lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250903110738.72440-1-takamitz@amazon.co.jp>
Date: Wed, 3 Sep 2025 20:07:38 +0900
From: Takamitsu Iwai <takamitz@...zon.co.jp>
To: <f6bvp@...e.fr>
CC: <bernard.pidoux@...e.fr>, <edumazet@...gle.com>,
	<linux-hams@...r.kernel.org>, <netdev@...r.kernel.org>,
	<takamitz@...zon.co.jp>
Subject: Re: Re: [BUG] [ROSE] slab-use-after-free in lock_timer_base


Thank you for your reach out, and I'm sorry for the inconvenience
caused by my patch.

I have confirmed that the syzbot report outputs following error.

> ODEBUG: free active (active state 0) object: ffff88804fb25890 object
> type: timer_list hint: rose_t0timer_expiry+0x0/0x150

It seems neigh->t0timer is removed at rose_timer_expiry() when refcount
of rose_neigh becomes 0 even if neigh->t0timer is still alive.

> rose_neigh_put include/net/rose.h:166 [inline]
> rose_timer_expiry+0x53f/0x630 net/rose/rose_timer.c:183

I guess the error you show in this thread is also related to this issue
because the UAF occurs at deleting the timer in rose_remove_neigh().

> [50355.077644] timer_delete_sync (kernel/time/timer.c:1676)
> [50355.077653] rose_remove_neigh (net/rose/rose_route.c:237) rose

I'm not confident, but the aid I can think of now is to increment the
refcount of rose_neigh before setting t0timer or stop t0timer before
freeing at rose_timer_expiry().

Currently, rose_t0timer_expiry() is set to neigh->t0timer at
rose_start_t0timer(), and it is called in rose_transmit_link() firstly.
It seems that refcount is not incremented this paths.

I'm investigating the code paths where we need to increment refcount
exactly, but I'm sorry I'm struggling for tracing the reference count
around timer precisely.

If you have a reproducing steps which can be done in a virtual
environment, I'll try it out too.



Sincerely,
Takamitsu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ