From: Dan Carpenter <dan.carpenter@oracle.com>
To: syzbot <syzbot+3967c1caf256f4d5aefe@syzkaller.appspotmail.com>
Cc: gerrit@erg.abdn.ac.uk, alsa-devel@alsa-project.org,
dccp@vger.kernel.org, tiwai@suse.de, netdev@vger.kernel.org,
tiwai@suse.com, syzkaller-bugs@googlegroups.com,
linux-kernel@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
davem@davemloft.net
Subject: Re: [alsa-devel] KASAN: use-after-free Read in ccid_hc_tx_delete
Date: Tue, 21 Jan 2020 18:39:04 +0300 [thread overview]
Message-ID: <20200121153904.GA9856@kadam> (raw)
In-Reply-To: <20191121201433.GD617@kadam>
On Thu, Nov 21, 2019 at 11:14:33PM +0300, Dan Carpenter wrote:
> On Thu, Nov 21, 2019 at 07:00:00AM -0800, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit f04684b4d85d6371126f476d3268ebf6a0bd57cf
> > Author: Dan Carpenter <dan.carpenter@oracle.com>
> > Date: Thu Jun 21 08:07:21 2018 +0000
> >
> > ALSA: lx6464es: Missing error code in snd_lx6464es_create()
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10dd11cae00000
> > start commit: eb6cf9f8 Merge tag 'arm64-fixes' of git://git.kernel.org/p..
> > git tree: upstream
> > final crash: https://syzkaller.appspot.com/x/report.txt?x=12dd11cae00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=14dd11cae00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=c8970c89a0efbb23
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3967c1caf256f4d5aefe
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11022ccd400000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124581db400000
> >
> > Reported-by: syzbot+3967c1caf256f4d5aefe@syzkaller.appspotmail.com
> > Fixes: f04684b4d85d ("ALSA: lx6464es: Missing error code in
> > snd_lx6464es_create()")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> This crash isn't related to my commit, it seems something specific to
> DCCP.
>
> My guess is that the fix is probably something like this. The old sk
> and the new sk re-use the same newdp->dccps_hc_rx/tx_ccid pointers.
> The first sk destructor frees it and that causes a use after free when
> the second destructor tries to free it.
>
> But I don't know DCCP code at all so I might be totally off and I
> haven't tested this at all... It was just easier to write a patch than
> to try to explain in words. Maybe we should clone the ccid instead of
> setting it to NULL. Or I might be completely wrong.
>
> ---
> net/dccp/minisocks.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
> index 25187528c308..4cbfcccbbbbb 100644
> --- a/net/dccp/minisocks.c
> +++ b/net/dccp/minisocks.c
> @@ -98,6 +98,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
> newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
> newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
> newicsk->icsk_rto = DCCP_TIMEOUT_INIT;
> + newdp->dccps_hc_rx_ccid = NULL;
> + newdp->dccps_hc_tx_ccid = NULL;
>
> INIT_LIST_HEAD(&newdp->dccps_featneg);
> /*
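Review bot: clearing newdp->dccps_hc_rx_ccid and newdp->dccps_hc_tx_ccid here removes the child's only references to the listener's CCID objects, and nothing in this hunk allocates replacements, so the child socket is left with no congestion-control state unless a later step creates its own; the "clone the ccid" alternative the mail mentions would avoid that. Whichever approach is taken, add a comment above the two assignments stating that the listener keeps ownership of the pointers copied into newdp and the child must not release them, and, since the patch is untested, run the syzbot C reproducer against it under KASAN before sending.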
Could someone take a look at this? It seems like a pretty serious bug
but DCCP is not very actively maintained and a lot of distributions
disable it.
regards,
dan carpenter
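The ownership problem the mail describes, as an added illustration that is not part of the thread or the kernel source: a listener's state is copied into a child, the copy carries the same two heap pointers, and each destructor releases them in turn. The struct and function names (model_sock, ccid_alloc, run_scenario and so on) are hypothetical stand-ins for struct dccp_sock and the ccid_hc_rx/tx_delete() path, and a small fixed pool replaces the slab so the second release is counted rather than reported by KASAN.

```c
#include <stdio.h>
/* Hypothetical model, not kernel code: a fixed pool stands in for the slab so
 * a second release of one object is counted instead of reported by KASAN. */
#define POOL_SIZE 8

struct ccid {
    int id;      /* congestion-control id carried by the object */
    int in_use;  /* 1 while allocated; a release while 0 is a double free */
};

/* Stands in for dccps_hc_rx_ccid / dccps_hc_tx_ccid in struct dccp_sock. */
struct model_sock {
    struct ccid *hc_rx_ccid;
    struct ccid *hc_tx_ccid;
};

static struct ccid pool[POOL_SIZE];
static int live_ccids;       /* objects currently allocated */
static int double_releases;  /* releases of an already-freed object */

static struct ccid *ccid_alloc(int id)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use)
            continue;
        pool[i].in_use = 1;
        pool[i].id = id;
        live_ccids++;
        return &pool[i];
    }
    return NULL;
}

/* Like ccid_hc_rx/tx_delete(): NULL is a no-op; an already-free object is the bug. */
static void ccid_release(struct ccid *c)
{
    if (c == NULL)
        return;
    if (!c->in_use) {
        double_releases++;
        return;
    }
    c->in_use = 0;
    live_ccids--;
}

/* Buggy: a structure copy duplicates the pointers, so the listener and the
 * child both believe they own the same two objects. */
static void sock_clone_shallow(const struct model_sock *parent,
                               struct model_sock *child)
{
    *child = *parent;
}

/* Fixed: copy, then replace the inherited pointers with objects of the
 * child's own (the "clone the ccid" alternative the mail mentions). */
static void sock_clone_owned(const struct model_sock *parent,
                             struct model_sock *child)
{
    *child = *parent;
    child->hc_rx_ccid = parent->hc_rx_ccid ? ccid_alloc(parent->hc_rx_ccid->id) : NULL;
    child->hc_tx_ccid = parent->hc_tx_ccid ? ccid_alloc(parent->hc_tx_ccid->id) : NULL;
}

/* The destructor releases both half-connection objects. */
static void sock_destroy(struct model_sock *sk)
{
    ccid_release(sk->hc_rx_ccid);
    ccid_release(sk->hc_tx_ccid);
    sk->hc_rx_ccid = sk->hc_tx_ccid = NULL;
}

/* Listener -> clone -> destroy child -> destroy listener; returns how many
 * double releases occurred: 2 with the shallow copy, 0 with owned copies. */
int run_scenario(int shallow)
{
    struct model_sock listener, child;
    for (int i = 0; i < POOL_SIZE; i++)
        pool[i].in_use = 0;
    live_ccids = double_releases = 0;
    listener.hc_rx_ccid = ccid_alloc(2);
    listener.hc_tx_ccid = ccid_alloc(3);
    if (shallow)
        sock_clone_shallow(&listener, &child);
    else
        sock_clone_owned(&listener, &child);
    sock_destroy(&child);     /* first destructor frees the objects */
    sock_destroy(&listener);  /* second destructor hits them again */
    return double_releases;
}

int ccids_still_live(void) { return live_ccids; }  /* 0 means nothing leaked */

int main(void)
{
    printf("shallow copy: %d double release(s)\n", run_scenario(1));
    int fixed = run_scenario(0);
    printf("owned copy: %d double release(s), %d live\n", fixed, ccids_still_live());
    return 0;
}
```

The shallow variant is what a whole-structure copy of the parent socket produces when the copied fields include owning pointers; the owned variant shows why the child needs either NULL pointers (as in the patch) or freshly allocated objects before its destructor can safely run.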
Thread overview: 13+ messages
2018-08-27 17:10 KASAN: use-after-free Read in ccid_hc_tx_delete syzbot
2019-11-21 15:00 ` syzbot
2019-11-21 20:14 ` Dan Carpenter
2020-01-21 15:39 ` Dan Carpenter [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-12-14 21:58 syzbot