lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20180310191634.GA612@zzz.localdomain>
Date:   Sat, 10 Mar 2018 11:16:34 -0800
From:   Eric Biggers <ebiggers3@...il.com>
To:     syzbot 
        <bot+d65446dfccfeeedc946b8511903687fe9f2d327a@...kaller.appspotmail.com>
Cc:     syzkaller-bugs@...glegroups.com, netdev@...r.kernel.org,
        Tom Herbert <tom@...ntonium.net>
Subject: Re: KASAN: use-after-free Read in strp_data_ready

On Tue, 24 Oct 2017 08:15:01 -0700, syzbot wrote:
> Hello, 
> 
> syzkaller hit the following crash on   
> b9f1f1ce866c28e3d9b86202441b220244754a69 
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master 
> compiler: gcc (GCC) 7.1.1 20170620 
> .config is attached 
> Raw console output is attached. 
> C reproducer is attached 
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ 
> for information about syzkaller reproducers 
> 
> 
> device lo entered promiscuous mode 
> ================================================================== 
> BUG: KASAN: use-after-free in strp_data_ready+0x2fb/0x390   
> net/strparser/strparser.c:394 
> Read of size 1 at addr ffff8801cebdda50 by task syzkaller825731/2994 
> 
> CPU: 1 PID: 2994 Comm: syzkaller825731 Not tainted 4.14.0-rc4+ #82 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS   
> Google 01/01/2011 
> Call Trace: 
>   <IRQ> 
>   __dump_stack lib/dump_stack.c:16 [inline] 
>   dump_stack+0x194/0x257 lib/dump_stack.c:52 
>   print_address_description+0x73/0x250 mm/kasan/report.c:252 
>   kasan_report_error mm/kasan/report.c:351 [inline] 
>   kasan_report+0x25b/0x340 mm/kasan/report.c:409 
>   __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 
>   strp_data_ready+0x2fb/0x390 net/strparser/strparser.c:394 
>   psock_data_ready+0x56/0x70 net/kcm/kcmsock.c:353 
>   tcp_data_queue+0x1da8/0x3e50 net/ipv4/tcp_input.c:4672 
>   tcp_rcv_established+0x844/0x18a0 net/ipv4/tcp_input.c:5496 
>   tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460 
>   tcp_v4_rcv+0x24e5/0x2f80 net/ipv4/tcp_ipv4.c:1721 
>   ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 
>   NF_HOOK include/linux/netfilter.h:249 [inline] 
>   ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 
>   dst_input include/net/dst.h:465 [inline] 
>   ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397 
>   NF_HOOK include/linux/netfilter.h:249 [inline] 
>   ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493 
>   __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4477 
>   __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4542 
>   process_backlog+0x203/0x740 net/core/dev.c:5221 
>   napi_poll net/core/dev.c:5619 [inline] 
>   net_rx_action+0x792/0x1910 net/core/dev.c:5685 
>   __do_softirq+0x29d/0xbb2 kernel/softirq.c:284 
>   do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:957 
>   </IRQ> 
>   do_softirq.part.20+0x14d/0x190 kernel/softirq.c:328 
>   do_softirq kernel/softirq.c:176 [inline] 
>   __local_bh_enable_ip+0x135/0x160 kernel/softirq.c:181 
>   local_bh_enable include/linux/bottom_half.h:31 [inline] 
>   rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline] 
>   ip_finish_output2+0x8ad/0x1460 net/ipv4/ip_output.c:231 
>   ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317 
>   NF_HOOK_COND include/linux/netfilter.h:238 [inline] 
>   ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405 
>   dst_output include/net/dst.h:459 [inline] 
>   ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 
>   ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504 
>   tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137 
>   tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341 
>   __tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513 
>   tcp_send_fin+0x1b0/0xdb0 net/ipv4/tcp_output.c:3058 
>   tcp_close+0xbe0/0xfc0 net/ipv4/tcp.c:2232 
>   inet_release+0xed/0x1c0 net/ipv4/af_inet.c:426 
>   sock_release+0x8d/0x1e0 net/socket.c:597 
>   sock_close+0x16/0x20 net/socket.c:1126 
>   __fput+0x333/0x7f0 fs/file_table.c:210 
>   ____fput+0x15/0x20 fs/file_table.c:244 
>   task_work_run+0x199/0x270 kernel/task_work.c:112 
>   exit_task_work include/linux/task_work.h:21 [inline] 
>   do_exit+0x9d2/0x1af0 kernel/exit.c:865 
> 
> 
> --- 
> This bug is generated by a dumb bot. It may contain errors. 
> See https://goo.gl/tpsmEJ for details. 
> Direct all questions to syzk...@...glegroups.com. 
> 
> syzbot will keep track of this bug report. 
> Once a fix for this bug is committed, please reply to this email with: 
> #syz fix: exact-commit-title 
> To mark this as a duplicate of another syzbot report, please reply with:

While unfortunately this bug report was ignored, it seems it was eventually
reported as a slightly different use-after-free ("KASAN: use-after-free Read in
psock_write_space") and was fixed around Jan 25 by commit 581e7226a5d4.
So telling syzbot:

#syz fix: kcm: Only allow TCP sockets to be attached to a KCM mux

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ