAF read bug)

|netlbl_bitmap_setbit net/ipv4/cipso_ipv4.c:829

|netlbl_bitmap_setbit net/netlabel/netlabel_kapi.c:930 (Triggered a new impact: Constrained address write)

Trace in detail:

0xffffffff85327b63

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1784 (Triggered the UAF read bug)

--------------------------------------

0xffffffff85327b75

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1784

--------------------------------------

0xffffffff85327b7e

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1784

--------------------------------------

0xffffffff85327b84

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1784

--------------------------------------

0xffffffff85327e81

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1786

--------------------------------------

0xffffffff85327e86

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1786

--------------------------------------

0xffffffff85327e8e

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1786

--------------------------------------

0xffffffff85327ea3

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1786

--------------------------------------

0xffffffff85327eac

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1194

--------------------------------------

0xffffffff85327eb1

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1194

--------------------------------------

0xffffffff85327ebd

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1194

--------------------------------------

0xffffffff85327ed3

cipso_v4_genopt net/ipv4/cipso_ipv4.c:681

--------------------------------------

0xffffffff85327eec

cipso_v4_genopt net/ipv4/cipso_ipv4.c:681

--------------------------------------

0xffffffff853281ef

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1814

--------------------------------------

0xffffffff853281f4

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1814

--------------------------------------

0xffffffff85328204

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1814

--------------------------------------

0xffffffff85328212

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff85328225

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff8532822e

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff85328233

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff8532823d

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff85328254

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff85328269

cipso_v4_genopt net/ipv4/cipso_ipv4.c:686

--------------------------------------

0xffffffff85328272

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1200

--------------------------------------

0xffffffff85328277

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1200

--------------------------------------

0xffffffff85328283

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1200

--------------------------------------

0xffffffff8532828b

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1201

--------------------------------------

0xffffffff85328290

cipso_v4_genopt net/ipv4/cipso_ipv4.c:1201

--------------------------------------

0xffffffff853282a7

cipso_v4_genopt net/ipv4/cipso_ipv4.c:805

--------------------------------------

0xffffffff853282b1

cipso_v4_genopt net/ipv4/cipso_ipv4.c:805

--------------------------------------

0xffffffff853282c6

cipso_v4_genopt net/ipv4/cipso_ipv4.c:806

--------------------------------------

0xffffffff853280a9

cipso_v4_genopt net/ipv4/cipso_ipv4.c:804

--------------------------------------

0xffffffff85328118

cipso_v4_genopt net/ipv4/cipso_ipv4.c:810

--------------------------------------

0xffffffff8532811d

cipso_v4_genopt net/ipv4/cipso_ipv4.c:810

--------------------------------------

0xffffffff8532812d

cipso_v4_genopt net/ipv4/cipso_ipv4.c:810

--------------------------------------

0xffffffff85c25c80

netlbl_catmap_walk net/netlabel/netlabel_kapi.c:615

--------------------------------------

0xffffffff85c25c98

netlbl_catmap_walk net/netlabel/netlabel_kapi.c:562

--------------------------------------

0xffffffff85c25c9d