[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+xQxcQB92NK5-xBtd2rWQRGWPv29G5jePva2c2sTg248Q@mail.gmail.com>
Date: Wed, 5 Apr 2017 16:02:44 +0200
From: Andrey Konovalov <andreyknvl@...gle.com>
To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc: Xin Long <lucien.xin@...il.com>,
Vlad Yasevich <vyasevich@...il.com>,
Neil Horman <nhorman@...driver.com>,
"David S. Miller" <davem@...emloft.net>,
linux-sctp@...r.kernel.org, netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/sctp: list double add warning in sctp_endpoint_add_asoc
On Tue, Apr 4, 2017 at 11:14 PM, Marcelo Ricardo Leitner
<marcelo.leitner@...il.com> wrote:
> On Wed, Apr 05, 2017 at 01:29:19AM +0800, Xin Long wrote:
>> On Tue, Apr 4, 2017 at 9:28 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>> > Hi,
>> >
>> > I've got the following error report while fuzzing the kernel with syzkaller.
>> >
>> > On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5).
>> >
>> > A reproducer and .config are attached.
>> The script is pretty hard to reproduce the issue in my env.
>
> I didn't try running it but I also found the reproducer very complicated
> to follow. Do you have any plans on having some PoC optimizer, so we can
> have a more readable code?
> strace is handy for filtering the noise, yes, but sometimes it doesn't
> cut it.
We do have some plans (like to remote all those unnecessary helper
functions), but it's probably not going to become much better.
You mostly only need to look at the thr() function to understand
what's going on.
What I sometimes do is run each of the switch cases under strace
separately to understand what each of them do.
I've also attached a program in syzkaller format.
You can take a look at it, if you find it useful, I can start
attaching them for subsequent reports.
>
>> But there seems a case to cause a use-after-free when out of snd_buf.
>>
>> the case is like:
>> -----------
>> one thread: another thread:
>> sctp_rcv hold asoc (hold transport)
>> enqueue the chunk to backlog queue
>> [refcnt=2]
>>
>> sctp_close free assoc
>> [refcnt=1]
>>
>> sctp_sendmsg find asoc
>> but not hold it
>>
>> out of snd_buf
>> hold asoc, schedule out
>> [refcnt = 2]
>>
>> process backlog and put asoc/transport
>> [refcnt=1]
>>
>> schedule in, put asoc
>> [refcnt=0] <--- destroyed
>>
>> sctp_sendmsg continue
>
> It shouldn't be continuing here because sctp_wait_for_sndbuf and
> sctp_wait_for_connect functions are checking if the asoc is dead
> already when it schedules in, even though sctp_wait_for_connect return
> value is ignored and sctp_sendmsg() simply returns after that.
> Or the checks for dead asocs in there aren't enough somehow.
>
>> using asoc, panic
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@...glegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Download attachment "log" of type "application/octet-stream" (9189 bytes)
Powered by blists - more mailing lists