From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rainer Weikusat
Subject: Re: Use-after-free in ppoll
Date: Sun, 22 Nov 2015 14:32:16 +0000
Message-ID: <8737vym7f3.fsf@doppelsaurus.mobileactivedefense.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Rainer Weikusat, Jason Baron, Al Viro, David Miller, LKML, David Howells, netdev, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
To: Dmitry Vyukov
In-Reply-To: (Dmitry Vyukov's message of "Sun, 22 Nov 2015 15:14:31 +0100")
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Dmitry Vyukov writes:

> Hello,
>
> On commit f2d10565b9bdbb722bd43e6e1a759eeddb9645c8 (Nov 20).
>
> The following program triggers use-after-free:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include
> #include
> #include
> #include
>
> void *thread(void *p)
> {
>     syscall(SYS_write, (long)p, 0x2000278ful, 0x1ul, 0, 0, 0);
>     return 0;
> }

[...]

> long r1 = syscall(SYS_socketpair, 0x1ul, 0x3ul, 0x0ul,

[...]

> long r5 = syscall(SYS_close, r2, 0, 0, 0, 0, 0);
> pthread_t th;
> pthread_create(&th, 0, thread, (void*)(long)r3);

[...]

> long r21 = syscall(SYS_ppoll, 0x20000ffful, 0x3ul, 0x20000ffcul, 0x20000ffdul, 0x8ul, 0);
> return 0;
> }

That's one of the already known sequences for triggering this issue: the close will clear the peer pointer of the closed socket, hence the 2nd sock_poll_wait will be called by unix_dgram_poll. The write will execute unix_dgram_sendmsg, which detects that the peer is dead and disconnects from it, causing the corresponding structures to be freed although they're still in use.

NB: I didn't execute this, but I spent a fair amount of time with the af_unix.c code during the last couple of weeks and consider myself "reasonably familiar" with it, and that's IMO what should happen here.
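A constructed user-space model of the lifetime problem described in the reply, added here as an illustration; it is not code from the thread and not kernel code. The struct and function names (usock, add_wait, sendmsg_disconnect, and so on) are hypothetical stand-ins for the af_unix objects and helpers named above, freeing is modelled by a poison flag rather than a real free, and the "hold a reference while the wait entry is linked" variant is one generic mitigation for this class of bug, not the patch this thread led to:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, NOT kernel code: a poller links a wait entry into its
 * peer's wait queue; a concurrent send path decides the peer is dead, drops
 * the last reference, and the queue head is freed while still linked. */

struct waiter {
    struct waiter *next;
    int woken;
};

struct usock {            /* stands in for one end of a unix datagram pair */
    int refcnt;
    int freed;            /* 1 once the object has been released (poison) */
    struct waiter *wq;    /* wait queue head, like unix_sk(sk)->peer_wait */
    struct usock *peer;   /* connected peer, cleared on close */
};

static void sock_hold(struct usock *s) { s->refcnt++; }

static void sock_put(struct usock *s)
{
    if (--s->refcnt == 0)
        s->freed = 1;     /* real code would kfree(); we poison instead */
}

/* add_wait_queue() equivalent; -1 means the queue head is already freed */
static int add_wait(struct usock *head, struct waiter *w)
{
    if (head->freed)
        return -1;
    w->next = head->wq;
    head->wq = w;
    return 0;
}

/* remove_wait_queue() equivalent; this is where the original bug bites */
static int remove_wait(struct usock *head, struct waiter *w)
{
    struct waiter **pp;

    if (head->freed)
        return -1;        /* use-after-free: unlinking from freed memory */
    for (pp = &head->wq; *pp; pp = &(*pp)->next) {
        if (*pp == w) {
            *pp = w->next;
            break;
        }
    }
    return 0;
}

/* unix_dgram_sendmsg()-style behaviour: peer is dead, disconnect and drop
 * the reference that the connection held on it. */
static void sendmsg_disconnect(struct usock *s)
{
    struct usock *peer = s->peer;

    if (!peer)
        return;
    s->peer = NULL;
    sock_put(peer);
}

/* Replays the sequence from the reproducer on the model. Returns 0 on a clean
 * run, -1 if a wait-queue operation touched a freed object. */
static int run_scenario(int hold_ref_while_waiting)
{
    struct usock a = { 1, 0, NULL, NULL };   /* refcnt 1: the open file */
    struct usock b = { 1, 0, NULL, NULL };
    struct waiter w = { NULL, 0 };
    struct usock *other;
    int rc;

    /* socketpair(): each end holds a reference on the other */
    a.peer = &b; sock_hold(&b);
    b.peer = &a; sock_hold(&a);

    /* close(b): b's peer pointer is cleared and its file reference dropped;
     * b now stays alive only through a.peer */
    b.peer = NULL; sock_put(&a);
    sock_put(&b);

    /* ppoll(a): a's peer no longer points back, so the poll path registers
     * its wait entry on the peer's queue (the "2nd sock_poll_wait") */
    other = a.peer;
    if (hold_ref_while_waiting)
        sock_hold(other);
    rc = add_wait(other, &w);
    if (rc)
        return rc;

    /* write(a) from the second thread: peer is dead, disconnect, drop ref */
    sendmsg_disconnect(&a);

    /* poll completes and unlinks its wait entry from where it registered */
    rc = remove_wait(other, &w);
    if (hold_ref_while_waiting)
        sock_put(other);
    return rc;
}

int unsafe_sequence(void) { return run_scenario(0); }   /* returns -1 */
int safe_sequence(void)   { return run_scenario(1); }   /* returns 0  */

int main(void)
{
    printf("without reference: %d\n", unsafe_sequence());
    printf("with reference:    %d\n", safe_sequence());
    return 0;
}
```

The unsafe run reaches remove_wait with the queue head already released, which is the point at which the real kernel would touch freed memory; holding a reference on the object the wait entry is linked into, for exactly as long as it is linked, keeps the object alive until the entry has been removed.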