lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 1 Mar 2017 10:47:26 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Sowmini Varadhan <sowmini.varadhan@...cle.com>
Cc:     santosh.shilimkar@...cle.com, David Miller <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>, linux-rdma@...r.kernel.org,
        rds-devel@....oracle.com, LKML <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/rds: use-after-free in inet_create

On Tue, Feb 28, 2017 at 11:24 PM, Sowmini Varadhan
<sowmini.varadhan@...cle.com> wrote:
>
> Actually, I'm not sure if I can assert that these are all manifestations
> of the same bug- was a netns-delete involved in this one as well?
>
> I see:
>
>> BUG: KASAN: use-after-free in memcmp+0xe3/0x160 lib/string.c:768 at
>     :
>>  memcmp+0xe3/0x160 lib/string.c:768
>     :
>>  rds_find_bound+0x4fe/0x8a0 net/rds/bind.c:63
>>  rds_recv_incoming+0x5f3/0x12c0 net/rds/recv.c:349
>>  rds_loop_xmit+0x1c5/0x490 net/rds/loop.c:82
>     :
> This appears to be for a looped back packet, and looks like there
> are problems with  some rds_sock that got removed from the bind_hash_table..
>
> According to the report, socket was created at
>> Allocated:
>> PID = 5235
>     :
>>  sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334
>>  sk_alloc+0x105/0x1010 net/core/sock.c:1396
>>  rds_create+0x11c/0x600 net/rds/af_rds.c:504
>
> and closed at some point:
>> Freed:
>> PID = 5235
>      :
>>  rds_release+0x3a1/0x4d0 net/rds/af_rds.c:89
>>  sock_release+0x8d/0x1e0 net/socket.c:599
>
> This is all uspace created rds sockets, and while there may be an
> unrelated bug here, I'm not sure I see  the netns/kernel-socket
> connection.. can you please clarify if this was also seen in some netns
> context?


Yes, these test processes run in private net namespaces.

Powered by blists - more mailing lists