| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210723194932.6c3b77a8@gmail.com>
Date: Fri, 23 Jul 2021 19:49:32 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: syzbot <syzbot+e6741b97d5552f97c24d@...kaller.appspotmail.com>
Cc: davem@...emloft.net, devicetree@...r.kernel.org,
frowand.list@...il.com, gregkh@...uxfoundation.org,
jmaloy@...hat.com, kuba@...nel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, rafael@...nel.org, robh+dt@...nel.org,
robh@...nel.org, syzkaller-bugs@...glegroups.com,
tipc-discussion@...ts.sourceforge.net, ying.xue@...driver.com
Subject: Re: [syzbot] KASAN: use-after-free Read in tipc_recvmsg
On Fri, 23 Jul 2021 19:36:11 +0300
Pavel Skripkin <paskripkin@...il.com> wrote:
> On Sun, 18 Jul 2021 10:15:19 -0700
> syzbot <syzbot+e6741b97d5552f97c24d@...kaller.appspotmail.com> wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: ab0441b4a920 Merge branch 'vmxnet3-version-6'
> > git tree: net-next
> > console output:
> > https://syzkaller.appspot.com/x/log.txt?x=1744ac6a300000 kernel
> > config: https://syzkaller.appspot.com/x/.config?x=da140227e4f25b17
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=e6741b97d5552f97c24d syz
> > repro:
> > https://syzkaller.appspot.com/x/repro.syz?x=13973a74300000 C
> > reproducer:
> > https://syzkaller.appspot.com/x/repro.c?x=17ffc902300000
> >
> > The issue was bisected to:
> >
> > commit 67a3156453859ceb40dc4448b7a6a99ea0ad27c7
> > Author: Rob Herring <robh@...nel.org>
> > Date: Thu May 27 19:45:47 2021 +0000
> >
> > of: Merge of_address_to_resource() and
> > of_pci_address_to_resource() implementations
> >
> > bisection log:
> > https://syzkaller.appspot.com/x/bisect.txt?x=129b0438300000 final
> > oops:
> > https://syzkaller.appspot.com/x/report.txt?x=119b0438300000 console
> > output: https://syzkaller.appspot.com/x/log.txt?x=169b0438300000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the
> > commit: Reported-by:
> > syzbot+e6741b97d5552f97c24d@...kaller.appspotmail.com Fixes:
> > 67a315645385 ("of: Merge of_address_to_resource() and
> > of_pci_address_to_resource() implementations")
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90
> > net/tipc/socket.c:1979 Read of size 4 at addr ffff8880328cf1c0 by
> > task kworker/u4:0/8
> >
>
> Since code accesing skb_cb after possible kfree_skb() call let's just
> store bytes_read to variable and use it instead of acessing
> skb_cb->bytes_read
>
> #syz test
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> master
>
>
Oops... The buggy code is in -next tree.
#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
With regards,
Pavel Skripkin
View attachment "0001-tipc-fix-use-after-free-in-tipc_recvmsg.patch" of type "text/x-patch" (1232 bytes)
Powered by blists - more mailing lists