lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAOJe8K0XkGCd198eYdR2EHPcTWrT8pUsuVFomubJv3anpzEBgw@mail.gmail.com>
Date:   Sat, 6 Jan 2018 12:29:15 -0500
From:   Denis Kirjanov <kda@...ux-powerpc.org>
To:     syzbot <syzbot+5adcca18fca253b4cb15@...kaller.appspotmail.com>
Cc:     davem@...emloft.net, linux-kernel@...r.kernel.org,
        linux-sctp@...r.kernel.org, netdev@...r.kernel.org,
        nhorman@...driver.com, syzkaller-bugs@...glegroups.com,
        vyasevich@...il.com
Subject: Re: KASAN: use-after-free Read in sctp_packet_transmit

On 1/5/18, syzbot <syzbot+5adcca18fca253b4cb15@...kaller.appspotmail.com> wrote:
> Hello,
>
> syzkaller hit the following crash on
> 8a4816cad00bf14642f0ed6043b32d29a05006ce
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5adcca18fca253b4cb15@...kaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ==================================================================
> BUG: KASAN: use-after-free in sctp_packet_transmit+0x3505/0x3750
> net/sctp/output.c:643
> Read of size 8 at addr ffff8801bda9fb80 by task modprobe/23740
>

This can be related to the following corruption during send:
 #6 [ffff8805945ff940] invalid_op at ffffffff8100c15b
    [exception RIP: sctp_chunk_put+91]
    RIP: ffffffffa039db3b  RSP: ffff8805945ff9f8  RFLAGS: 00010212
    RAX: ffff8808b025cb01  RBX: ffff880dbb1b0d80  RCX: ffff8805945ff818
    RDX: 0000000000000020  RSI: ffff8809a84746d8  RDI: ffff880dbb1b0d80
    RBP: ffff8805945ffa08   R8: ffff880dbb13a0c0   R9: 0000000000000000
    R10: ffff880000023820  R11: 0000000000000000  R12: ffff880dbb1b0d80
    R13: 0000000000000000  R14: ffff8808b025cb80  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #7 [ffff8805945ffa10] sctp_datamsg_put at ffffffffa039c543 [sctp]
 #8 [ffff8805945ffa60] sctp_datamsg_free at ffffffffa039c9dd [sctp]
 #9 [ffff8805945ffa80] sctp_sendmsg at ffffffffa03a9440 [sctp]
#10 [ffff8805945ffb70] inet_sendmsg at ffffffff814ef0ba
#11 [ffff8805945ffbb0] sock_sendmsg at ffffffff8146b4c7
#12 [ffff8805945ffd60] __sys_sendmsg at ffffffff8146b976
#13 [ffff8805945fff10] sys_sendmsg at ffffffff8146bb99

In this case we have the chunk with 0 refcounter:
struct sctp_chunk {
  list = {
    next = 0xffff8809a84746d8,
    prev = 0xffff880dbb1b0e80
  },
  refcnt = {
    counter = 0
  },
  transmitted_list = {
    next = 0xffff880dbb1b0d98,
    prev = 0xffff880dbb1b0d98
  },
  frag_list = {
    next = 0xffff880dbb1b0da8,
    prev = 0xffff880dbb1b0da8
  },
  skb = 0xffff880dbb1a4700,
  param_hdr = {
    v = 0x0,
    p = 0x0,
    life = 0x0,
    dns = 0x0,
    cookie = 0x0,
....

Previous chunk in the list has the refcounter set to 2:
struct sctp_chunk {
  list = {
    next = 0xffff880dbb1b0d80,
    prev = 0xffff880c657160c0
  },
  refcnt = {
    counter = 2
  },
  transmitted_list = {
    next = 0xffff880dbb1b0e98,
    prev = 0xffff880dbb1b0e98
  },
  frag_list = {
    next = 0xffff8808b025c300,
    prev = 0xffff8808b025c300
  },
  skb = 0xffff880dbb1a4840,
  param_hdr = {
    v = 0x0,
    p = 0x0,
    life = 0x0,
    dns = 0x0,
    cookie = 0x0,
...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ