lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ba70b229-317b-9c2d-f3bb-5450eec85694@I-love.SAKURA.ne.jp>
Date:   Fri, 19 May 2023 07:19:57 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:     Fedor Pchelkin <pchelkin@...ras.ru>,
        Guoqing Jiang <guoqing.jiang@...ux.dev>
Cc:     syzbot <syzbot+79f283f1f4ccc6e8b624@...kaller.appspotmail.com>,
        bmt@...ich.ibm.com, jgg@...pe.ca, leon@...nel.org,
        linux-kernel@...r.kernel.org, linux-rdma@...r.kernel.org,
        syzkaller-bugs@...glegroups.com,
        Alexey Khoroshilov <khoroshilov@...ras.ru>,
        lvc-project@...uxtesting.org
Subject: Re: [syzbot] [rdma?] KASAN: slab-use-after-free Read in
 siw_query_port

On 2023/05/19 5:21, Fedor Pchelkin wrote:
> On our local Syzkaller instance the bug started to be caught after
> 266e9b3475ba ("RDMA/siw: Remove namespace check from siw_netdev_event()")
> so CC'ing Tetsuo Handa if maybe he would be also interested in the bug.

UAF could not be observed until that commit because hung task was observed
until that commit because syzkaller is testing non init_net namespace.

> This fix seems to be good and perhaps it just made a bigger opportunity
> for the UAF bug to happen. Actually, the C repro was taken from there [2].
> 
> With your suggested solution the UAF is not reproduced. I don't know the
> exact reasons why dev_put() was placed before calling query_port() but the
> context implies that netdev can be freed in that period. And some of
> ->query_port() realizations may touch netdev. So it seems reasonable to
> move ref count put after performing query_port().

Since ib_device_get_netdev() calls dev_hold() on success, I think that
we need to call dev_put() after query_port(). Please send as a formal patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ