Date:   Thu, 15 Mar 2018 14:32:46 -0400 (EDT)
From:   David Miller <davem@...emloft.net>
To:     nhorman@...driver.com
Cc:     linux-sctp@...r.kernel.org, netdev@...r.kernel.org,
        lucien.xin@...il.com
Subject: Re: [PATCH v2] sctp: Fix double free in sctp_sendmsg_to_asoc

From: Neil Horman <nhorman@...driver.com>
Date: Mon, 12 Mar 2018 14:15:25 -0400

> syzbot/kasan detected a double free in sctp_sendmsg_to_asoc:
> BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
> net/sctp/associola.c:332
> Read of size 8 at addr ffff8801d8006ae0 by task syzkaller914861/4202
 ...
> This was introduced by commit:
> f84af33 sctp: factor out sctp_sendmsg_to_asoc from sctp_sendmsg
> 
> As the newly refactored function moved the wait_for_sndbuf call to a
> point after the association was connected, allowing for peeloff events
> to occur, which in turn caused wait_for_sndbuf to return -EPIPE which
> was not caught by the logic that determines if an association should be
> freed or not.
> 
> Fix it the easy way by returning the ordering of
> sctp_primitive_ASSOCIATE and sctp_wait_for_sndbuf to the old order, to
> ensure that EPIPE will not happen.
> 
> Tested by myself using the syzbot reproducers with positive results.
> 
> Signed-off-by: Neil Horman <nhorman@...driver.com>
> CC: davem@...emloft.net
> CC: Xin Long <lucien.xin@...il.com>
> Reported-by: syzbot+a4e4112c3aff00c8cfd8@...kaller.appspotmail.com

Applied, thanks Neil.
