netdev.vger.kernel.org archive mirror
From: Dan Carpenter <dan.carpenter@oracle.com>
To: syzbot <syzbot+3967c1caf256f4d5aefe@syzkaller.appspotmail.com>
Cc: alsa-devel@alsa-project.org, davem@davemloft.net,
	dccp@vger.kernel.org, gerrit@erg.abdn.ac.uk,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	perex@perex.cz, syzkaller-bugs@googlegroups.com, tiwai@suse.com,
	tiwai@suse.de, Eric Dumazet <edumazet@google.com>
Subject: Re: KASAN: use-after-free Read in ccid_hc_tx_delete
Date: Thu, 21 Nov 2019 23:14:34 +0300	[thread overview]
Message-ID: <20191121201433.GD617@kadam> (raw)
In-Reply-To: <0000000000002c243a0597dc8d9d@google.com>

On Thu, Nov 21, 2019 at 07:00:00AM -0800, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit f04684b4d85d6371126f476d3268ebf6a0bd57cf
> Author: Dan Carpenter <dan.carpenter@oracle.com>
> Date:   Thu Jun 21 08:07:21 2018 +0000
> 
>     ALSA: lx6464es: Missing error code in snd_lx6464es_create()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10dd11cae00000
> start commit:   eb6cf9f8 Merge tag 'arm64-fixes' of git://git.kernel.org/p..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=12dd11cae00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=14dd11cae00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c8970c89a0efbb23
> dashboard link: https://syzkaller.appspot.com/bug?extid=3967c1caf256f4d5aefe
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11022ccd400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124581db400000
> 
> Reported-by: syzbot+3967c1caf256f4d5aefe@syzkaller.appspotmail.com
> Fixes: f04684b4d85d ("ALSA: lx6464es: Missing error code in
> snd_lx6464es_create()")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

This crash isn't related to my commit; it seems to be something specific to
DCCP.

My guess is that the fix is probably something like this.  The old sk
and the new sk re-use the same newdp->dccps_hc_rx/tx_ccid pointers.
The first sk destructor frees it and that causes a use after free when
the second destructor tries to free it.

But I don't know DCCP code at all so I might be totally off and I
haven't tested this at all...  It was just easier to write a patch than
to try to explain in words.  Maybe we should clone the ccid instead of
setting it to NULL.  Or I might be completely wrong.

---
 net/dccp/minisocks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 25187528c308..4cbfcccbbbbb 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -98,6 +98,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
 		newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
 		newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
 		newicsk->icsk_rto	    = DCCP_TIMEOUT_INIT;
+		newdp->dccps_hc_rx_ccid     = NULL;
+		newdp->dccps_hc_tx_ccid     = NULL;
 
 		INIT_LIST_HEAD(&newdp->dccps_featneg);
 		/*
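Review bot: clearing the inherited pointers at `+		newdp->dccps_hc_rx_ccid     = NULL;` and `+		newdp->dccps_hc_tx_ccid     = NULL;` only removes the double free if the child socket later allocates CCIDs of its own; otherwise the use-after-free turns into a child with no congestion control state, or a NULL dereference in the first CCID callback. The hunk should be paired with a check of where newdp's CCIDs are set up, and a short comment at this spot saying that the pointers copied from the parent by the clone are not owned by newdp and are therefore dropped. The covering mail also states the patch is untested and raises cloning the CCIDs as the alternative; settling which of the two is correct matters more than the two lines themselves.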
-- 
2.11.0
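The ownership problem described in the mail, as an added model that is not the kernel's code and not part of the original thread: a toy socket owns a heap CCID object, a plain struct copy of the socket duplicates the pointer, and the two destructors then free the same object. A small registry of live objects stands in for KASAN so the second free is counted rather than corrupting the allocator. The struct names, the single `tx_ccid` field and the sample values are constructed for the example; which of the two clone strategies is right for the real `dccp_create_openreq_child` depends on where the kernel allocates the child's CCIDs, which this model does not settle.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Toy stand-in for a CCID: a heap object that exactly one socket should own. */
struct ccid { int id; };

/* Toy socket with the one field that matters here; the kernel's newdp has
 * both dccps_hc_rx_ccid and dccps_hc_tx_ccid, which behave the same way. */
struct sock {
	int port;
	struct ccid *tx_ccid;
};

/* Registry of live CCID objects: stands in for KASAN's view of the heap so a
 * second free of the same object is counted instead of crashing. */
static struct ccid *live[MAX_LIVE];
static int bad_frees;

static struct ccid *ccid_new(int id)
{
	struct ccid *c = malloc(sizeof *c);

	if (!c)
		return NULL;
	c->id = id;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = c;
			return c;
		}
	}
	free(c);
	return NULL;
}

/* Like ccid_hc_tx_delete: release the object if the socket holds one.
 * A pointer that is no longer live is a double free / use after free. */
static void ccid_delete(struct ccid *c)
{
	if (!c)
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == c) {
			live[i] = NULL;
			free(c);
			return;
		}
	}
	bad_frees++;
}

static void sock_destroy(struct sock *sk)
{
	ccid_delete(sk->tx_ccid);
	sk->tx_ccid = NULL;
}

/* Buggy clone: a plain struct copy leaves both sockets pointing at one CCID. */
static struct sock clone_shallow(const struct sock *sk)
{
	return *sk;
}

/* Clone as in the proposed patch: copy, then drop the inherited pointer so
 * only the parent owns the object (the child must allocate its own later). */
static struct sock clone_null_ccid(const struct sock *sk)
{
	struct sock n = *sk;

	n.tx_ccid = NULL;
	return n;
}

/* The alternative the mail mentions: give the child its own CCID object. */
static struct sock clone_deep(const struct sock *sk)
{
	struct sock n = *sk;

	n.tx_ccid = sk->tx_ccid ? ccid_new(sk->tx_ccid->id) : NULL;
	return n;
}

/* Create a parent, clone it, run both destructors as the two sk destructors
 * would, and return how many frees hit an already-freed object. */
static int run_scenario(struct sock (*clone)(const struct sock *))
{
	struct sock parent, child;

	bad_frees = 0;
	memset(live, 0, sizeof live);
	parent.port = 5000;		/* constructed sample value */
	parent.tx_ccid = ccid_new(2);	/* constructed sample CCID id */
	child = clone(&parent);
	sock_destroy(&parent);
	sock_destroy(&child);
	return bad_frees;
}

int main(void)
{
	/* shallow copy: 1 bad free; patch-style NULL or deep clone: 0 */
	return (run_scenario(clone_shallow) == 1 &&
		run_scenario(clone_null_ccid) == 0 &&
		run_scenario(clone_deep) == 0) ? 0 : 1;
}
```

The shallow-copy run reports one bad free, the other two report none; the registry only compares pointer values, so the dangling pointer in the child is never dereferenced, which is what makes the second free detectable here rather than undefined behaviour.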
