[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20250903110738.72440-1-takamitz@amazon.co.jp>
Date: Wed, 3 Sep 2025 20:07:38 +0900
From: Takamitsu Iwai <takamitz@...zon.co.jp>
To: <f6bvp@...e.fr>
CC: <bernard.pidoux@...e.fr>, <edumazet@...gle.com>,
<linux-hams@...r.kernel.org>, <netdev@...r.kernel.org>,
<takamitz@...zon.co.jp>
Subject: Re: Re: [BUG] [ROSE] slab-use-after-free in lock_timer_base
Thank you for your reach out, and I'm sorry for the inconvenience
caused by my patch.
I have confirmed that the syzbot report outputs following error.
> ODEBUG: free active (active state 0) object: ffff88804fb25890 object
> type: timer_list hint: rose_t0timer_expiry+0x0/0x150
It seems neigh->t0timer is removed at rose_timer_expiry() when refcount
of rose_neigh becomes 0 even if neigh->t0timer is still alive.
> rose_neigh_put include/net/rose.h:166 [inline]
> rose_timer_expiry+0x53f/0x630 net/rose/rose_timer.c:183
I guess the error you show in this thread is also related to this issue
because the UAF occurs at deleting the timer in rose_remove_neigh().
> [50355.077644] timer_delete_sync (kernel/time/timer.c:1676)
> [50355.077653] rose_remove_neigh (net/rose/rose_route.c:237) rose
I'm not confident, but the aid I can think of now is to increment the
refcount of rose_neigh before setting t0timer or stop t0timer before
freeing at rose_timer_expiry().
Currently, rose_t0timer_expiry() is set to neigh->t0timer at
rose_start_t0timer(), and it is called in rose_transmit_link() firstly.
It seems that refcount is not incremented this paths.
I'm investigating the code paths where we need to increment refcount
exactly, but I'm sorry I'm struggling for tracing the reference count
around timer precisely.
If you have a reproducing steps which can be done in a virtual
environment, I'll try it out too.
Sincerely,
Takamitsu
Powered by blists - more mailing lists