| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Yun0/rDv4ptBl65S@sol.localdomain>
Date: Tue, 2 Aug 2022 21:09:34 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Siddh Raman Pant <code@...dh.me>
Cc: syzbot <syzbot+c70d87ac1d001f29a058@...kaller.appspotmail.com>,
hdanton <hdanton@...a.com>,
linux-kernel <linux-kernel@...r.kernel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in post_one_notification
On Wed, Aug 03, 2022 at 09:34:10AM +0530, Siddh Raman Pant wrote:
> On Wed, 03 Aug 2022 03:57:19 +0530 Eric Biggers <ebiggers@...nel.org> wrote:
> > It appears this was already fixed, so no need for any more activity on this bug:
> >
> > #syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly
> >
> > - Eric
>
> It doesn't address the dangling pointer remaining in the watch_queue,
> which was the root cause of this crash. The use-after-free happened
> because the pipe was freed but a dangling pointer of it remained in
> a watch_queue, and an attempt to dereference it was there.
>
I don't think that's true; the pointer doesn't get dereferenced after
watch_queue::defunct is set. See my message on the other thread where I
explained this: https://lore.kernel.org/lkml/YunKlJCDlmyn2hJ4@sol.localdomain
Of course, if you actually have a reproducer, or a KASAN report, or anything at
all that shows there is still a problem, then please post it.
- Eric
Powered by blists - more mailing lists