| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 May 2023 07:19:57 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Fedor Pchelkin <pchelkin@...ras.ru>,
Guoqing Jiang <guoqing.jiang@...ux.dev>
Cc: syzbot <syzbot+79f283f1f4ccc6e8b624@...kaller.appspotmail.com>,
bmt@...ich.ibm.com, jgg@...pe.ca, leon@...nel.org,
linux-kernel@...r.kernel.org, linux-rdma@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
lvc-project@...uxtesting.org
Subject: Re: [syzbot] [rdma?] KASAN: slab-use-after-free Read in
siw_query_port
On 2023/05/19 5:21, Fedor Pchelkin wrote:
> On our local Syzkaller instance the bug started to be caught after
> 266e9b3475ba ("RDMA/siw: Remove namespace check from siw_netdev_event()")
> so CC'ing Tetsuo Handa if maybe he would be also interested in the bug.
UAF could not be observed until that commit because hung task was observed
until that commit because syzkaller is testing non init_net namespace.
> This fix seems to be good and perhaps it just made a bigger opportunity
> for the UAF bug to happen. Actually, the C repro was taken from there [2].
>
> With your suggested solution the UAF is not reproduced. I don't know the
> exact reasons why dev_put() was placed before calling query_port() but the
> context implies that netdev can be freed in that period. And some of
> ->query_port() realizations may touch netdev. So it seems reasonable to
> move ref count put after performing query_port().
Since ib_device_get_netdev() calls dev_hold() on success, I think that
we need to call dev_put() after query_port(). Please send as a formal patch.
Powered by blists - more mailing lists