| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <95aaa3d59cb3c9cc11b6b83880d92fec@codeaurora.org> Date: Thu, 05 Jul 2018 20:37:03 -0600 From: Subash Abhinov Kasiviswanathan <subashab@...eaurora.org> To: netdev@...r.kernel.org, eric.dumazet@...il.com, lorenzo@...gle.com Subject: Crash due to destroying TCP request sockets using SOCK_DESTROY We are seeing a crash on an ARM64 device with Android 4.14 based kernel. From the call stack, a TCP socket is being destroyed using netlink_diag. The memory dump showed that the socket was an inet request socket (in state TCP_NEW_SYN_RECV) with refcount of 0. The crash seems to have happened during a regression test where wifi was toggled with some browser activity but it is not very easily reproducible. I believe netd on Android tries to destroy all sockets in a system on change of network. 13232.479820: <2> refcount_t: underflow; use-after-free. 13232.479838: <6> ------------[ cut here ]------------ 13232.479843: <6> kernel BUG at kernel/msm-4.14/lib/refcount.c:204! 13232.479849: <6> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP 13232.479895: <6> CPU: 4 PID: 648 Comm: netd Tainted: G S W O 4.14.49+ #1 13232.479897: <6> task: fffffff5d6e28080 task.stack: ffffff801cf98000 13232.479908: <2> pc : refcount_sub_and_test+0x64/0x78 13232.479910: <2> lr : refcount_sub_and_test+0x64/0x78 13232.479911: <2> sp : ffffff801cf9ba40 pstate : 20400145 13232.479911: <2> x29: ffffff801cf9ba40 x28: fffffff5d6e28080 13232.479914: <2> x27: ffffff801cf9bd10 x26: fffffff4a1428f40 13232.479915: <2> x25: 0000000000000000 x24: ffffffffffffff91 13232.479917: <2> x23: 0000000000000015 x22: fffffff5b837c880 13232.479919: <2> x21: fffffff4a1428f40 x20: 0000000000000000 13232.479920: <2> x19: fffffff4c47c6088 x18: e7b13cd1ecbfea00 13232.479922: <2> x17: 00000008ec3bb553 x16: 011d8776aa792786 13232.479924: <2> x15: e7b13cd1ecbfea00 x14: 000000002bdb7692 13232.479925: <2> x13: 0000000000000000 x12: e7b13cd1ecbfea00 13232.479927: <2> x11: e7b13cd1ecbfea00 x10: 0000000000000000 13232.479928: <2> x9 : e7b13cd1ecbfea00 x8 : 0000000000000000 13232.479929: <2> x7 : 0000000000000001 x6 : 0000000000000001 13232.479931: <2> x5 : 0000000000000000 x4 : 00000c08ed425d69 13232.479932: <2> x3 : 00000066effb6000 x2 : ffffff8f09dc5000 13232.479934: <2> x1 : 0000000000000000 x0 : 0000000000000026 13232.479996: <6> Process netd (pid: 648, stack limit = 0xffffff801cf98000) 13232.479998: <2> Call trace: 13232.480000: <2> refcount_sub_and_test+0x64/0x78 13232.480002: <2> refcount_dec_and_test+0x18/0x24 13232.480005: <2> sock_gen_put+0x1c/0xb0 13232.480009: <2> tcp_diag_destroy+0x54/0x68 13232.480010: <2> inet_diag_cmd_exact+0x78/0xa0 13232.480012: <2> inet_diag_handler_cmd+0xcc/0xf8 13232.480018: <2> sock_diag_rcv_msg+0x130/0x158 13232.480021: <2> netlink_rcv_skb+0xa4/0x11c 13232.480023: <2> sock_diag_rcv+0x34/0x48 13232.480025: <2> netlink_unicast+0x158/0x1f0 13232.480026: <2> netlink_sendmsg+0x334/0x340 13232.480028: <2> sock_sendmsg+0x44/0x60 13232.480031: <2> sock_write_iter+0xac/0xf4 13232.480034: <2> __vfs_write+0x124/0x154 13232.480036: <2> vfs_write+0xcc/0x188 13232.480038: <2> SyS_write+0x60/0xc0 13232.480040: <2> el0_svc_naked+0x34/0x38 13232.480042: <6> Code: 910003fd f0008200 910fd000 97f4158c (d4210000) 13232.480045: <6> ---[ end trace 994bad5b8077e394 ]--- 13232.480061: <6> Kernel panic - not syncing: Fatal exception -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
Powered by blists - more mailing lists