From: Oleksij Rempel <o.rempel@pengutronix.de>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Cc: eadavis@qq.com, davem@davemloft.net, edumazet@google.com,
	kernel@pengutronix.de, kuba@kernel.org, leitao@debian.org,
	linux-can@vger.kernel.org, linux-kernel@vger.kernel.org,
	mkl@pengutronix.de, netdev@vger.kernel.org, pabeni@redhat.com,
	robin@protonic.nl, socketcan@hartkopp.net,
	syzbot+ad601904231505ad6617@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH net-next V2] can: j1939: fix uaf warning in j1939_session_destroy
Date: Fri, 11 Oct 2024 16:10:18 +0200
Message-ID: <Zwkxyr-MndeD6mmB@pengutronix.de>
In-Reply-To: <20241011134124.3048936-1-snovitoll@gmail.com>

Hi Sabyrzhan,

On Fri, Oct 11, 2024 at 06:41:24PM +0500, Sabyrzhan Tasbolatov wrote:
> On Thu, 8 Aug 2024 19:07:55 +0800, Edward Adam Davis wrote:
> > On Thu, 8 Aug 2024 09:49:18 +0200, Oleksij Rempel wrote:
> > > > the skb to the queue and increase the skb reference count through it.
> > > > 
> > > > Reported-and-tested-by: syzbot+ad601904231505ad6617@syzkaller.appspotmail.com
> > > > Closes: https://syzkaller.appspot.com/bug?extid=ad601904231505ad6617
> > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > > 
> > > This patch breaks j1939.
> > > The issue can be reproduced by running following commands:
> > I tried to reproduce the problem using the following command, but was
> > unsuccessful. It prompted me to install j1939cat and j1939acd, and there
> > were some other errors.
> > 
> > Can you share the logs from when you reproduced the problem?

Ah, I was on vacation and it went under my radar, sorry :(

> Hello,
> 
> Here is the log of can-tests/j1939/run_all.sh:
> 
> # ip link add type vcan
> # ip l s dev vcan0 up
> # ./run_all.sh vcan0 vcan0
> ##############################################
> run: j1939_ac_100k_dual_can.sh
> generate random data for the test
> 1+0 records in
> 1+0 records out
> 102400 bytes (102 kB, 100 KiB) copied, 0.00191192 s, 53.6 MB/s
> start j1939acd and j1939cat on vcan0
> 8321
> 8323
> start j1939acd and j1939cat on vcan0
> [  132.211317][ T8326] vcan0: tx drop: invalid sa for name 0x0000000011223340
> j1939cat: j1939cat_send_one: transfer error: -99: Cannot assign requested address
> 
> It fails here:
> https://github.com/linux-can/can-tests/blob/master/j1939/j1939_ac_100k_dual_can.sh#L70

I assume it is just a secondary failure; it probably failed at the address
claim stage in j1939acd, so j1939cat was not able to start the transfer due
to a missing (not claimed) address.

> The error message is printed in this condition:
> https://elixir.bootlin.com/linux/v6.12-rc2/source/net/can/j1939/address-claim.c#L104-L108
> 
> I've applied your patch on the current 6.12.0-rc2 and the syzkaller C repro
> doesn't trigger the WARNING (uaf, refcount) anymore, though.

Yes, because the transfer protocol is broken now.

> == Offtopic:
> I wonder if can-tests/j1939 should be refactored from shell to C tests in the
> same linux-can/can-tests repository (or even migrated to KUnit tests)
> to improve debugging and test coverage. I'd like to understand which syscalls
> and params are used by the j1939cat and j1939acd utils -- currently, tracing
> with strace and trace-cmd (ftrace).

I have nothing against it; some of them I implemented in C:
https://github.com/linux-can/can-tests/blob/master/j1939/tst-j1939-ac.c#L1160

Right now I do not have enough time to port it, but I can support anyone
who is willing to do it.

Best Regards,
Oleksij
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
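
What the test run above depends on, modelled in user space as an added example (it is not code from this thread, from the kernel's net/can/j1939, or from can-tests): the Address Claimed PDU that j1939acd sends, the bus-wide rule that decides who keeps an address when two NAMEs claim the same one, and the transmit-side check that yields -EADDRNOTAVAIL (the -99 j1939cat printed) when a NAME-bound socket sends before its claim has been recorded. The frame type, the ECU table, and all function names are this example's own stand-ins for the kernel's per-interface state, not its API; only the NAME 0x0000000011223340 and the -99 come from the log above, and the second NAME 0x11223341 used in the usage note is constructed.

```c
/* Added example, not kernel, can-utils or can-tests code: a user-space model of
 * the address claim j1939acd performs and of the transmit-side check behind
 * "tx drop: invalid sa for name". Types and function names are this example's own. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define J1939_PGN_ADDRESS_CLAIMED 0x0ee00u /* PDU1: PF 0xEE, PS = destination */
#define J1939_NO_ADDR          0xffu       /* global destination / unassigned */
#define J1939_IDLE_ADDR        0xfeu       /* "cannot claim address" */
#define J1939_MAX_UNICAST_ADDR 0xfdu
#define CAN_EFF_FLAG_BIT       0x80000000u /* 29-bit ID, same bit as CAN_EFF_FLAG */
#define MAX_ECU                8

struct ac_frame {        /* this example's own raw CAN frame */
	uint32_t can_id; /* 29-bit identifier with the EFF bit set */
	uint8_t data[8]; /* NAME, 8 bytes little-endian */
};

struct ecu { uint64_t name; uint8_t addr; };
static struct ecu ecu_tab[MAX_ECU]; /* stand-in for the kernel's per-interface table */
static int ecu_cnt;

void j1939_ecu_table_reset(void) { ecu_cnt = 0; }

static struct ecu *ecu_by_name(uint64_t name)
{
	for (int i = 0; i < ecu_cnt; i++)
		if (ecu_tab[i].name == name)
			return &ecu_tab[i];
	return NULL;
}

/* Only unicast addresses (<= 0xFD) are owned; idle and global never collide. */
static struct ecu *ecu_by_addr(uint8_t addr)
{
	for (int i = 0; addr <= J1939_MAX_UNICAST_ADDR && i < ecu_cnt; i++)
		if (ecu_tab[i].addr == addr)
			return &ecu_tab[i];
	return NULL;
}

/* Address Claimed PDU: priority 6, PF 0xEE, PS 0xFF (global), SA in the low
 * byte, i.e. identifier 0x18EEFFxx; the 8-byte payload is the NAME. */
void j1939_ac_build(uint64_t name, uint8_t sa, struct ac_frame *f)
{
	uint32_t pf = (J1939_PGN_ADDRESS_CLAIMED >> 8) & 0xffu;
	f->can_id = CAN_EFF_FLAG_BIT | (6u << 26) | (pf << 16) | (J1939_NO_ADDR << 8) | sa;
	for (int i = 0; i < 8; i++)
		f->data[i] = (uint8_t)(name >> (8 * i));
}

/* Returns 0 and fills sa/name if f is an Address Claimed PDU, else -1. */
int j1939_ac_parse(const struct ac_frame *f, uint8_t *sa, uint64_t *name)
{
	uint32_t id = f->can_id & 0x1fffffffu;
	if (!(f->can_id & CAN_EFF_FLAG_BIT) || ((id >> 16) & 0xffu) != 0xeeu)
		return -1;
	*sa = (uint8_t)(id & 0xffu);
	*name = 0;
	for (int i = 7; i >= 0; i--)
		*name = (*name << 8) | f->data[i];
	return 0;
}

/* Record a claim seen on the bus: on a collision the numerically lower NAME
 * keeps the address (SAE J1939-81) and the loser drops to J1939_IDLE_ADDR.
 * Returns the address now recorded for the claiming NAME. */
uint8_t j1939_ac_process(const struct ac_frame *f)
{
	uint8_t sa;
	uint64_t name;
	struct ecu *me, *prev;
	if (j1939_ac_parse(f, &sa, &name))
		return J1939_NO_ADDR;
	me = ecu_by_name(name);
	if (!me) {                                 /* first claim from this NAME */
		if (ecu_cnt == MAX_ECU)
			return J1939_NO_ADDR;
		me = &ecu_tab[ecu_cnt++];
		*me = (struct ecu){ .name = name, .addr = J1939_NO_ADDR };
	}
	prev = ecu_by_addr(sa);
	if (prev && prev != me && prev->name < name)
		return me->addr = J1939_IDLE_ADDR; /* contender loses */
	if (prev && prev != me)
		prev->addr = J1939_IDLE_ADDR;      /* previous holder loses */
	return me->addr = sa;
}

/* Transmit-side check for a socket bound to NAME: the source address to use,
 * or -EADDRNOTAVAIL (the -99 j1939cat reported) when NAME holds no address. */
int j1939_tx_sa_for_name(uint64_t name)
{
	struct ecu *e = ecu_by_name(name);
	if (!e || e->addr > J1939_MAX_UNICAST_ADDR) {
		fprintf(stderr, "tx drop: invalid sa for name 0x%016llx\n",
			(unsigned long long)name);
		return -EADDRNOTAVAIL;
	}
	return e->addr;
}
```

Driven in sequence from a caller: j1939_tx_sa_for_name(0x11223340) before any claim returns -EADDRNOTAVAIL, the same drop j1939cat reported; after j1939_ac_build() and j1939_ac_process() for that NAME with SA 0x80 it returns 0x80; a constructed second NAME 0x11223341 claiming 0x80 afterwards is recorded as J1939_IDLE_ADDR because the lower NAME wins, while a contender with a lower NAME would instead idle the current holder. The kernel keeps the equivalent table per interface, which is why j1939cat only gets a usable source address once j1939acd's claim has gone out on the same interface.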

Thread overview: 13+ messages
2024-08-05 21:18 [syzbot] [can?] WARNING: refcount bug in j1939_session_put syzbot
2024-08-07  1:42 ` Edward Adam Davis
2024-08-07  2:00   ` syzbot
2024-08-07  8:02   ` Breno Leitao
2024-08-07 23:06     ` Edward Adam Davis
2024-08-07 12:35 ` [PATCH net-next] can: j1939: fix uaf in j1939_session_destroy Edward Adam Davis
2024-08-07 14:16   ` Jakub Kicinski
2024-08-07 23:08     ` [PATCH net-next V2] can: j1939: fix uaf warning " Edward Adam Davis
2024-08-08  7:49       ` Oleksij Rempel
2024-08-08 11:07         ` Edward Adam Davis
2024-08-08 11:57           ` Marc Kleine-Budde
2024-10-11 13:41           ` Sabyrzhan Tasbolatov
2024-10-11 14:10             ` Oleksij Rempel [this message]
