| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20151207185218.GB22989@mrl.redhat.com> Date: Mon, 7 Dec 2015 16:52:18 -0200 From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> To: Dmitry Vyukov <dvyukov@...gle.com> Cc: Vlad Yasevich <vyasevich@...il.com>, netdev <netdev@...r.kernel.org>, Eric Dumazet <eric.dumazet@...il.com>, syzkaller <syzkaller@...glegroups.com>, linux-sctp@...r.kernel.org, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Sasha Levin <sasha.levin@...cle.com> Subject: Re: use-after-free in sctp_do_sm On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote: > On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner > <marcelo.leitner@...il.com> wrote: > > On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote: > >> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@...il.com> wrote: ... > >> > Hi Marcelo > >> > > >> > I think you also need to catch the SCTP_DISPOSITION_ABORT and update > >> > the pointer. There are some issues there though as some functions report > >> > that code without actually destroying the association. This happens when > >> > the ABORT chunk may be dropped. > >> > > >> > I think this might be why we still see the issue. > >> > >> > >> Marcelo, > >> > >> Is this info enough for you to cook another fix? > > > > Hi, I think so. I was really wondering how you could trigger that issue > > without the timestamp fix and Vlad's comment does shed some light on it. > > > > I'll do more tests later today, but what did you have connecting to the > > listening socket? Somehow you made that accept() call to return.. > > Local connect in another thread I guess. Vlad, I reviewed the places on which it returns SCTP_DISPOSITION_ABORT, and if I didn't miss something in there all of them either issue SCTP_CMD_ASSOC_FAILED or SCTP_CMD_INIT_FAILED before returning it, thus delaying DELETE_TCB and with that the asoc free. There is one place, though, that may not do it that way, it's sctp_sf_abort_violation(), but then that code only runs if asoc is already NULL by then. Dmitry, still no luck here, cannot reproduce another hit. I'm using sctp_test and a custom test of mine, both on localhost so I would catch it in server or client side, nothing.. I need more info. Please enable the pr_debug() on debug_post_sfn() macro and see which status is being reported when you trigger the issue. And/or share a traffic capture so we can see what's going on with the association. Marcelo -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists