Message-ID: <20250709020610.3080-1-hdanton@sina.com>
Date: Wed,  9 Jul 2025 10:06:09 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+a6ffe86390c8a6afc818@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [rdma?] KASAN: slab-use-after-free Read in ucma_create_uevent

> Date: Tue, 08 Jul 2025 17:12:26 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d006330be3f7 Merge tag 'sound-6.16-rc6' of git://git.kerne..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13e4bf70580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8fa6c6703a4b2315
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6ffe86390c8a6afc818
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17e4bf70580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14f6ca8c580000

#syz test

--- x/drivers/infiniband/core/ucma.c
+++ y/drivers/infiniband/core/ucma.c
@@ -272,8 +272,24 @@ static struct ucma_event *ucma_create_ue
 	case RDMA_CM_EVENT_MULTICAST_ERROR:
 		uevent->mc = (struct ucma_multicast *)
 			     event->param.ud.private_data;
-		uevent->resp.uid = uevent->mc->uid;
-		uevent->resp.id = uevent->mc->id;
+		do {
+			struct ucma_multicast *mc;
+			int err = 1;
+
+			xa_lock(&multicast_table);
+			list_for_each_entry(mc, &ctx->mc_list, list)
+				if (mc == uevent->mc) {
+					uevent->resp.uid = uevent->mc->uid;
+					uevent->resp.id = uevent->mc->id;
+					err = 0;
+					break;
+				}
+			xa_unlock(&multicast_table);
+			if (err) {
+				kfree(uevent);
+				return NULL;
+			}
+		} while (0);
 		break;
 	default:
 		uevent->resp.uid = ctx->uid;
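Review bot: The walk of ctx->mc_list in the RDMA_CM_EVENT_MULTICAST_ERROR case runs under xa_lock(&multicast_table), but nothing in this hunk shows that the xarray lock is what serializes additions to and removals from ctx->mc_list. If the list is guarded by a different lock, the lookup itself can race with a concurrent leave. Please take the lock that actually protects the list, or say in a comment why the xarray lock is sufficient. Two further points on the same block. First, the validity check is a pointer comparison (mc == uevent->mc), so it cannot tell the original entry from a later allocation that reuses the same address, and uevent->mc stays set after xa_unlock(), so a free that happens right after the unlock leaves the event holding a stale pointer again. Copying uid and id under the lock fixes the read shown here but not later users of uevent->mc. Second, the new failure path does kfree(uevent) and returns NULL; please confirm every caller already treats NULL from this function as a dropped event. On style, the do { } while (0) wrapper only exists to scope mc and err; a small helper function or declarations at the top of the function would read better, and the multi-line body of list_for_each_entry should have braces.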
--
