Message-ID: <26e1fe2c-d067-4d4d-81ad-742fd2789dcc@blackwall.org>
Date: Fri, 23 Jan 2026 13:59:14 +0200
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Chen Zhen <chenzhen126@...wei.com>, jv@...sburgh.net,
 andrew+netdev@...n.ch, davem@...emloft.net, edumazet@...gle.com,
 Jakub Kicinski <kuba@...nel.org>, pabeni@...hat.com
Cc: netdev@...r.kernel.org, huyizhen2@...wei.com
Subject: Re: [BUG] KASAN: slab-use-after-free in bond_3ad_xor_xmit

On 23/01/2026 11:41, Chen Zhen wrote:
> Hi all,
> 
> We found a UAF in bond_3ad_xor_xmit() with syzkaller test on stable 6.6:
> ==================================================================
> BUG: KASAN: slab-use-after-free in bond_3ad_xor_xmit+0x104/0x2f0 drivers/net/bonding/bond_main.c:5340
> Read of size 8 at addr ffff0000c267e000 by task syz-executor/1084
> 
> CPU: 3 PID: 1084 Comm: syz-executor Not tainted 6.6.0-72.qmp_cmd_name: qmp_capabilities, arguments: {}
> Call trace:
>   dump_backtrace+0x12c/0x220 arch/arm64/kernel/stacktrace.c:233
>   show_stack+0x34/0x50 arch/arm64/kernel/stacktrace.c:240
>   __dump_stack lib/dump_stack.c:88 [inline]
>   dump_stack_lvl+0x80/0x118 lib/dump_stack.c:106
>   print_address_description.constprop.0+0x84/0x3b8 mm/kasan/report.c:364
>   print_report+0xb0/0x280 mm/kasan/report.c:468
>   kasan_report+0x7c/0xc8 mm/kasan/report.c:581
>   check_region_inline mm/kasan/generic.c:181 [inline]
>   __asan_load8+0x9c/0xc0 mm/kasan/generic.c:260
>   bond_3ad_xor_xmit+0x104/0x2f0 drivers/net/bonding/bond_main.c:5340
[snip]

Hi,
I saw the problem and have prepared and tested a fix that I'll send in a minute.
In the future, please reproduce these bugs with the latest kernels; 6.6 is old.
I'd appreciate it if you can also test it.

Thanks,
  Nik



