Message-ID: <CADvbK_e6jD_wvo+iz9oNHEjOKa=Xsy9OhnEbV1M8kDWp=qnxwA@mail.gmail.com>
Date: Tue, 3 Nov 2020 21:52:10 +0800
From: Xin Long <lucien.xin@...il.com>
To: syzbot <syzbot+5be8aebb1b7dfa90ef31@...kaller.appspotmail.com>
Cc: davem <davem@...emloft.net>,
Herbert Xu <herbert@...dor.apana.org.au>,
Jakub Kicinski <kuba@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
network dev <netdev@...r.kernel.org>,
Steffen Klassert <steffen.klassert@...unet.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: use-after-free Read in decode_session6
On Tue, Nov 3, 2020 at 9:14 PM Xin Long <lucien.xin@...il.com> wrote:
>
> On Sun, Nov 1, 2020 at 1:40 PM syzbot
> <syzbot+5be8aebb1b7dfa90ef31@...kaller.appspotmail.com> wrote:
> >
> > syzbot has bisected this issue to:
> >
> > commit bcd623d8e9fa5f82bbd8cd464dc418d24139157b
> > Author: Xin Long <lucien.xin@...il.com>
> > Date: Thu Oct 29 07:05:05 2020 +0000
> >
> > sctp: call sk_setup_caps in sctp_packet_transmit instead
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14df9cb8500000
> > start commit: 68bb4665 Merge branch 'l2-multicast-forwarding-for-ocelot-..
> > git tree: net-next
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=16df9cb8500000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12df9cb8500000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=eac680ae76558a0e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5be8aebb1b7dfa90ef31
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11286398500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11bbf398500000
> >
> > Reported-by: syzbot+5be8aebb1b7dfa90ef31@...kaller.appspotmail.com
> > Fixes: bcd623d8e9fa ("sctp: call sk_setup_caps in sctp_packet_transmit instead")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> I'm looking into this, Thanks.
This was actually caused by:
commit a1dd2cf2f1aedabc2ca9bb4f90231a521c52d8eb
Author: Xin Long <lucien.xin@...il.com>
Date: Thu Oct 29 15:05:03 2020 +0800
sctp: allow changing transport encap_port by peer packets
where the IP6CB was overwritten by SCTP_INPUT_CB.
I will fix it by bringing inet6_skb_parm back to sctp_input_cb:
struct sctp_input_cb {
+ union {
+ struct inet_skb_parm h4;
+#if IS_ENABLED(CONFIG_IPV6)
+ struct inet6_skb_parm h6;
+#endif
+ } header;
+ __be16 encap_port;
struct sctp_chunk *chunk;
struct sctp_af *af;
- __be16 encap_port;
};
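Review bot: the fix depends on `header` being the first member of sctp_input_cb, since IP6CB() reads from the start of skb->cb, and nothing in the struct records that; a one-line comment on the union (for example `/* must stay first: overlays IPCB()/IP6CB() */`) would keep a later reordering from reintroducing this overwrite. Since the union also widens the struct, a `BUILD_BUG_ON(sizeof(struct sctp_input_cb) > sizeof_field(struct sk_buff, cb));` where SCTP first fills the cb would catch any future growth past the 48-byte cb at compile time.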
Will post it soon, Thanks.
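As an added illustration (not code from this thread or from the kernel): a user-space model of the skb->cb overlap described above, using simplified stand-in structs and fake pointer values, which shows the layout without the header union clobbering the IP6CB fields and the fixed layout (header union first) leaving them intact. The field names inside inet6_skb_parm, SKB_CB_SIZE and ip6cb_intact() are assumptions for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CB_SIZE 48  /* size of sk_buff.cb; every cb view must fit in it */

/* Stand-in for inet6_skb_parm (fields assumed); what IP6CB() reads at cb[0]. */
struct inet6_skb_parm { int iif; uint16_t ra; uint16_t nhoff; };

/* Layout without the header union: SCTP's fields start at cb[0], right on
 * top of whatever IPv6 input stored there. */
struct sctp_input_cb_before { void *chunk; void *af; uint16_t encap_port; };

/* Layout from the fix: header union first, SCTP fields after the bytes
 * that IP6CB() owns. */
struct sctp_input_cb_after {
    union { struct inet6_skb_parm h6; } header;  /* must stay first */
    uint16_t encap_port;
    void *chunk;
    void *af;
};
_Static_assert(sizeof(struct sctp_input_cb_after) <= SKB_CB_SIZE, "cb overflow");

struct sk_buff { _Alignas(8) unsigned char cb[SKB_CB_SIZE]; };
#define IP6CB(skb) ((struct inet6_skb_parm *)&(skb)->cb[0])

/* IPv6 input fills IP6CB, then SCTP input writes its own view of cb.
 * Returns 1 if the IPv6 fields survive for a later reader such as
 * decode_session6, 0 if SCTP clobbered them. */
int ip6cb_intact(int use_fixed_layout)
{
    struct sk_buff skb;
    void *fake_chunk = (void *)(uintptr_t)0xdeadbeefcafef00dULL;  /* fake ptr */
    void *fake_af = (void *)(uintptr_t)0x1122334455667788ULL;     /* fake ptr */
    memset(&skb, 0, sizeof skb);
    IP6CB(&skb)->iif = 7;
    IP6CB(&skb)->nhoff = 0xBEEF;
    if (use_fixed_layout) {
        struct sctp_input_cb_after *cb = (void *)skb.cb;
        cb->encap_port = 9899; cb->chunk = fake_chunk; cb->af = fake_af;
    } else {
        struct sctp_input_cb_before *cb = (void *)skb.cb;
        cb->chunk = fake_chunk; cb->af = fake_af; cb->encap_port = 9899;
    }
    return IP6CB(&skb)->iif == 7 && IP6CB(&skb)->nhoff == 0xBEEF;
}

int main(void)
{
    printf("IP6CB intact without/with header union: %d %d\n",
           ip6cb_intact(0), ip6cb_intact(1));
    return 0;
}
```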