lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240907053953.60412-1-kuniyu@amazon.com>
Date: Fri, 6 Sep 2024 22:39:53 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <rao.shoaib@...cle.com>
CC: <davem@...emloft.net>, <edumazet@...gle.com>, <kuba@...nel.org>,
	<kuniyu@...zon.com>, <linux-kernel@...r.kernel.org>,
	<netdev@...r.kernel.org>, <pabeni@...hat.com>,
	<syzbot+8811381d455e3e9ec788@...kaller.appspotmail.com>,
	<syzkaller-bugs@...glegroups.com>
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in unix_stream_read_actor (2)

From: Shoaib Rao <rao.shoaib@...cle.com>
Date: Fri, 6 Sep 2024 22:06:27 -0700
> I have tried reproducing using the newly added tests but no luck. I will 
> keep trying but if there is another occurrence please let me know. I am 
> using an AMD system but that should not have any impact.
[...]
> +TEST_F(msg_oob, ex_oob_oob)
> +{
> +       sendpair("x", 1, MSG_OOB);
> +       epollpair(true);
> +       siocatmarkpair(true);
> +
> +       recvpair("x", 1, 1, MSG_OOB);
> +       epollpair(false);
> +       siocatmarkpair(true);
> +
> +       sendpair("y", 1, MSG_OOB);
> +       epollpair(true);
> +       siocatmarkpair(true);

The test fails on this line because SIOCATMARK has yet another bug
triggered by the same pattern, and my patch also fixes that.

If you remove this line, you'll see this failure on the following
recvpair("", -EAGAIN, 1, 0).

---8<---
# msg_oob.c:234:ex_oob_oob:AF_UNIX :y
# msg_oob.c:235:ex_oob_oob:Expected:Resource temporarily unavailable
# msg_oob.c:237:ex_oob_oob:Expected ret[0] (1) == expected_len (-1)
# ex_oob_oob: Test terminated by assertion
#          FAIL  msg_oob.peek.ex_oob_oob
not ok 31 msg_oob.peek.ex_oob_oob
---8<---

This failure means recv() without MSG_OOB expects -EAGAIN because
no data has been sent on the normal stream, but actually the recv()
returns 1 byte OOB data.

This is the same result triggered by the syzbot's repro.

I don't know why KASAN does not show a splat on your setup, but what
we need to do is not run the syz repro blindly and just wait a splat,
rather carefully analyse the sequence of syscalls and each consequence.

Sometimes I fixes bugs from the syzkaller's strace log without repro.

This time, the fact that recv() without MSG_OOB returns OOB data is
the clear sign that something went wrong.

You need not rely on KASAN.


> +
> +       recvpair("", -EAGAIN, 1, 0);
> +       epollpair(false);
> +       siocatmarkpair(false);
> +
> +       recvpair("", -EINVAL, 1, MSG_OOB);
> +       epollpair(false);
> +       siocatmarkpair(false);
> +}
[...]
> #  RUN           msg_oob.no_peek.ex_oob_oob ...
> # msg_oob.c:305:ex_oob_oob:Expected answ[0] (0) == oob_head (1)
> # ex_oob_oob: Test terminated by assertion
> #          FAIL  msg_oob.no_peek.ex_oob_oob

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ