diff for duplicates of <20161104130307.GI8514@localhost.localdomain>
diff --git a/a/1.txt b/N1/1.txt
index b8410b7..d622897 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -12,7 +12,7 @@ On Fri, Nov 04, 2016 at 08:59:58AM -0400, Neil Horman wrote:
 > > > >> >>>
 > > > >> >>> I've got the following error report while running the syzkaller fuzzer:
 > > > >> >>>
-> > > >> >>> =================================
+> > > >> >>> ==================================================================
 > > > >> >>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr
 > > > >> >>> ffff88006b1dc610
 > > > >> >>
@@ -31,7 +31,7 @@ On Fri, Nov 04, 2016 at 08:59:58AM -0400, Neil Horman wrote:
 > > > >> setsockopt() calls sctp_wait_for_connect(), which exits the for loop
 > > > >> on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc
 > > > >> with sctp_association_put() and returns err = 0.
-> > > >> Then __sctp_connect() checks that err = 0 and reads asoc->assoc_id
+> > > >> Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id
 > > > >> from the freed asoc.
 > > > >
 > > > > Suddenly this seems familiar. Your description makes sense, thanks for
@@ -64,7 +64,7 @@ On Fri, Nov 04, 2016 at 08:59:58AM -0400, Neil Horman wrote:
 > > timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
 > >
 > > - err = sctp_wait_for_connect(asoc, &timeo);
-> > - if ((err = 0 || err = -EINPROGRESS) && assoc_id)
+> > - if ((err == 0 || err == -EINPROGRESS) && assoc_id)
 > > + if (assoc_id)
 > > *assoc_id = asoc->assoc_id;
 > > + err = sctp_wait_for_connect(asoc, &timeo);
diff --git a/a/content_digest b/N1/content_digest
index 76184c6..35f99eb 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -8,7 +8,7 @@
 "ref\020161104125958.GA13691@hmsreliant.think-freely.org\0"
 "From\0Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>\0"
 "Subject\0Re: net/sctp: use-after-free in __sctp_connect\0"
- "Date\0Fri, 04 Nov 2016 13:03:07 +0000\0"
+ "Date\0Fri, 4 Nov 2016 11:03:07 -0200\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0Andrey Konovalov <andreyknvl@google.com>"
 Vlad Yasevich <vyasevich@gmail.com>
@@ -37,7 +37,7 @@
 "> > > >> >>>\n"
 "> > > >> >>> I've got the following error report while running the syzkaller fuzzer:\n"
 "> > > >> >>>\n"
- "> > > >> >>> =================================\n"
+ "> > > >> >>> ==================================================================\n"
 "> > > >> >>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr\n"
 "> > > >> >>> ffff88006b1dc610\n"
 "> > > >> >>\n"
@@ -56,7 +56,7 @@
 "> > > >> setsockopt() calls sctp_wait_for_connect(), which exits the for loop\n"
 "> > > >> on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc\n"
 "> > > >> with sctp_association_put() and returns err = 0.\n"
- "> > > >> Then __sctp_connect() checks that err = 0 and reads asoc->assoc_id\n"
+ "> > > >> Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id\n"
 "> > > >> from the freed asoc.\n"
 "> > > >\n"
 "> > > > Suddenly this seems familiar. Your description makes sense, thanks for\n"
@@ -89,7 +89,7 @@
 "> > \ttimeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);\n"
 "> > \n"
 "> > -\terr = sctp_wait_for_connect(asoc, &timeo);\n"
- "> > -\tif ((err = 0 || err = -EINPROGRESS) && assoc_id)\n"
+ "> > -\tif ((err == 0 || err == -EINPROGRESS) && assoc_id)\n"
 "> > +\tif (assoc_id)\n"
 "> > \t\t*assoc_id = asoc->assoc_id;\n"
 "> > +\terr = sctp_wait_for_connect(asoc, &timeo);\n"
@@ -111,4 +111,4 @@
 "Thanks,\n"
 Marcelo
-ee2e3eb99b1b4741590e3c6acfcf5f1fd0d9ce5388313ae1117e933aa9b7aef1
+31e1edb0c150730db0f5670c6ac0e9d8fc834c401c1364d9d53a6b3a26f5d9b6