| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170228222410.GA32635@oracle.com>
Date: Tue, 28 Feb 2017 17:24:10 -0500
From: Sowmini Varadhan <sowmini.varadhan@...cle.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: santosh.shilimkar@...cle.com, David Miller <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>, linux-rdma@...r.kernel.org,
rds-devel@....oracle.com, LKML <linux-kernel@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/rds: use-after-free in inet_create
Actually, I'm not sure if I can assert that these are all manifestations
of the same bug- was a netns-delete involved in this one as well?
I see:
> BUG: KASAN: use-after-free in memcmp+0xe3/0x160 lib/string.c:768 at
:
> memcmp+0xe3/0x160 lib/string.c:768
:
> rds_find_bound+0x4fe/0x8a0 net/rds/bind.c:63
> rds_recv_incoming+0x5f3/0x12c0 net/rds/recv.c:349
> rds_loop_xmit+0x1c5/0x490 net/rds/loop.c:82
:
This appears to be for a looped back packet, and looks like there
are problems with some rds_sock that got removed from the bind_hash_table..
According to the report, socket was created at
> Allocated:
> PID = 5235
:
> sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334
> sk_alloc+0x105/0x1010 net/core/sock.c:1396
> rds_create+0x11c/0x600 net/rds/af_rds.c:504
and closed at some point:
> Freed:
> PID = 5235
:
> rds_release+0x3a1/0x4d0 net/rds/af_rds.c:89
> sock_release+0x8d/0x1e0 net/socket.c:599
This is all uspace created rds sockets, and while there may be an
unrelated bug here, I'm not sure I see the netns/kernel-socket
connection.. can you please clarify if this was also seen in some netns
context?
--Sowmini
Powered by blists - more mailing lists