lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACkBjsa3Fqkp-OkHFQ0LCL+VbP2H3xvpaArFkTPsdw8Cka27sw@mail.gmail.com>
Date:   Fri, 17 Sep 2021 09:01:50 +0800
From:   Hao Sun <sunhao.th@...il.com>
To:     Jason Gunthorpe <jgg@...pe.ca>
Cc:     dledford@...hat.com, linux-rdma@...r.kernel.org, leon@...nel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Jason Gunthorpe <jgg@...pe.ca> 于2021年9月17日周五 上午2:35写道:
>
> On Tue, Apr 13, 2021 at 10:19:25PM +0800, Hao Sun wrote:
> > Jason Gunthorpe <jgg@...pe.ca> 于2021年4月13日周二 下午9:45写道:
> > >
> > > On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > > > Jason Gunthorpe <jgg@...pe.ca> 于2021年4月13日周二 下午9:34写道:
> > > > >
> > > > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > > > Hi
> > > > > >
> > > > > > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > > > > > the Linux kernel, I found two use-after-free bugs which have been
> > > > > > reported a long time ago by Syzbot.
> > > > > > Although the corresponding patches have been merged into upstream,
> > > > > > these two bugs can still be triggered easily.
> > > > > > The original information about Syzbot report can be found here:
> > > > > > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > > > > > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > > > >
> > > > > Then why hasn't syzbot seen this in a year's time? Seems strange
> > > > >
> > > >
> > > > Seems strange to me too, but the fact is that the reproduction program
> > > > in attachment can trigger these two bugs quickly.
> > >
> > > Do you have this in the C format?
> > >
> >
> > Just tried to use syz-prog2c to convert the repro-prog to C format.
> > The repro program of  rdma_listen was successfully reproduced
> > (uploaded in attachment), the other one failed. it looks like
> > syz-prog2c may not be able to do the equivalent conversion.
> > You can use syz-execprog to execute the reprogram directly, this
> > method can reproduce both crashes, I have tried it.
>
> Can you check this patch that should solve it?
>
> https://patchwork.kernel.org/project/linux-rdma/patch/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com/
>

Just executed the original Syz prog on the latest Linux kernel
(ff1ffd71d5f0 Merge tag 'hyperv-fixes-signed-20210915'), it did not
crash the kernel. I've checked that the above patch has not been
merged into the latest commit. Therefore, there might be some other
commits that fixed that issue.

Regards
Hao

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ