lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 17 Oct 2018 22:12:12 -0700 (PDT)
From:   David Miller <>
Subject: Re: [PATCH net] sctp: fix race on sctp_id2asoc

From: Marcelo Ricardo Leitner <>
Date: Tue, 16 Oct 2018 15:18:17 -0300

> syzbot reported an use-after-free involving sctp_id2asoc.  Dmitry Vyukov
> helped to root cause it and it is because of reading the asoc after it
> was freed:
>         CPU 1                       CPU 2
> (working on socket 1)            (working on socket 2)
> 	                         sctp_association_destroy
> sctp_id2asoc
>    spin lock
>      grab the asoc from idr
>    spin unlock
>                                    spin lock
> 				     remove asoc from idr
> 				   spin unlock
> 				   free(asoc)
>    if asoc-> != sk ... [*]
> This can only be hit if trying to fetch asocs from different sockets. As
> we have a single IDR for all asocs, in all SCTP sockets, their id is
> unique on the system. An application can try to send stuff on an id
> that matches on another socket, and the if in [*] will protect from such
> usage. But it didn't consider that as that asoc may belong to another
> socket, it may be freed in parallel (read: under another socket lock).
> We fix it by moving the checks in [*] into the protected region. This
> fixes it because the asoc cannot be freed while the lock is held.
> Reported-by:
> Acked-by: Dmitry Vyukov <>
> Signed-off-by: Marcelo Ricardo Leitner <>

Applied and queued up for -stable.

Powered by blists - more mailing lists