lists.openwall.net: Open Source and information security mailing list archives
Date:   Tue, 3 Nov 2020 21:52:10 +0800
From:   Xin Long <lucien.xin@...il.com>
To:     syzbot <syzbot+5be8aebb1b7dfa90ef31@...kaller.appspotmail.com>
Cc:     davem <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Jakub Kicinski <kuba@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        network dev <netdev@...r.kernel.org>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: use-after-free Read in decode_session6

On Tue, Nov 3, 2020 at 9:14 PM Xin Long <lucien.xin@...il.com> wrote:
>
> On Sun, Nov 1, 2020 at 1:40 PM syzbot
> <syzbot+5be8aebb1b7dfa90ef31@...kaller.appspotmail.com> wrote:
> >
> > syzbot has bisected this issue to:
> >
> > commit bcd623d8e9fa5f82bbd8cd464dc418d24139157b
> > Author: Xin Long <lucien.xin@...il.com>
> > Date:   Thu Oct 29 07:05:05 2020 +0000
> >
> >     sctp: call sk_setup_caps in sctp_packet_transmit instead
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14df9cb8500000
> > start commit:   68bb4665 Merge branch 'l2-multicast-forwarding-for-ocelot-..
> > git tree:       net-next
> > final oops:     https://syzkaller.appspot.com/x/report.txt?x=16df9cb8500000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12df9cb8500000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=eac680ae76558a0e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5be8aebb1b7dfa90ef31
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11286398500000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11bbf398500000
> >
> > Reported-by: syzbot+5be8aebb1b7dfa90ef31@...kaller.appspotmail.com
> > Fixes: bcd623d8e9fa ("sctp: call sk_setup_caps in sctp_packet_transmit instead")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> I'm looking into this, Thanks.
This was actually caused by:

commit a1dd2cf2f1aedabc2ca9bb4f90231a521c52d8eb
Author: Xin Long <lucien.xin@...il.com>
Date:   Thu Oct 29 15:05:03 2020 +0800

    sctp: allow changing transport encap_port by peer packets

where the IP6CB was overwritten by SCTP_INPUT_CB.

I will fix it by bringing inet6_skb_parm back to sctp_input_cb:

 struct sctp_input_cb {
+       union {
+               struct inet_skb_parm    h4;
+#if IS_ENABLED(CONFIG_IPV6)
+               struct inet6_skb_parm   h6;
+#endif
+       } header;
+       __be16 encap_port;
        struct sctp_chunk *chunk;
        struct sctp_af *af;
-       __be16 encap_port;
 };
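Review bot: the `header` union must stay the first member of `struct sctp_input_cb`, because IPCB()/IP6CB() read `skb->cb` as `struct inet_skb_parm`/`struct inet6_skb_parm` from offset zero; the hunk does put it first, but nothing records that invariant, so a comment on the member (or a BUILD_BUG_ON that `sizeof(struct sctp_input_cb)` still fits in `skb->cb`) would stop a later reordering from reintroducing the overwrite described above. The move of `encap_port` above `chunk` is also not explained; if it is only to fill the padding after the union, the commit message should say so, and the fragment needs its `@@` header and file path before it can be applied.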

Will post it soon, Thanks.
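The overwrite described above, as an added example that is not code from the patch or the kernel: it models skb->cb as a plain 48-byte array, uses simplified stand-in struct bodies, and fills the SCTP view with constructed sentinel values.

```c
/* Added example, not from the patch or the kernel: models the skb->cb aliasing
 * bug the message describes. skb->cb is a 48-byte scratch area; IP6CB(skb)
 * views it as struct inet6_skb_parm and SCTP_INPUT_CB(skb) as struct
 * sctp_input_cb. The struct bodies below are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SKB_CB_SIZE 48

struct inet_skb_parm  { int iif; uint16_t flags; };
struct inet6_skb_parm { int iif; int flags; uint16_t frag_max_size; };

/* Before the fix: SCTP's state starts at offset 0 and lands on top of IP6CB. */
struct sctp_input_cb_old { void *chunk; void *af; uint16_t encap_port; };

/* After the fix: the IP-layer parm comes first, so both views coexist. */
struct sctp_input_cb_new {
    union { struct inet_skb_parm h4; struct inet6_skb_parm h6; } header;
    uint16_t encap_port;
    void *chunk;
    void *af;
};

/* The two invariants worth pinning down at compile time. */
_Static_assert(offsetof(struct sctp_input_cb_new, header) == 0, "header must be first");
_Static_assert(sizeof(struct sctp_input_cb_new) <= SKB_CB_SIZE, "must fit in skb->cb");

/* Replays the receive path: IPv6 fills IP6CB, then SCTP writes its own state
 * into the same bytes. Returns the iif a later IP6CB(skb) reader would see. */
int ip6cb_iif_after_sctp(int use_fixed_layout, int iif_in)
{
    unsigned char cb[SKB_CB_SIZE] = { 0 };
    struct inet6_skb_parm ip6cb = { .iif = iif_in };
    void *fake_chunk = (void *)(uintptr_t)0x00c0ffee; /* constructed sentinels */
    void *fake_af = (void *)(uintptr_t)0x00beef00;

    memcpy(cb, &ip6cb, sizeof ip6cb);             /* IPv6 receive sets IP6CB */

    if (use_fixed_layout) {
        struct sctp_input_cb_new n;
        memcpy(&n, cb, sizeof n);                 /* keep the header bytes */
        n.chunk = fake_chunk; n.af = fake_af; n.encap_port = 9899;
        memcpy(cb, &n, sizeof n);
    } else {
        struct sctp_input_cb_old o = { fake_chunk, fake_af, 9899 };
        memcpy(cb, &o, sizeof o);                 /* clobbers bytes 0..23 */
    }

    memcpy(&ip6cb, cb, sizeof ip6cb);             /* later IP6CB(skb) read */
    return ip6cb.iif;
}
```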
