Message-ID: <CANp29Y7YgoherVOp+Pv9+zMo+7e3XAOKMNV-FWfRUAu6STDboQ@mail.gmail.com>
Date: Mon, 27 Jan 2025 19:50:34 +0100
From: Aleksandr Nogikh <nogikh@...gle.com>
To: Carlos Llamas <cmllamas@...gle.com>
Cc: syzbot <syzbot+7015dcf45953112c8b45@...kaller.appspotmail.com>, 
	Li Li <dualli@...gle.com>, arve@...roid.com, brauner@...nel.org, 
	gregkh@...uxfoundation.org, joel@...lfernandes.org, 
	linux-kernel@...r.kernel.org, linux-next@...r.kernel.org, maco@...roid.com, 
	sfr@...b.auug.org.au, surenb@...gle.com, syzkaller-bugs@...glegroups.com, 
	tkjos@...roid.com
Subject: Re: [syzbot] [kernel?] linux-next test error: KASAN:
 slab-use-after-free Write in binder_add_device

On Thu, Jan 23, 2025 at 5:49 PM Carlos Llamas <cmllamas@...gle.com> wrote:
>
> On Thu, Jan 23, 2025 at 01:32:29PM +0100, Aleksandr Nogikh wrote:
> > The problem began to appear after:
> >
> > commit 12d909cac1e1c4147cc3417fee804ee12fc6b984
> > Author: Li Li <dualli@...gle.com>
> > Date:   Wed Dec 18 13:29:34 2024 -0800
> >
> >     binderfs: add new binder devices to binder_devices
> >
>
> Correct. I tried to mark this commit with a #syz blame or something but
> I couldn't find anything.

That's not supported at the moment. I've just added a +1 to our
related backlog issue:
https://github.com/google/syzkaller/issues/3491.

> The problem here is we add binderfs devices to
> the binder_devices list but we don't remove them when these are kfreed
> e.g. during umount.
>
> This is then fairly easy to reproduce, something like:
>   $ mount -t binder binder /dev/binderfs
>   $ umount /dev/binderfs
>   $ mount -t binder binder /dev/binderfs
>
> It should be a simple fix. I'll send a patch later today.

Thanks for having taken a look and fixing this bug!

-- 
Aleksandr

>
> Thanks,
> --
> Carlos Llamas
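
The bug class described in the quoted text (an object stays on a global list after it is freed, so the next list insertion writes into freed memory), as an added userspace model that is not code from the thread or from the kernel. All names are hypothetical, and the doubly linked list and the `live` flag standing in for "kfreed" are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace model, all names hypothetical. Pool slots stand in for
 * kmalloc'd devices; live == false stands in for "already kfreed", so a
 * stale list entry can be detected without touching freed memory. */
struct dev { struct dev *next, *prev; bool live; };

static struct dev pool[8];   /* constructed backing store, never reused */
static size_t used;
static struct dev *head;     /* global list that outlives each mount */
static int stale_writes;     /* writes a sanitizer would report as UAF */

/* mount: allocate a device and push it on the global list. */
static struct dev *dev_add(void)
{
    struct dev *d = &pool[used++];
    d->live = true;
    d->prev = NULL; d->next = head;
    if (head) {
        if (!head->live) stale_writes++;  /* linking writes into a freed node */
        head->prev = d;
    }
    head = d;
    return d;
}

/* umount, buggy: the object is released but stays reachable from the list. */
static void dev_free_buggy(struct dev *d) { d->live = false; }

/* umount, fixed: unlink from the list first, then release. */
static void dev_free_fixed(struct dev *d)
{
    if (d->prev) d->prev->next = d->next; else head = d->next;
    if (d->next) d->next->prev = d->prev;
    d->live = false;
}

/* mount, umount, mount: returns the number of writes into freed nodes. */
static int remount(bool fixed)
{
    memset(pool, 0, sizeof(pool)); used = 0; head = NULL; stale_writes = 0;
    struct dev *d = dev_add();
    if (fixed) dev_free_fixed(d); else dev_free_buggy(d);
    dev_add();
    return stale_writes;
}

int main(void) { return !(remount(false) == 1 && remount(true) == 0); }
```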
