| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 May 2018 14:34:13 -0600
From: Jason Gunthorpe <jgg@...pe.ca>
To: DaeRyong Jeong <threeearcat@...il.com>
Cc: dledford@...hat.com, leon@...nel.org, parav@...lanox.com,
danielj@...lanox.com, swise@...ngridcomputing.com,
monis@...lanox.com, inux-rdma@...r.kernel.org,
linux-kernel@...r.kernel.org, byoungyoung@...due.edu,
kt0755@...il.com, bammanag@...due.edu
Subject: Re: KASAN: use-after-free Read in cma_cancel_operation
On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote:
> We report the crash: KASAN: use-after-free Read in cma_cancel_operation
>
> Note that this bug is previously reported by syzkaller.
> https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> Nonetheless, this bug has not fixed yet, and we hope that this report and our
> analysis, which gets help by the RaceFuzzer's feature, will helpful to fix the
> crash.
>
> This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
> version of Syzkaller), which we describe more at the end of this
> report. Our analysis shows that the race occurs when invoking two
> syscalls concurrently, write$rdma_cm and write$rdma_cm.
Well, calling rdma_destroy_id() twice/concurrently is invalid.. The
confusing part of this is how does it happen from ucma.c ..
Double calls via write look OK to me, the ID is removed from the IDR
at the top so it cannot be invoked twice.. So not sure what
"write$rdma_cm and write$rdma_cm." is supposed to me?
Is your test showing that write() vs close() is the problem? The oops
suggests that.. And the logic around ctx->closing looks tortured
enough that it is probably wrong...
Jason
Powered by blists - more mailing lists