[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180720002704.GA20844@nautica>
Date: Fri, 20 Jul 2018 02:27:05 +0200
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: syzbot <syzbot+b173e77096a8ba815511@...kaller.appspotmail.com>,
jack@...e.cz, jlayton@...hat.com, syzkaller-bugs@...glegroups.com,
linux-kernel@...r.kernel.org, willy@...radead.org,
linux-mm@...ck.org, v9fs-developer@...ts.sourceforge.net,
mgorman@...hsingularity.net
Subject: Re: [V9fs-developer] KASAN: use-after-free Read in
generic_perform_write
Andrew Morton wrote on Thu, Jul 19, 2018:
> On Thu, 19 Jul 2018 11:01:01 -0700 syzbot <syzbot+b173e77096a8ba815511@...kaller.appspotmail.com> wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 1c34981993da Add linux-next specific files for 20180719
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16e6ac44400000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=7002497517b09aec
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b173e77096a8ba815511
> > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
>
> Thanks. I cc'ed v9fs-developer, optimistically. That list manager is
> weird :(
I agree that list is weird, does anyone know the reason v9fs-developer
is not a vger.k.o list? Or a reason not to change? It's still not too
late...
> I'm suspecting v9fs. Does that fs attempt to write to the fs from a
> kmalloced buffer?
Difficult to say without any idea of what syzkaller tried doing, but it
looks like it hook'd up a fd opened to a local ext4 file into a trans_fd
mount; so sending a packet to the "server" would trigger a local write
instead.
The reason it's freed too early probably is that the reply came from a
read before the write happened; this is going to be tricky to fix as
that write is 100% asynchronous without any feedback right now (the
design assumes that the write has to have finished by the time reply
came), but if we want to protect ourselves from rogue servers we'll have
to think about something.
I'll write it down to not forget, thanks for the cc.
--
Dominique Martinet
Powered by blists - more mailing lists