lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 23 Jul 2021 19:36:11 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     syzbot <syzbot+e6741b97d5552f97c24d@...kaller.appspotmail.com>
Cc:     davem@...emloft.net, devicetree@...r.kernel.org,
        frowand.list@...il.com, gregkh@...uxfoundation.org,
        jmaloy@...hat.com, kuba@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, rafael@...nel.org, robh+dt@...nel.org,
        robh@...nel.org, syzkaller-bugs@...glegroups.com,
        tipc-discussion@...ts.sourceforge.net, ying.xue@...driver.com
Subject: Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg

On Sun, 18 Jul 2021 10:15:19 -0700
syzbot <syzbot+e6741b97d5552f97c24d@...kaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    ab0441b4a920 Merge branch 'vmxnet3-version-6'
> git tree:       net-next
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=1744ac6a300000 kernel
> config:  https://syzkaller.appspot.com/x/.config?x=da140227e4f25b17
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=e6741b97d5552f97c24d syz
> repro:
> https://syzkaller.appspot.com/x/repro.syz?x=13973a74300000 C
> reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ffc902300000
> 
> The issue was bisected to:
> 
> commit 67a3156453859ceb40dc4448b7a6a99ea0ad27c7
> Author: Rob Herring <robh@...nel.org>
> Date:   Thu May 27 19:45:47 2021 +0000
> 
>     of: Merge of_address_to_resource() and
> of_pci_address_to_resource() implementations
> 
> bisection log:
> https://syzkaller.appspot.com/x/bisect.txt?x=129b0438300000 final
> oops:     https://syzkaller.appspot.com/x/report.txt?x=119b0438300000
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=169b0438300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit: Reported-by:
> syzbot+e6741b97d5552f97c24d@...kaller.appspotmail.com Fixes:
> 67a315645385 ("of: Merge of_address_to_resource() and
> of_pci_address_to_resource() implementations")
> 
> ==================================================================
> BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90
> net/tipc/socket.c:1979 Read of size 4 at addr ffff8880328cf1c0 by
> task kworker/u4:0/8
> 

Since code accesing skb_cb after possible kfree_skb() call let's just
store bytes_read to variable and use it instead of acessing
skb_cb->bytes_read

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master



With regards,
Pavel Skripkin

View attachment "0001-tipc-fix-use-after-free-in-tipc_recvmsg.patch" of type "text/x-patch" (1232 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ