Message-ID: <20250625071208.1726-1-hdanton@sina.com>
Date: Wed, 25 Jun 2025 15:12:07 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+e04e2c007ba2c80476cb@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh

> Date: Mon, 21 Apr 2025 19:40:26 -0700
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    9d7a0577c9db gcc-15: disable '-Wunterminated-string-initia..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=139b5ccc580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=efa83f9a6dd67d67
> dashboard link: https://syzkaller.appspot.com/bug?extid=e04e2c007ba2c80476cb
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15652c70580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17676c70580000

#syz test upstream master

--- x/net/rose/rose_route.c
+++ y/net/rose/rose_route.c
@@ -500,6 +500,7 @@ void rose_rt_device_down(struct net_devi
 			for (i = 0; i < t->count; i++) {
 				if (t->neighbour[i] != s)
 					continue;
+				t->neighbour[i] = NULL;
 
 				t->count--;
 
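Review bot: the new `t->neighbour[i] = NULL;` sits directly before `t->count--` inside a loop bounded by `i < t->count`, so whether the cleared slot ends up inside or outside the range that readers walk depends on the code after the decrement, which this hunk does not show. If the remaining entries are shifted down afterwards, the NULL can be overwritten and the store has no effect; if they are not, a NULL hole can stay below `count` while the last live entry drops out of range. Please say in the changelog which case holds and which lock orders this store against the loops in rose_get_neigh().
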
@@ -689,6 +690,8 @@ struct rose_neigh *rose_get_neigh(rose_a
 	for (node = rose_node_list; node != NULL; node = node->next) {
 		if (rosecmpm(addr, &node->address, node->mask) == 0) {
 			for (i = 0; i < node->count; i++) {
+				if (!node->neighbour[i])
+					continue;
 				if (node->neighbour[i]->restarted) {
 					res = node->neighbour[i];
 					goto out;
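Review bot: the added guard tests `node->neighbour[i]`, but the next lines load the same slot again for `->restarted` and for `res`, so the check and the dereference are separate reads of the array. Unless this loop and the store in rose_rt_device_down() run under the same lock, the slot can change between those reads; read it once into a local (for example `struct rose_neigh *n = node->neighbour[i];`) and test and use `n`, or state which lock makes the re-read safe. The guard also only covers a slot that has been cleared; it does nothing for a pointer that is still non-NULL but already freed, which is the case a slab-use-after-free read describes.
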
@@ -700,6 +703,8 @@ struct rose_neigh *rose_get_neigh(rose_a
 		for (node = rose_node_list; node != NULL; node = node->next) {
 			if (rosecmpm(addr, &node->address, node->mask) == 0) {
 				for (i = 0; i < node->count; i++) {
+					if (!node->neighbour[i])
+						continue;
 					if (!rose_ftimer_running(node->neighbour[i])) {
 						res = node->neighbour[i];
 						goto out;
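Review bot: this repeats the two-line guard from the first loop, now ahead of `rose_ftimer_running(node->neighbour[i])`, which makes a NULL entry below `node->count` a legal state of the array. The patch adds the guard only to the two loops in rose_get_neigh(); any other walker of `neighbour[]` bounded by `count` needs the same treatment, so please audit those or add a comment at the array's definition saying that slots may be NULL. A small helper shared by both loops would also avoid duplicating the check.
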
--
