Message-ID: <20250319234912.GH126678@ziepe.ca>
Date: Wed, 19 Mar 2025 20:49:12 -0300
From: Jason Gunthorpe <jgg@...pe.ca>
To: syzbot <syzbot+17fb1664c4f5a2eeb36f@...kaller.appspotmail.com>
Cc: leon@...nel.org, linux-kernel@...r.kernel.org,
linux-rdma@...r.kernel.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [rdma?] KASAN: slab-use-after-free Read in
ib_device_uevent (2)
On Sun, Feb 16, 2025 at 01:55:20PM -0800, syzbot wrote:
> CPU: 1 UID: 0 PID: 6903 Comm: udevd Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
> add_uevent_var+0x17c/0x3a0 lib/kobject_uevent.c:679
> ib_device_uevent+0x4e/0xb0 drivers/infiniband/core/device.c:502
> dev_uevent+0x28b/0x770 drivers/base/core.c:2673
>
> Allocated by task 12483:
> kvasprintf_const+0x164/0x1a0 lib/kasprintf.c:46
> kobject_set_name_vargs+0x5a/0x140 lib/kobject.c:274
> dev_set_name+0xc8/0x100 drivers/base/core.c:3468
> assign_name drivers/infiniband/core/device.c:1202 [inline]
> ib_register_device+0x7e0/0xdf0 drivers/infiniband/core/device.c:1384
> siw_device_register drivers/infiniband/sw/siw/siw_main.c:72 [inline]
> Freed by task 12485:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
> kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2353 [inline]
> slab_free mm/slub.c:4609 [inline]
> kfree+0x2c4/0x4d0 mm/slub.c:4757
> kfree_const+0x55/0x60 mm/util.c:43
> kobject_rename+0x179/0x260 lib/kobject.c:524
> device_rename+0x130/0x230 drivers/base/core.c:4525
> ib_device_rename+0x114/0x5c0 drivers/infiniband/core/device.c:402
This looks like it is racing siw_device_register() with
ib_device_rename() ??
Which suggests we don't have the right protection in
ib_device_rename() to not act on devices that are yet to be fully
registered.
Jason
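The kind of gate the reply above calls for, as an added example that is not code from the thread or from the kernel tree: a user-space model in which rename refuses to touch a device that is not yet fully registered, and in which the name pointer is swapped under a lock and the old buffer released only afterwards, so a concurrent reader (standing in for the uevent path) can never see a freed name. The type and function names (model_dev, model_dev_*), the three-state lifecycle and the split of registration into a start and a finish step are all assumptions made for the model, not the RDMA core's actual API.

```c
/* Added example, not code from the thread or the kernel tree: a user-space
 * model of the protection Jason describes, a rename path that refuses to act
 * on a device that is not yet fully registered. The names (model_dev,
 * model_dev_*) and the three-state lifecycle are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum dev_state { DEV_UNREGISTERED, DEV_REGISTERING, DEV_REGISTERED };

struct model_dev {
    atomic_flag lock;       /* spinlock protecting state and name */
    enum dev_state state;
    char *name;             /* heap buffer, standing in for the kobject name */
};
#define MODEL_DEV_INIT { .lock = ATOMIC_FLAG_INIT, .state = DEV_UNREGISTERED, .name = NULL }

static void dev_lock(struct model_dev *d) {
    while (atomic_flag_test_and_set_explicit(&d->lock, memory_order_acquire))
        ;
}
static void dev_unlock(struct model_dev *d) {
    atomic_flag_clear_explicit(&d->lock, memory_order_release);
}

/* First half of registration: the name now exists but the device is not yet
 * published. This is the window in which a rename must be refused. */
int model_dev_register_start(struct model_dev *d, const char *name) {
    char *copy = strdup(name);
    if (!copy)
        return -ENOMEM;
    dev_lock(d);
    if (d->state != DEV_UNREGISTERED) {
        dev_unlock(d);
        free(copy);
        return -EBUSY;
    }
    d->name = copy;
    d->state = DEV_REGISTERING;
    dev_unlock(d);
    return 0;
}

/* Second half: publish the device as fully registered. */
void model_dev_register_finish(struct model_dev *d) {
    dev_lock(d);
    d->state = DEV_REGISTERED;
    dev_unlock(d);
}

/* Rename checks the state and swaps the pointer under the lock, and frees the
 * old buffer only after no reader can still be looking at it. */
int model_dev_rename(struct model_dev *d, const char *new_name) {
    char *old, *fresh = strdup(new_name);
    if (!fresh)
        return -ENOMEM;
    dev_lock(d);
    if (d->state != DEV_REGISTERED) {
        dev_unlock(d);
        free(fresh);
        return -ENODEV;
    }
    old = d->name;
    d->name = fresh;
    dev_unlock(d);
    free(old);
    return 0;
}

/* Reader, standing in for a uevent handler: copies the name under the lock. */
int model_dev_get_name(struct model_dev *d, char *buf, size_t len) {
    dev_lock(d);
    if (!d->name) {
        dev_unlock(d);
        return -ENODEV;
    }
    snprintf(buf, len, "%s", d->name);
    dev_unlock(d);
    return 0;
}

/* Walks the lifecycle in order; returns 0 when every step behaves as intended,
 * otherwise a bitmask of the steps that did not. */
int model_selftest(void) {
    struct model_dev d = MODEL_DEV_INIT;
    char buf[16];
    int rc = 0;

    if (model_dev_rename(&d, "siw1") != -ENODEV) rc |= 1;  /* never registered */
    if (model_dev_register_start(&d, "siw0") != 0) rc |= 2;
    if (model_dev_rename(&d, "siw1") != -ENODEV) rc |= 4;  /* mid-registration */
    model_dev_register_finish(&d);
    if (model_dev_rename(&d, "siw1") != 0) rc |= 8;        /* fully registered */
    if (model_dev_get_name(&d, buf, sizeof buf) != 0 || strcmp(buf, "siw1") != 0) rc |= 16;
    free(d.name);
    return rc;
}
```

Two details carry the weight here: the state check lives under the same lock that protects the name, so a rename cannot slip into the gap between the name being assigned and the device being published; and the old buffer is freed only after the lock is dropped, so the reader's copy-under-lock can never be racing a kfree of the pointer it just loaded.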