Re: KASAN: use-after-free Read in decode_session6
From: Xin Long
Date: Tue Nov 03 2020 - 08:52:26 EST
On Tue, Nov 3, 2020 at 9:14 PM Xin Long <lucien.xin@xxxxxxxxx> wrote:
>
> On Sun, Nov 1, 2020 at 1:40 PM syzbot
> <syzbot+5be8aebb1b7dfa90ef31@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > syzbot has bisected this issue to:
> >
> > commit bcd623d8e9fa5f82bbd8cd464dc418d24139157b
> > Author: Xin Long <lucien.xin@xxxxxxxxx>
> > Date: Thu Oct 29 07:05:05 2020 +0000
> >
> > sctp: call sk_setup_caps in sctp_packet_transmit instead
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14df9cb8500000
> > start commit: 68bb4665 Merge branch 'l2-multicast-forwarding-for-ocelot-..
> > git tree: net-next
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=16df9cb8500000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12df9cb8500000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=eac680ae76558a0e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5be8aebb1b7dfa90ef31
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11286398500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11bbf398500000
> >
> > Reported-by: syzbot+5be8aebb1b7dfa90ef31@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: bcd623d8e9fa ("sctp: call sk_setup_caps in sctp_packet_transmit instead")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> I'm looking into this, Thanks.
This was actually caused by:
commit a1dd2cf2f1aedabc2ca9bb4f90231a521c52d8eb
Author: Xin Long <lucien.xin@xxxxxxxxx>
Date: Thu Oct 29 15:05:03 2020 +0800
sctp: allow changing transport encap_port by peer packets
where the IP6CB was overwritten by SCTP_INPUT_CB.
I will fix it by bringing inet6_skb_parm back to sctp_input_cb:
struct sctp_input_cb {
+ union {
+ struct inet_skb_parm h4;
+#if IS_ENABLED(CONFIG_IPV6)
+ struct inet6_skb_parm h6;
+#endif
+ } header;
+ __be16 encap_port;
struct sctp_chunk *chunk;
struct sctp_af *af;
- __be16 encap_port;
};
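Review bot: the `header` union only keeps IPCB()/IP6CB() safe because it is the first member of sctp_input_cb and because the whole struct still fits inside skb->cb, and neither invariant is recorded anywhere in the hunk. Suggest a one-line comment above `+ union {` ("must stay first: IPCB()/IP6CB() read the start of skb->cb") and a BUILD_BUG_ON(sizeof(struct sctp_input_cb) > sizeof_field(struct sk_buff, cb)) next to the first user, so a later field added or reordered ahead of `header` cannot silently reintroduce the overwrite. The relocation of `encap_port` from the tail to right after `header` also deserves a sentence in the changelog, since the hunk otherwise reads as a pure addition.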
Will post it soon, Thanks.
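As an added illustration of the bug class described above (not code from Xin Long or from the kernel tree): a user-space model of two control-block layouts overlaid on the same 48-byte skb->cb-style buffer. The struct names, the field sets of the mock inet_skb_parm / inet6_skb_parm, and the 48-byte size are assumptions chosen to mirror the shape of the hunk, not the kernel's real definitions. Layout (a) starts transport-private fields at offset 0 and so overwrites the IPv6 state a later reader such as decode_session6() depends on; layout (b) reserves the header union first, as the proposed sctp_input_cb change does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: skb->cb is 48 bytes of per-layer scratch space. */
#define CB_SIZE 48

/* Mock stand-ins for inet_skb_parm / inet6_skb_parm. The field sets are
 * illustrative and are not the kernel's exact definitions. */
struct mock_inet_skb_parm  { int iif; uint16_t flags; uint16_t frag_max_size; };
struct mock_inet6_skb_parm { int iif; int flags; uint16_t lastopt;
                             uint16_t nhoff; uint16_t frag_max_size; };

/* Layout (a): transport-private fields begin at offset 0, so writing them
 * clobbers whatever the IPv6 input path stored in IP6CB(skb). */
struct cb_overlapping {
	void *chunk;
	void *af;
	uint16_t encap_port;
};

/* Layout (b): the IP-layer control block is reserved as the FIRST member,
 * mirroring the header union in the proposed sctp_input_cb change. */
struct cb_reserved {
	union {
		struct mock_inet_skb_parm h4;
		struct mock_inet6_skb_parm h6;
	} header;
	uint16_t encap_port;
	void *chunk;
	void *af;
};

/* The two invariants a kernel BUILD_BUG_ON would pin down. */
_Static_assert(offsetof(struct cb_reserved, header) == 0,
	       "header must be first so IPCB()/IP6CB() still find it");
_Static_assert(sizeof(struct cb_reserved) <= CB_SIZE,
	       "private cb must not spill past skb->cb");

/* All of these views alias the same CB_SIZE bytes, exactly like skb->cb. */
union cb_storage {
	unsigned char raw[CB_SIZE];
	struct mock_inet6_skb_parm ip6;	/* what IP6CB(skb) returns */
	struct cb_overlapping ovl;
	struct cb_reserved rsv;
};

/* Simulate: IPv6 input fills IP6CB, the transport layer fills its own cb
 * over the same bytes, then a later consumer reads IP6CB again.
 * Returns 1 if the IPv6 fields are still intact, 0 if they were overwritten. */
static int ip6cb_survives(int reserve_header)
{
	union cb_storage cb;
	static int dummy_obj;	/* stands in for a chunk / af object */

	memset(&cb, 0, sizeof cb);

	/* 1. IPv6 input path records per-packet state in IP6CB(skb). */
	cb.ip6.iif = 7;
	cb.ip6.flags = 1;
	cb.ip6.nhoff = 40;

	/* 2. Transport layer writes its control block into the same buffer. */
	if (reserve_header) {
		cb.rsv.chunk = &dummy_obj;
		cb.rsv.af = &dummy_obj;
		cb.rsv.encap_port = 9899;
	} else {
		cb.ovl.chunk = &dummy_obj;	/* lands on iif/flags */
		cb.ovl.af = &dummy_obj;		/* lands on lastopt/nhoff/... */
		cb.ovl.encap_port = 9899;
	}

	/* 3. A later reader (decode_session6 in the syzbot report) consults IP6CB. */
	return cb.ip6.iif == 7 && cb.ip6.flags == 1 && cb.ip6.nhoff == 40;
}

int main(void)
{
	printf("overlapping layout:     IP6CB intact = %d\n", ip6cb_survives(0));
	printf("reserved-header layout: IP6CB intact = %d\n", ip6cb_survives(1));
	return 0;
}
```

The union is used for the overlay so the type punning is well defined under GCC; the two _Static_asserts are the user-space equivalent of the BUILD_BUG_ON a kernel patch would add, and either one failing is a compile error rather than a KASAN report at runtime.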