From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <edumazet@google.com>
Cc: xingwei lee <xrivendell7@gmail.com>,
Florian Westphal <fw@strlen.de>,
pabeni@redhat.com, davem@davemloft.net, kuba@kernel.org,
linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, ralf@linux-mips.org,
syzkaller-bugs@googlegroups.com, samsun1006219@gmail.com
Subject: Re: KASAN: slab-use-after-free Read in ip_finish_output
Date: Wed, 6 Mar 2024 11:36:32 +0100
Message-ID: <20240306103632.GC4420@breakpoint.cc>
In-Reply-To: <CANn89i+qLwyPLztPt6Mavjimyv0H_UihVVNfJXWLjcwrqOudTw@mail.gmail.com>
Eric Dumazet <edumazet@google.com> wrote:
> On Wed, Mar 6, 2024 at 11:00 AM xingwei lee <xrivendell7@gmail.com> wrote:
> >
> > Hello, I found a new bug titled "KASAN: slab-use-after-free Read in
> > ip_finish_output" or "KASAN: slab-use-after-free in sk_to_full_sk" and
> > confirmed it in the latest net and net-next branch. After my simple
> > analysis, it may be related to the net/rose or AF_PACKET/PF_PACKET
> > socket.
>
> I already had a syzbot report for this issue, thanks.
>
> Adding Florian to the discussion.
> The issue is caused by the ip defrag layer, which calls skb_orphan().
> These were my notes, I had little time to work on it so far.
> Calling ip_defrag() in output path is also implying skb_orphan(),
> which is buggy because output path relies on sk not disappearing.
Ugh. Thanks for your annotations and notes, this is very helpful.
ipvlan (and two spots in ip_output.c) do:
err = ip_local_out(net, skb->sk, skb);
so skb->sk gets propagated down to __ip_finish_output(), long
after conntrack defrag has called skb_orphan().
No idea yet how to fix it,
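The hazard Eric and Florian describe, as a constructed toy model added here (not kernel code and not part of the thread): `struct sock`, `struct sk_buff`, `skb_set_owner`, `sock_put`, `skb_orphan` and `ip_local_out_model` are simplified stand-ins for the kernel's reference counting, and `run()` sets up the socket with a given number of other references before the output path runs.

```c
#include <stddef.h>

/* Minimal stand-ins for struct sock and struct sk_buff (constructed model). */
struct sock { int refcnt; int alive; };
struct sk_buff { struct sock *sk; };

/* Model of skb_set_owner_w(): the skb pins the socket with one reference. */
static void skb_set_owner(struct sk_buff *skb, struct sock *sk)
{
    skb->sk = sk;
    sk->refcnt++;
}

/* Model of sock_put(): dropping the last reference frees the socket. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->alive = 0;
}

/* Model of skb_orphan(): release the skb's reference and clear skb->sk. */
static void skb_orphan(struct sk_buff *skb)
{
    if (skb->sk) {
        sock_put(skb->sk);
        skb->sk = NULL;
    }
}

/* Model of ip_local_out(net, skb->sk, skb): sk was copied out of the skb
 * by the caller, so a defrag-triggered skb_orphan() cannot invalidate that
 * copy even though the skb no longer holds a reference on the socket. */
static int ip_local_out_model(struct sock *sk, struct sk_buff *skb, int defrag)
{
    if (defrag)
        skb_orphan(skb);  /* conntrack defrag on the output path */
    /* __ip_finish_output() later uses sk; -1 models the use-after-free */
    return sk->alive ? 0 : -1;
}

/* other_refs: references on the socket besides the one held by the skb. */
static int run(int defrag, int other_refs)
{
    struct sock sk = { other_refs, 1 };
    struct sk_buff skb = { NULL };

    skb_set_owner(&skb, &sk);
    return ip_local_out_model(skb.sk, &skb, defrag);
}
```

With no other references on the socket, the defrag path is the only case that returns -1, which is the combination the KASAN report corresponds to in this model.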