lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180513203413.GB16286@ziepe.ca>
Date:   Sun, 13 May 2018 14:34:13 -0600
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     DaeRyong Jeong <threeearcat@...il.com>
Cc:     dledford@...hat.com, leon@...nel.org, parav@...lanox.com,
        danielj@...lanox.com, swise@...ngridcomputing.com,
        monis@...lanox.com, inux-rdma@...r.kernel.org,
        linux-kernel@...r.kernel.org, byoungyoung@...due.edu,
        kt0755@...il.com, bammanag@...due.edu
Subject: Re: KASAN: use-after-free Read in cma_cancel_operation

On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote:
> We report the crash: KASAN: use-after-free Read in cma_cancel_operation
> 
> Note that this bug is previously reported by syzkaller.
> https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> Nonetheless, this bug has not fixed yet, and we hope that this report and our
> analysis, which gets help by the RaceFuzzer's feature, will helpful to fix the
> crash.
> 
> This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
> version of Syzkaller), which we describe more at the end of this
> report. Our analysis shows that the race occurs when invoking two
> syscalls concurrently, write$rdma_cm and write$rdma_cm.

Well, calling rdma_destroy_id() twice/concurrently is invalid.. The
confusing part of this is how does it happen from ucma.c ..

Double calls via write look OK to me, the ID is removed from the IDR
at the top so it cannot be invoked twice.. So not sure what
"write$rdma_cm and write$rdma_cm." is supposed to me?

Is your test showing that write() vs close() is the problem? The oops
suggests that.. And the logic around ctx->closing looks tortured
enough that it is probably wrong...

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ