Message-ID: <fae17c21-4940-5605-85b2-1d5e17342358@huawei.com>
Date: Fri, 23 Jan 2026 17:41:49 +0800
From: Chen Zhen <chenzhen126@...wei.com>
To: <jv@...sburgh.net>, <andrew+netdev@...n.ch>, <davem@...emloft.net>,
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, <pabeni@...hat.com>
CC: <netdev@...r.kernel.org>, <huyizhen2@...wei.com>
Subject: [BUG] KASAN: slab-use-after-free in bond_3ad_xor_xmit

Hi all,

We found a UAF in bond_3ad_xor_xmit() with a syzkaller test on stable 6.6:
==================================================================
BUG: KASAN: slab-use-after-free in bond_3ad_xor_xmit+0x104/0x2f0 drivers/net/bonding/bond_main.c:5340
Read of size 8 at addr ffff0000c267e000 by task syz-executor/1084

CPU: 3 PID: 1084 Comm: syz-executor Not tainted 6.6.0-72.qmp_cmd_name: qmp_capabilities, arguments: {}
Call trace:
 dump_backtrace+0x12c/0x220 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x34/0x50 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x80/0x118 lib/dump_stack.c:106
 print_address_description.constprop.0+0x84/0x3b8 mm/kasan/report.c:364
 print_report+0xb0/0x280 mm/kasan/report.c:468
 kasan_report+0x7c/0xc8 mm/kasan/report.c:581
 check_region_inline mm/kasan/generic.c:181 [inline]
 __asan_load8+0x9c/0xc0 mm/kasan/generic.c:260
 bond_3ad_xor_xmit+0x104/0x2f0 drivers/net/bonding/bond_main.c:5340
 __bond_start_xmit+0x1c0/0x430 drivers/net/bonding/bond_main.c:5629
 bond_start_xmit+0x8c/0x178 drivers/net/bonding/bond_main.c:5657
 __netdev_start_xmit include/linux/netdevice.h:4995 [inline]
 netdev_start_xmit include/linux/netdevice.h:5009 [inline]
 xmit_one.constprop.0+0xbc/0x250 net/core/dev.c:3623
 dev_hard_start_xmit+0x9c/0x110 net/core/dev.c:3639
 __dev_queue_xmit+0x183c/0x2248 net/core/dev.c:4435
 dev_queue_xmit include/linux/netdevice.h:3155 [inline]
 tipc_l2_send_msg+0x12c/0x1c0 net/tipc/bearer.c:516
 tipc_bearer_xmit_skb+0x15c/0x218 net/tipc/bearer.c:575
 tipc_disc_timeout+0x41c/0x528 net/tipc/discover.c:338
 call_timer_fn+0x50/0x260 kernel/time/timer.c:1701
 expire_timers+0x23c/0x408 kernel/time/timer.c:1752
 __run_timers kernel/time/timer.c:2023 [inline]
 run_timer_softirq+0x2ac/0x700 kernel/time/timer.c:2036
 handle_softirqs+0x198/0x4e8 kernel/softirq.c:578
 __do_softirq+0x1c/0x28 kernel/softirq.c:612
 ____do_softirq+0x1c/0x30 arch/arm64/kernel/irq.c:81
 ...

Allocated by task 3544:
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:45
 kasan_set_track+0x2c/0x40 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x38 mm/kasan/generic.c:511
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xb8/0xc0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:201 [inline]
 kmalloc_trace+0x60/0x100 mm/slab_common.c:1055
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 bond_alloc_slave drivers/net/bonding/bond_main.c:1800 [inline]
 bond_enslave+0x2e8/0x2c60 drivers/net/bonding/bond_main.c:2060
 do_set_master+0x134/0x170 net/core/rtnetlink.c:2730
 rtnl_newlink_create+0x4f4/0x660 net/core/rtnetlink.c:3558
 __rtnl_newlink+0x994/0x9e8 net/core/rtnetlink.c:3761
 rtnl_newlink+0x6c/0xa8 net/core/rtnetlink.c:3774
 rtnetlink_rcv_msg+0x4b4/0x658 net/core/rtnetlink.c:6531
 netlink_rcv_skb+0x100/0x2d0 net/netlink/af_netlink.c:2545
 rtnetlink_rcv+0x30/0x48 net/core/rtnetlink.c:6549
 netlink_unicast_kernel+0x10c/0x270 net/netlink/af_netlink.c:1320
 netlink_unicast+0x378/0x490 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x468/0x8d0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:735 [inline]
 __sock_sendmsg net/socket.c:750 [inline]
 __sock_sendmsg+0x90/0x118 net/socket.c:745
 ____sys_sendmsg+0x550/0x670 net/socket.c:2611
 ___sys_sendmsg+0x12c/0x1c8 net/socket.c:2665
 __sys_sendmsg+0xfc/0x1a8 net/socket.c:2694
 __do_sys_sendmsg net/socket.c:2703 [inline]
 __se_sys_sendmsg net/socket.c:2701 [inline]
 __arm64_sys_sendmsg+0x58/0x78 net/socket.c:2701
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x80/0x208 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x19c/0x1e8 arch/arm64/kernel/syscall.c:134
 do_el0_svc+0x3c/0x58 arch/arm64/kernel/syscall.c:176
 el0_svc+0x44/0x200 arch/arm64/kernel/entry-common.c:829
 el0t_64_sync_handler+0x100/0x130 arch/arm64/kernel/entry-common.c:869
 el0t_64_sync+0x3c8/0x3d0 arch/arm64/kernel/entry.S:757

Freed by task 3544:
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:45
 kasan_set_track+0x2c/0x40 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x60 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 __kasan_slab_free+0xe8/0x180 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:167 [inline]
 slab_free_hook mm/slub.c:1835 [inline]
 slab_free_freelist_hook mm/slub.c:1861 [inline]
 slab_free mm/slub.c:3838 [inline]
 __kmem_cache_free+0x14c/0x390 mm/slub.c:3851
 kfree+0x74/0x130 mm/slab_common.c:1008
 slave_kobj_release+0x68/0xb8 drivers/net/bonding/bond_main.c:1773
 kobject_cleanup+0xac/0x278 lib/kobject.c:689
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x108/0x190 lib/kobject.c:737
 bond_enslave+0x1214/0x2c60 drivers/net/bonding/bond_main.c:2440
 do_set_master+0x134/0x170 net/core/rtnetlink.c:2730
 rtnl_newlink_create+0x4f4/0x660 net/core/rtnetlink.c:3558
 __rtnl_newlink+0x994/0x9e8 net/core/rtnetlink.c:3761
 rtnl_newlink+0x6c/0xa8 net/core/rtnetlink.c:3774
 rtnetlink_rcv_msg+0x4b4/0x658 net/core/rtnetlink.c:6531
 netlink_rcv_skb+0x100/0x2d0 net/netlink/af_netlink.c:2545
 rtnetlink_rcv+0x30/0x48 net/core/rtnetlink.c:6549
 netlink_unicast_kernel+0x10c/0x270 net/netlink/af_netlink.c:1320
 netlink_unicast+0x378/0x490 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x468/0x8d0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:735 [inline]
 __sock_sendmsg net/socket.c:750 [inline]
 __sock_sendmsg+0x90/0x118 net/socket.c:745
 ____sys_sendmsg+0x550/0x670 net/socket.c:2611
 ___sys_sendmsg+0x12c/0x1c8 net/socket.c:2665
 __sys_sendmsg+0xfc/0x1a8 net/socket.c:2694
 __do_sys_sendmsg net/socket.c:2703 [inline]
 __se_sys_sendmsg net/socket.c:2701 [inline]
 __arm64_sys_sendmsg+0x58/0x78 net/socket.c:2701
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x80/0x208 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x19c/0x1e8 arch/arm64/kernel/syscall.c:134
 do_el0_svc+0x3c/0x58 arch/arm64/kernel/syscall.c:176
 el0_svc+0x44/0x200 arch/arm64/kernel/entry-common.c:829
 el0t_64_sync_handler+0x100/0x130 arch/arm64/kernel/entry-common.c:869
 el0t_64_sync+0x3c8/0x3d0 arch/arm64/kernel/entry.S:757
==================================================================
It seems that the bug occurs when:
1) An XDP-related failure is triggered in bond_enslave() after
bond_update_slave_arr()
2) The code jumps to the err_sysfs_del label and the slave is freed
3) Concurrently, network traffic triggers bond_3ad_xor_xmit(), which
accesses the freed slave.

Any confirmation of the bug or guidance on its fix will be greatly
appreciated, and we are very willing to assist with subsequent testing
and validation.

Best regards,
Chen Zhen
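The ordering the report describes (slave published into the transmit array, then released on a late error path while the array still references it) is easiest to see in a small userspace model. The following is an added example, not code from the report or from the bonding driver: the struct names, update_slave_arr(), xor_xmit() and enslave() are constructed stand-ins for the kernel functions named in the trace, and "released" is a bookkeeping flag rather than a real kfree(), so the dangling reference can be detected without touching freed memory. The "fixed" ordering shown here is only the general remedy for this pattern (unpublish before release), not the driver's actual patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SLAVES 4

/* Constructed model types (hypothetical, not the driver's struct slave/bond). */
struct slave {
    int id;
    bool released;   /* models the slave having been freed */
};

struct bond {
    struct slave *slaves[MAX_SLAVES];   /* enslaved devices */
    size_t nslaves;
    struct slave *usable[MAX_SLAVES];   /* published transmit array */
    size_t nusable;
};

static struct slave *slave_alloc(int id)
{
    struct slave *s = calloc(1, sizeof(*s));
    if (s)
        s->id = id;
    return s;
}

/* Stand-in for bond_update_slave_arr(): rebuild the transmit array from the
 * current slave list; a slave not in the list is no longer reachable from xmit. */
static void update_slave_arr(struct bond *bond)
{
    bond->nusable = 0;
    for (size_t i = 0; i < bond->nslaves; i++)
        bond->usable[bond->nusable++] = bond->slaves[i];
}

static void list_add(struct bond *bond, struct slave *s)
{
    bond->slaves[bond->nslaves++] = s;
}

static void list_del(struct bond *bond, struct slave *s)
{
    size_t j = 0;
    for (size_t i = 0; i < bond->nslaves; i++)
        if (bond->slaves[i] != s)
            bond->slaves[j++] = bond->slaves[i];
    bond->nslaves = j;
}

/* Stand-in for the transmit path: pick an entry from the published array.
 * Returns the slave id, -1 if that entry was already released (the dangling
 * reference KASAN flagged), or -2 if the array is empty. */
static int xor_xmit(const struct bond *bond, unsigned int hash)
{
    if (bond->nusable == 0)
        return -2;
    const struct slave *s = bond->usable[hash % bond->nusable];
    return s->released ? -1 : s->id;
}

/* Enslave with an optional late failure after the slave has been published.
 * Buggy ordering: release while the array still points at the slave.
 * Fixed ordering: rebuild the array first, then release. */
static int enslave(struct bond *bond, struct slave *s, bool late_failure,
                   bool rebuild_before_release)
{
    list_add(bond, s);
    update_slave_arr(bond);            /* slave is now visible to xmit */
    if (!late_failure)
        return 0;

    /* error path, modelled on the report's step 2 */
    list_del(bond, s);
    if (rebuild_before_release)
        update_slave_arr(bond);        /* xmit can no longer reach s */
    s->released = true;                /* models the final kobject_put -> kfree */
    return -1;
}

/* One successful enslave, then one that fails late; xmit with a hash that
 * lands on the second array entry if it is still published. */
static int demo(bool rebuild_before_release)
{
    struct bond bond = {0};
    struct slave *s0 = slave_alloc(0), *s1 = slave_alloc(1);
    int rc;

    enslave(&bond, s0, false, rebuild_before_release);
    enslave(&bond, s1, true, rebuild_before_release);
    rc = xor_xmit(&bond, 1);
    free(s0);
    free(s1);
    return rc;
}

int main(void)
{
    printf("buggy ordering: xmit -> %d (-1 = dangling)\n", demo(false));
    printf("fixed ordering: xmit -> %d (id of surviving slave)\n", demo(true));
    return 0;
}
```

demo(false) returns -1 because the transmit array still holds the released slave; demo(true) returns 0 because the array was rebuilt before the release and only slave 0 remains selectable. The same invariant is what a reviewer would check on any error path in a driver that publishes objects to a lockless reader: every label past the publish point must unpublish (and, in the kernel, wait out readers) before the object is freed.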
