| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.21.1906040021510.3876@ja.home.ssi.bg>
Date: Tue, 4 Jun 2019 00:32:22 +0300 (EEST)
From: Julian Anastasov <ja@....bg>
To: syzbot <syzbot+722da59ccb264bc19910@...kaller.appspotmail.com>
cc: coreteam@...filter.org, "David S. Miller" <davem@...emloft.net>,
fw@...len.de, kadlec@...ckhole.kfki.hu,
linux-kernel <linux-kernel@...r.kernel.org>,
netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
pablo@...filter.org, syzkaller-bugs@...glegroups.com,
lvs-devel@...r.kernel.org
Subject: Re: memory leak in nf_hook_entries_grow
Hello,
On Mon, 3 Jun 2019, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 3ab4436f Merge tag 'nfsd-5.2-1' of git://linux-nfs.org/~bf..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15feaf82a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=50393f7bfe444ff6
> dashboard link: https://syzkaller.appspot.com/bug?extid=722da59ccb264bc19910
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f02772a00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1657b80ea00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+722da59ccb264bc19910@...kaller.appspotmail.com
>
> 035][ T7273] IPVS: ftp: loaded support on port[0] = 21
> BUG: memory leak
> unreferenced object 0xffff88810acd8a80 (size 96):
> comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
> hex dump (first 32 bytes):
> 02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P.......
> 00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w......
> backtrace:
> [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55
> [inline]
> [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
> [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
> [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
> [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
> [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
> [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
> [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
> [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
> [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
> [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60
> net/netfilter/core.c:61
> [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270
> net/netfilter/core.c:128
> [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170
> net/netfilter/core.c:337
> [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0
> net/netfilter/core.c:464
> [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0
> net/netfilter/core.c:480
> [<000000002ea868e0>] __ip_vs_init+0xe8/0x170
> net/netfilter/ipvs/ip_vs_core.c:2280
After commit "ipvs: Fix use-after-free in ip_vs_in" we planned
to call nf_register_net_hooks() only when rule is created but this
is net-next material and we should not leave leak in the error path.
I'll post a patch that adds .init handler for ipvs_core_dev_ops, so
that nf_register_net_hooks() is called there.
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Regards
--
Julian Anastasov <ja@....bg>
Powered by blists - more mailing lists