| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dddafeb7-95a2-52e3-57fa-62c6e4c5b832@gmail.com>
Date: Wed, 5 Jun 2019 09:48:58 -0600
From: David Ahern <dsahern@...il.com>
To: syzbot <syzbot+a9e23ea2aa21044c2798@...kaller.appspotmail.com>,
davem@...emloft.net, kuznet@....inr.ac.ru,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com, yoshfuji@...ux-ipv6.org
Subject: Re: KASAN: slab-out-of-bounds Read in rt_cache_valid
On 6/3/19 11:10 PM, syzbot wrote:
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190
> net/ipv4/route.c:1556
> Read of size 2 at addr ffff8880654f3ac7 by task syz-executor.0/26603
>
> CPU: 0 PID: 26603 Comm: syz-executor.0 Not tainted 5.2.0-rc2+ #9
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
> __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
> kasan_report+0x12/0x20 mm/kasan/common.c:614
> __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:130
> rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556
> __mkroute_output net/ipv4/route.c:2332 [inline]
This one appears to be a use after free. The fib entry is still live (in
the FIB) and the cached entry is still attached. Perhaps one too many
puts on the dst_entry.
Powered by blists - more mailing lists