| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241011134124.3048936-1-snovitoll@gmail.com> Date: Fri, 11 Oct 2024 18:41:24 +0500 From: Sabyrzhan Tasbolatov <snovitoll@...il.com> To: eadavis@...com Cc: davem@...emloft.net, edumazet@...gle.com, kernel@...gutronix.de, kuba@...nel.org, leitao@...ian.org, linux-can@...r.kernel.org, linux-kernel@...r.kernel.org, mkl@...gutronix.de, netdev@...r.kernel.org, o.rempel@...gutronix.de, pabeni@...hat.com, robin@...tonic.nl, socketcan@...tkopp.net, syzbot+ad601904231505ad6617@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com, snovitoll@...il.com Subject: Re: [PATCH net-next V2] can: j1939: fix uaf warning in j1939_session_destroy On Thu, 8 Aug 2024 19:07:55 +0800, Edward Adam Davis wrote: > On Thu, 8 Aug 2024 09:49:18 +0200, Oleksij Rempel wrote: > > > the skb to the queue and increase the skb reference count through it. > > > > > > Reported-and-tested-by: syzbot+ad601904231505ad6617@...kaller.appspotmail.com > > > Closes: https://syzkaller.appspot.com/bug?extid=ad601904231505ad6617 > > > Signed-off-by: Edward Adam Davis <eadavis@...com> > > > > This patch breaks j1939. > > The issue can be reproduced by running following commands: > I tried to reproduce the problem using the following command, but was > unsuccessful. Prompt me to install j1939cat and j1939acd, and there are > some other errors. > > Can you share the logs from when you reproduced the problem? Hello, Here is the log of can-tests/j1939/run_all.sh: # ip link add type vcan # ip l s dev vcan0 up # ./run_all.sh vcan0 vcan0 ############################################## run: j1939_ac_100k_dual_can.sh generate random data for the test 1+0 records in 1+0 records out 102400 bytes (102 kB, 100 KiB) copied, 0.00191192 s, 53.6 MB/s start j1939acd and j1939cat on vcan0 8321 8323 start j1939acd and j1939cat on vcan0 [ 132.211317][ T8326] vcan0: tx drop: invalid sa for name 0x0000000011223340 j1939cat: j1939cat_send_one: transfer error: -99: Cannot assign requested address It fails here: https://github.com/linux-can/can-tests/blob/master/j1939/j1939_ac_100k_dual_can.sh#L70 The error message is printed in this condition: https://elixir.bootlin.com/linux/v6.12-rc2/source/net/can/j1939/address-claim.c#L104-L108 I've applied your patch on the current 6.12.0-rc2 and the syzkaller C repro doesn't trigger WARNING uaf, refcount anymore though. == Offtopic: I wonder if can-tests/j1939 should be refactored from shell to C tests in the same linux-can/can-tests repository (or even migrate to KUnit tests) to improve debugging, test coverage. I'd like to understand which syscalls and params are used j1939cat and j1939acd utils -- currently, tracing with strace and trace-cmd (ftrace). > > git clone git@...hub.com:linux-can/can-tests.git > > cd can-tests/j1939/ > > ip link add type vcan > > ip l s dev vcan0 up > > ./run_all.sh vcan0 vcan0
Powered by blists - more mailing lists