lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 13 Apr 2021 22:19:25 +0800
From:   Hao Sun <sunhao.th@...il.com>
To:     Jason Gunthorpe <jgg@...pe.ca>
Cc:     dledford@...hat.com, linux-rdma@...r.kernel.org, leon@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Jason Gunthorpe <jgg@...pe.ca> 于2021年4月13日周二 下午9:45写道:
>
> On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > Jason Gunthorpe <jgg@...pe.ca> 于2021年4月13日周二 下午9:34写道:
> > >
> > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > Hi
> > > >
> > > > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > > > the Linux kernel, I found two use-after-free bugs which have been
> > > > reported a long time ago by Syzbot.
> > > > Although the corresponding patches have been merged into upstream,
> > > > these two bugs can still be triggered easily.
> > > > The original information about Syzbot report can be found here:
> > > > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > > > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > >
> > > Then why hasn't syzbot seen this in a year's time? Seems strange
> > >
> >
> > Seems strange to me too, but the fact is that the reproduction program
> > in attachment can trigger these two bugs quickly.
>
> Do you have this in the C format?
>

Just tried to use syz-prog2c to convert the repro-prog to C format.
The repro program of  rdma_listen was successfully reproduced
(uploaded in attachment), the other one failed. it looks like
syz-prog2c may not be able to do the equivalent conversion.
You can use syz-execprog to execute the reprogram directly, this
method can reproduce both crashes, I have tried it.

For reproduction prog of  cma_cancel_operation,  using syz-execprog
can run this reproduction program directly:
 ./syz-execprog  -threaded -repeat 0 -procs 2 -slowdown 1 -enable tun
-enable netdev -enable resetnet -enable cgroups -enable binfmt-misc
-enable close_fds -enable devlinkpci -enable usb -enable vhci -enable
wifi -enable ieee802154 -enable sysctl repro.prog

View attachment "repro_rdma.c" of type "text/plain" (9921 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ