lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACT4Y+bWWAiMYQN_Fvxs7CKR9hRAA+r0t_YZhja3B5xGcZ4vcQ@mail.gmail.com> Date: Tue, 28 Feb 2017 17:32:57 +0100 From: Dmitry Vyukov <dvyukov@...gle.com> To: Sowmini Varadhan <sowmini.varadhan@...cle.com> Cc: santosh.shilimkar@...cle.com, David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>, linux-rdma@...r.kernel.org, rds-devel@....oracle.com, LKML <linux-kernel@...r.kernel.org>, Eric Dumazet <edumazet@...gle.com>, syzkaller <syzkaller@...glegroups.com> Subject: Re: net/rds: use-after-free in inet_create On Tue, Feb 28, 2017 at 5:15 PM, Sowmini Varadhan <sowmini.varadhan@...cle.com> wrote: > On (02/28/17 16:49), Dmitry Vyukov wrote: >> >> Grepping "socket" there, it was doing lots of things with sockets. Are >> we looking for some particular socket type? If there are few programs >> that create sockets of that type, then we can narrow down the set: > > Yes, we are looking for PF_RDS/AF_RDS - this should be > #define AF_RDS 21 /* RDS sockets */ > > I see PF_KCM there (value 41) but no instances of 0x15.. how did > the rds_connect_worker thread get kicked off at all? > > the way this is supposed to work is > 1. someone modprobes rds-tcp > 2. app tries to do rds_sendmsg to some ip address in a netns - this triggers the > creation of an rds_connection, and subsequent kernel socket TCP connection > threads (i.e., rds_connect_worker) for that netns > 3. if you unload rds-tcp, the module_unload should do all the cleanup > needed via rds_tcp_conn_paths_destroy. This is done > Its not clear to me that the test is doing any of this... > > is this reproducible? let me check if there is some race window where > we can restart a connection attempt when rds_tcp_kill_sock assumes > that the connect worker has been quiesced.. Not reproducible so far. rds is compiled into kernel (no modules): CONFIG_RDS=y CONFIG_RDS_TCP=y Also fuzzer actively creates and destroys namespaces. Yes, I don't see socket(0x15) in the log. Probably it was truncated.
Powered by blists - more mailing lists