lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 04 Mar 2017 12:15:14 -0800
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     David Ahern <dsa@...ulusnetworks.com>,
        Mahesh Bandewar <maheshb@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        David Miller <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        James Morris <jmorris@...ei.org>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Patrick McHardy <kaber@...sh.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Cong Wang <xiyou.wangcong@...il.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net: heap out-of-bounds in
 fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote:
> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern <dsa@...ulusnetworks.com> wrote:
> > On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
> >> I am getting heap out-of-bounds reports in
> >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
> >> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all
> >> follow the same pattern: an object of size 216 is allocated from
> >> ip_dst_cache slab, and then accessed at offset 272/276 withing
> >> fib6_walk. Looks like type confusion. Unfortunately this is not
> >> reproducible.
> >
> > I'll take a look this weekend or Monday at the latest.
> 
> 
> I've got some additional useful info on this. I think this is
> use-after-free rather than out-of-bounds. I've collected stack where
> the route was disposed with call_rcu, see the last "Disposed" stack.
> The crash happens when cmpxchg in rt_cache_route replaces an existing
> route. And that route seems to have some existing pointers to it
> (rt->dst.rt6_next) which fib6_walk uses to get to it after its
> deletion.

rt_cache_route() deals with IPv4 routes.

We somehow mix IPv4 and IPv6 dsts in IPv6 tree.

We need to add type safety at IPV6 route insertions to catch the
offender.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ