lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 30 Nov 2020 10:43:46 -0700
From:   Jens Axboe <axboe@...nel.dk>
To:     Matthew Wilcox <willy@...radead.org>,
        Hillf Danton <hdanton@...a.com>
Cc:     syzbot <syzbot+12056a09a0311d758e60@...kaller.appspotmail.com>,
        io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in idr_for_each (2)

On 11/29/20 5:26 AM, Matthew Wilcox wrote:
> On Sun, Nov 29, 2020 at 07:34:29PM +0800, Hillf Danton wrote:
>>>  radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
>>>  idr_for_each+0x206/0x220 lib/idr.c:202
>>>  io_destroy_buffers fs/io_uring.c:8275 [inline]
>>
>> Matthew, can you shed any light on the link between the use of idr
>> routines and the UAF reported?
> 
> I presume it's some misuse of IDR by io_uring.  I'd rather io_uring
> didn't use the IDR at all.  This compiles; I promise no more than that.

Looks reasonable to me. Care to send as an actual patch?

This would just leave the personality idr as the last idr use case in
io_uring, hint hint :-)

Would be nice to fully understand why this issue exists with idr, I
don't immediately see anything wrong. But as I cannot even reproduce, I
can't verify that the xa version is sane wrt fixing it either...

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ