| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5665DF20.9020904@gmail.com> Date: Mon, 7 Dec 2015 14:33:52 -0500 From: Vlad Yasevich <vyasevich@...il.com> To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, Dmitry Vyukov <dvyukov@...gle.com> Cc: netdev <netdev@...r.kernel.org>, Eric Dumazet <eric.dumazet@...il.com>, syzkaller <syzkaller@...glegroups.com>, linux-sctp@...r.kernel.org, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Sasha Levin <sasha.levin@...cle.com> Subject: Re: use-after-free in sctp_do_sm On 12/07/2015 01:52 PM, Marcelo Ricardo Leitner wrote: > On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote: >> On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner >> <marcelo.leitner@...il.com> wrote: >>> On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote: >>>> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@...il.com> wrote: > ... >>>>> Hi Marcelo >>>>> >>>>> I think you also need to catch the SCTP_DISPOSITION_ABORT and update >>>>> the pointer. There are some issues there though as some functions report >>>>> that code without actually destroying the association. This happens when >>>>> the ABORT chunk may be dropped. >>>>> >>>>> I think this might be why we still see the issue. >>>> >>>> >>>> Marcelo, >>>> >>>> Is this info enough for you to cook another fix? >>> >>> Hi, I think so. I was really wondering how you could trigger that issue >>> without the timestamp fix and Vlad's comment does shed some light on it. >>> >>> I'll do more tests later today, but what did you have connecting to the >>> listening socket? Somehow you made that accept() call to return.. >> >> Local connect in another thread I guess. > > Vlad, I reviewed the places on which it returns SCTP_DISPOSITION_ABORT, > and if I didn't miss something in there all of them either issue > SCTP_CMD_ASSOC_FAILED or SCTP_CMD_INIT_FAILED before returning it, thus > delaying DELETE_TCB and with that the asoc free. They delay it from the perspective of the command interpreter since the command to delete the TCB happens a little later, but status code is checked after all commands are processed and command processing doesn't change it. So the 'status' code would still be SCTP_DISPOSITION_ABORT after DELETE_TCB command was processed. So, I think we may still have an use-after-free issue here. > There is one place, > though, that may not do it that way, it's sctp_sf_abort_violation(), but > then that code only runs if asoc is already NULL by then. I don't believe so. The violation state function can run with a non-NULL association if we are encountering protocol violations after the association is established. -vlad > > Dmitry, still no luck here, cannot reproduce another hit. > I'm using sctp_test and a custom test of mine, both on localhost so I > would catch it in server or client side, nothing.. > > I need more info. Please enable the pr_debug() on debug_post_sfn() macro > and see which status is being reported when you trigger the issue. > And/or share a traffic capture so we can see what's going on with the > association. > > Marcelo > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists