Date:	Sat, 21 Sep 2013 11:08:06 -0700
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Dmitry Vyukov <dvyukov@...gle.com>, yoshfuji@...ux-ipv6.org,
	netdev@...r.kernel.org, Paul Turner <pjt@...gle.com>,
	Andrey Konovalov <andreyknvl@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Tom Herbert <therbert@...gle.com>
Subject: Re: Potential out-of-bounds access in ip6_finish_output2

On Sat, Sep 21, 2013 at 8:14 AM, Hannes Frederic Sowa
<hannes@...essinduktion.org> wrote:
> On Wed, Sep 18, 2013 at 12:48:51AM +0200, Hannes Frederic Sowa wrote:
>> On Mon, Sep 16, 2013 at 10:13:10PM -0700, Dmitry Vyukov wrote:
>> > I am working on AddressSanitizer -- a tool that detects use-after-free
>> > and out-of-bounds bugs
>> > (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
>> >
>> > I've got a dozen reports in ip6_finish_output2. Below are 2 of
>> > them. They are always followed by a kernel crash. Unfortunately I don't
>> > have a reproducer because I am using the trinity fuzzer. I would
>> > appreciate it if somebody familiar with the code could look at the sources
>> > and maybe spot the bug.
>>
>> Thanks for the report!
>>
>> I tried reproducing the bug and hit some other bugs nearby. I'll try to fix
>> them, but this could take some time.
>
> I fixed the first bug I encountered with trinity here:
> http://patchwork.ozlabs.org/patch/276835/
>
> The main cause of this bug has nothing to do with raw sockets, so I first
> thought they were not related. But I let my machine run trinity while
> I was sleeping and did not see any other splats (I manually added some
> range checks in ip6_append_data). So maybe your bug happened because of the
> premature exit in the dontfrag check without resetting cork->length. Maybe
> you could give this patch a try? I'll have a second look later today.


Hi Hannes!

Testing now with your patch.
I've seen this report very few times, so it will be difficult to say
if it's not happening any more or just not triggered.