| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Feb 2017 11:15:44 -0500
From: Sowmini Varadhan <sowmini.varadhan@...cle.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: santosh.shilimkar@...cle.com, David Miller <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>, linux-rdma@...r.kernel.org,
rds-devel@....oracle.com, LKML <linux-kernel@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/rds: use-after-free in inet_create
On (02/28/17 16:49), Dmitry Vyukov wrote:
>
> Grepping "socket" there, it was doing lots of things with sockets. Are
> we looking for some particular socket type? If there are few programs
> that create sockets of that type, then we can narrow down the set:
Yes, we are looking for PF_RDS/AF_RDS - this should be
#define AF_RDS 21 /* RDS sockets */
I see PF_KCM there (value 41) but no instances of 0x15.. how did
the rds_connect_worker thread get kicked off at all?
the way this is supposed to work is
1. someone modprobes rds-tcp
2. app tries to do rds_sendmsg to some ip address in a netns - this triggers the
creation of an rds_connection, and subsequent kernel socket TCP connection
threads (i.e., rds_connect_worker) for that netns
3. if you unload rds-tcp, the module_unload should do all the cleanup
needed via rds_tcp_conn_paths_destroy. This is done
Its not clear to me that the test is doing any of this...
is this reproducible? let me check if there is some race window where
we can restart a connection attempt when rds_tcp_kill_sock assumes
that the connect worker has been quiesced..
--Sowmini
Powered by blists - more mailing lists