Message-ID: <Z-XOvkE-i2fEtRZS@codewreck.org>
Date: Fri, 28 Mar 2025 07:18:38 +0900
From: asmadeus@...ewreck.org
To: syzbot <syzbot+62262fdc0e01d99573fc@...kaller.appspotmail.com>
Cc: brauner@...nel.org, dhowells@...hat.com, ericvh@...nel.org,
	jack@...e.cz, jlayton@...nel.org, kprateek.nayak@....com,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux_oss@...debyte.com, lucho@...kov.net, mjguzik@...il.com,
	netfs@...ts.linux.dev, oleg@...hat.com, swapnil.sapkal@....com,
	syzkaller-bugs@...glegroups.com, v9fs@...ts.linux.dev,
	viro@...iv.linux.org.uk
Subject: Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter

syzbot wrote on Thu, Mar 27, 2025 at 02:19:03PM -0700:
> BUG: KASAN: slab-use-after-free in p9_conn_cancel+0x900/0x910 net/9p/trans_fd.c:205
> Read of size 8 at addr ffff88807b19ea50 by task syz-executor/6595

Ugh, why...
Ah, if ->request() fails p9_client_rpc assumes the request was not
written (e.g. write error), so you can't return an error after the
list_add_tail call in p9_fd_request.

I think you can call p9_conn_cancel with the error and return 0 anyway,
and this particular workaround will probably work, regardless of whether
it's the correct thing to do here (still haven't had time to look at the
patch here)

Sorry for this mess (even if most of it predates me...)
-- 
Dominique
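
Added example, not part of the original mail and not kernel code: a userspace C model of the contract described above, where the caller treats an error from the request hook as "never queued" and releases the request. All names here are hypothetical stand-ins, the free is modelled by a state flag, and the workaround shape is the one the mail suggests, not a verified fix.

```c
#include <stdio.h>
/* Userspace model; every name here is hypothetical, not kernel code. */
enum state { ST_NEW, ST_QUEUED, ST_ERROR, ST_FREED };
struct req  { enum state st; int err; struct req *next; };
struct conn { struct req *queue; int broken; };
typedef int (*request_fn)(struct conn *, struct req *);
int last_rpc_err;   /* error the caller saw in the last dangling_after() run */

static void enqueue(struct conn *c, struct req *r) {
    r->st = ST_QUEUED; r->next = c->queue; c->queue = r;
}

/* Cancel the connection: unlink every queued request and fail it. */
static void conn_cancel(struct conn *c, int err) {
    while (c->queue) {
        struct req *r = c->queue;
        c->queue = r->next; r->next = NULL;
        r->st = ST_ERROR; r->err = err;
    }
}

/* Breaks the contract: returns an error after the request is queued. */
static int request_buggy(struct conn *c, struct req *r) {
    enqueue(c, r);
    return c->broken ? -5 : 0;            /* -5 stands in for -EIO */
}

/* Shape suggested in the mail: cancel with the error, return 0 anyway. */
static int request_workaround(struct conn *c, struct req *r) {
    enqueue(c, r);
    if (c->broken) conn_cancel(c, -5);
    return 0;
}

/* Caller: an error from request() is taken to mean "never queued". */
static int rpc(struct conn *c, struct req *r, request_fn request) {
    int err = request(c, r);
    if (err) { r->st = ST_FREED; return err; }  /* stands in for the free */
    return r->st == ST_ERROR ? r->err : 0;      /* error via request status */
}

/* Released requests still reachable from the queue after one failed RPC. */
int dangling_after(request_fn request) {
    struct conn c = { NULL, 1 };                /* constructed: broken conn */
    struct req r = { ST_NEW, 0, NULL };
    int n = 0;
    last_rpc_err = rpc(&c, &r, request);
    for (struct req *p = c.queue; p; p = p->next) n += (p->st == ST_FREED);
    return n;
}
int main(void) {
    printf("buggy=%d\n", dangling_after(request_buggy));
    printf("workaround=%d\n", dangling_after(request_workaround));
}
```

In both variants the caller still sees the error; only the buggy one leaves a released request linked on the queue, which is the condition a later walk of that queue would trip over.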
