Open Source and information security mailing list archives
 
Date:   Fri, 04 Oct 2019 11:07:21 +0100
From:   David Howells <dhowells@...hat.com>
To:     Hillf Danton <hdanton@...a.com>
Cc:     dhowells@...hat.com,
        syzbot <syzbot+d850c266e3df14da1d31@...kaller.appspotmail.com>,
        MAILER_DAEMON@...il.uscc.net, davem@...emloft.net,
        linux-afs@...ts.infradead.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in rxrpc_send_keepalive

This is the fix, I think.

David
---
rxrpc: Fix call ref leak

When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.

This causes the following symptom to show up with kasan:

        BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
        net/rxrpc/output.c:635
        Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

where line 635 is:

        whdr.epoch      = htonl(peer->local->rxnet->epoch);

The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).

Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c266e3df14da1d31@...kaller.appspotmail.com
Signed-off-by: David Howells <dhowells@...hat.com>
---
 sendmsg.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 6cd55b1d79f9..79b5b23db4c1 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -661,6 +661,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
 		case RXRPC_CALL_SERVER_PREALLOC:
 		case RXRPC_CALL_SERVER_SECURING:
 		case RXRPC_CALL_SERVER_ACCEPTING:
+			rxrpc_put_call(call, rxrpc_call_put);
 			ret = -EBUSY;
 			goto error_release_sock;
 		default:
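
Review bot: The rxrpc_put_call() added in the RXRPC_CALL_SERVER_PREALLOC / SECURING / ACCEPTING arm is open-coded just before "goto error_release_sock", so the ref balance depends on every exit from this switch remembering to drop the call by hand. The hunk does not show the "default:" arm or any other path that reaches error_release_sock with the call ref still held; please confirm in the changelog that those are already balanced, or route them through a shared error label that does the put before falling into error_release_sock. A one-line comment at the put saying which lookup took the ref would also help, since the changelog links this leak to the rxrpc_send_keepalive() use-after-free only through the remark that the call pins the peer but not the local endpoint.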
