lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a00a16c1-22dc-a46d-d937-50cd7d082d91@iogearbox.net>
Date:   Fri, 19 Oct 2018 17:57:43 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     syzbot <syzbot+1651eee005f9de26ec35@...kaller.appspotmail.com>,
        davem@...emloft.net, john.fastabend@...il.com,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in sk_psock_link_pop

On 10/19/2018 05:54 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    3a3295bfa6f4 Merge branch 'sctp-fix-sk_wmem_queued-and-use..
> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=10a09791400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=133950703f7759f9
> dashboard link: https://syzkaller.appspot.com/bug?extid=1651eee005f9de26ec35
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> 
> Unfortunately, I don't have any reproducer for this crash yet.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+1651eee005f9de26ec35@...kaller.appspotmail.com
> 
> __nla_parse: 2 callbacks suppressed
> netlink: 20 bytes leftover after parsing attributes in process `syz-executor0'.
> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire+0x37c2/0x4ec0 kernel/locking/lockdep.c:3290
> Read of size 8 at addr ffff8801bcae2ff8 by task syz-executor3/30186
> 
> CPU: 0 PID: 30186 Comm: syz-executor3 Not tainted 4.19.0-rc7+ #266
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
>  print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
>  __lock_acquire+0x37c2/0x4ec0 kernel/locking/lockdep.c:3290
>  lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3900
>  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
>  _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
>  spin_lock_bh include/linux/spinlock.h:334 [inline]
[...]

Looking into it ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ