Re: KASAN: use-after-free Read in sctp_packet_transmit

From: Denis Kirjanov
Date: Sat Jan 06 2018 - 12:29:22 EST


On 1/5/18, syzbot <syzbot+5adcca18fca253b4cb15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> syzkaller hit the following crash on
> 8a4816cad00bf14642f0ed6043b32d29a05006ce
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5adcca18fca253b4cb15@xxxxxxxxxxxxxxxxxxxxxxxxx
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ==================================================================
> BUG: KASAN: use-after-free in sctp_packet_transmit+0x3505/0x3750
> net/sctp/output.c:643
> Read of size 8 at addr ffff8801bda9fb80 by task modprobe/23740
>

This can be related to the following corruption during send:
#6 [ffff8805945ff940] invalid_op at ffffffff8100c15b
[exception RIP: sctp_chunk_put+91]
RIP: ffffffffa039db3b RSP: ffff8805945ff9f8 RFLAGS: 00010212
RAX: ffff8808b025cb01 RBX: ffff880dbb1b0d80 RCX: ffff8805945ff818
RDX: 0000000000000020 RSI: ffff8809a84746d8 RDI: ffff880dbb1b0d80
RBP: ffff8805945ffa08 R8: ffff880dbb13a0c0 R9: 0000000000000000
R10: ffff880000023820 R11: 0000000000000000 R12: ffff880dbb1b0d80
R13: 0000000000000000 R14: ffff8808b025cb80 R15: 0000000000000000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffff8805945ffa10] sctp_datamsg_put at ffffffffa039c543 [sctp]
#8 [ffff8805945ffa60] sctp_datamsg_free at ffffffffa039c9dd [sctp]
#9 [ffff8805945ffa80] sctp_sendmsg at ffffffffa03a9440 [sctp]
#10 [ffff8805945ffb70] inet_sendmsg at ffffffff814ef0ba
#11 [ffff8805945ffbb0] sock_sendmsg at ffffffff8146b4c7
#12 [ffff8805945ffd60] __sys_sendmsg at ffffffff8146b976
#13 [ffff8805945fff10] sys_sendmsg at ffffffff8146bb99

In this case we have a chunk with a 0 refcounter:
struct sctp_chunk {
  list = {
    next = 0xffff8809a84746d8,
    prev = 0xffff880dbb1b0e80
  },
  refcnt = {
    counter = 0
  },
  transmitted_list = {
    next = 0xffff880dbb1b0d98,
    prev = 0xffff880dbb1b0d98
  },
  frag_list = {
    next = 0xffff880dbb1b0da8,
    prev = 0xffff880dbb1b0da8
  },
  skb = 0xffff880dbb1a4700,
  param_hdr = {
    v = 0x0,
    p = 0x0,
    life = 0x0,
    dns = 0x0,
    cookie = 0x0,
    ....

The previous chunk in the list has the refcounter set to 2:
struct sctp_chunk {
  list = {
    next = 0xffff880dbb1b0d80,
    prev = 0xffff880c657160c0
  },
  refcnt = {
    counter = 2
  },
  transmitted_list = {
    next = 0xffff880dbb1b0e98,
    prev = 0xffff880dbb1b0e98
  },
  frag_list = {
    next = 0xffff8808b025c300,
    prev = 0xffff8808b025c300
  },
  skb = 0xffff880dbb1a4840,
  param_hdr = {
    v = 0x0,
    p = 0x0,
    life = 0x0,
    dns = 0x0,
    cookie = 0x0,
    ...
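A constructed C model of the state the two dumps show, added here as an illustration and not code from this thread or from the kernel: a datamsg teardown puts one chunk whose counter is already 0 alongside one still at 2, and a refcount_t-style guard turns the put on the zero-count chunk into a counted refusal instead of running the free path on an object still linked in the list. The names chunk_put, datamsg_free and run_scenario are assumptions standing in for sctp_chunk_put and sctp_datamsg_free; only the refcnt.counter field from the dump is modelled.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of an SCTP chunk's refcount, not kernel code: only the
 * field the crash-utility dump shows (refcnt.counter) is represented. */
struct chunk {
    int refcnt;   /* models sctp_chunk.refcnt.counter */
    bool freed;   /* set when the model's "destroy" path runs */
};

struct result {
    int freed;       /* chunks whose counter reached 0 during teardown */
    int underflows;  /* puts refused because the counter was already 0 */
    int b_refcnt;    /* final counter of the second chunk */
};

/* refcount_t-style put: a put on a zero counter is refused and counted
 * instead of running the free path on memory another holder may still
 * reference. Returns true when this put released the last reference. */
static bool chunk_put(struct chunk *c, int *underflows)
{
    if (c->refcnt <= 0) {
        (*underflows)++;      /* this put would have been a double free */
        return false;
    }
    if (--c->refcnt == 0) {
        c->freed = true;      /* stand-in for sctp_chunk_destroy() */
        return true;
    }
    return false;
}

/* Models sctp_datamsg_free(): drop the datamsg's reference on every chunk
 * still linked in its frag_list. Returns how many chunks were freed. */
static int datamsg_free(struct chunk *frag_list, int n, int *underflows)
{
    int freed = 0;
    for (int i = 0; i < n; i++)
        if (chunk_put(&frag_list[i], underflows))
            freed++;
    return freed;
}

/* The state from the dumps: chunk A already at 0, chunk B at 2. */
struct result run_scenario(void)
{
    struct chunk frags[2] = { { 0, false }, { 2, false } };
    struct result r = { 0, 0, 0 };
    r.freed = datamsg_free(frags, 2, &r.underflows);
    r.b_refcnt = frags[1].refcnt;
    return r;
}
```

With the guard in place the zero-count chunk is never freed a second time and the chunk at 2 simply drops to 1; an unguarded decrement-and-test would take the first counter to -1 and leave a freed object reachable from the list.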