* KASAN: use-after-free Read in seccomp_notify_release (2)
@ 2019-03-25 8:02 syzbot
2019-04-23 21:39 ` Kees Cook
0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2019-03-25 8:02 UTC (permalink / raw)
To: ast, bpf, coreteam, daniel, davem, fw, kadlec, kafai, keescook,
linux-kernel, luto, netdev, netfilter-devel, pablo,
songliubraving, syzkaller-bugs, wad, wenxu, yhs
Hello,
syzbot found the following crash on:
HEAD commit: 1bdd3dbf Merge tag 'io_uring-20190323' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12ae5b93200000
kernel config: https://syzkaller.appspot.com/x/.config?x=9a31fb246de2a622
dashboard link: https://syzkaller.appspot.com/bug?extid=b562969adb2e04af3442
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162ca25d200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1733b53b200000
The bug was bisected to:
commit a799aea0988ea0d1b1f263e996fdad2f6133c680
Author: wenxu <wenxu@ucloud.cn>
Date: Wed Jan 9 02:40:11 2019 +0000
netfilter: nft_flow_offload: Fix reverse route lookup
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10dcc517200000
final crash: https://syzkaller.appspot.com/x/report.txt?x=12dcc517200000
console output: https://syzkaller.appspot.com/x/log.txt?x=14dcc517200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com
Fixes: a799aea0988e ("netfilter: nft_flow_offload: Fix reverse route
lookup")
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2d5e/0x3fb0
kernel/locking/lockdep.c:3573
Read of size 8 at addr ffff8880a621d080 by task syz-executor365/8267
CPU: 0 PID: 8267 Comm: syz-executor365 Not tainted 5.1.0-rc1+ #35
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
__lock_acquire+0x2d5e/0x3fb0 kernel/locking/lockdep.c:3573
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1310 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
seccomp_notify_release+0x62/0x280 kernel/seccomp.c:984
__fput+0x2e5/0x8d0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x14a/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x405621
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe1ebba1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000405621
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
RBP: 0000000000000064 R08: 00007f28ae4ca700 R09: 0000000000000000
R10: 00007ffe1ebba1f0 R11: 0000000000000293 R12: 00000000006dbc30
R13: 0000000000000002 R14: 00000000006dbc3c R15: 000000000000002d
Allocated by task 8278:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3621
kmalloc include/linux/slab.h:545 [inline]
kzalloc include/linux/slab.h:740 [inline]
seccomp_prepare_filter kernel/seccomp.c:453 [inline]
seccomp_prepare_user_filter kernel/seccomp.c:493 [inline]
seccomp_set_mode_filter kernel/seccomp.c:1262 [inline]
do_seccomp+0x743/0x2250 kernel/seccomp.c:1376
__do_sys_seccomp kernel/seccomp.c:1395 [inline]
__se_sys_seccomp kernel/seccomp.c:1392 [inline]
__x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8278:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3821
seccomp_filter_free kernel/seccomp.c:567 [inline]
seccomp_filter_free kernel/seccomp.c:563 [inline]
seccomp_set_mode_filter kernel/seccomp.c:1317 [inline]
do_seccomp+0xb00/0x2250 kernel/seccomp.c:1376
__do_sys_seccomp kernel/seccomp.c:1395 [inline]
__se_sys_seccomp kernel/seccomp.c:1392 [inline]
__x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a621d000
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
192-byte region [ffff8880a621d000, ffff8880a621d0c0)
The buggy address belongs to the page:
page:ffffea0002988740 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002981048 ffffea0002988048 ffff88812c3f0040
raw: 0000000000000000 ffff8880a621d000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a621cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a621d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a621d080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8880a621d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a621d180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: KASAN: use-after-free Read in seccomp_notify_release (2)
2019-03-25 8:02 KASAN: use-after-free Read in seccomp_notify_release (2) syzbot
@ 2019-04-23 21:39 ` Kees Cook
2019-04-23 21:51 ` Tycho Andersen
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2019-04-23 21:39 UTC (permalink / raw)
To: Tycho Andersen
Cc: Alexei Starovoitov, bpf, coreteam, Daniel Borkmann,
David S. Miller, Florian Westphal, Jozsef Kadlecsik,
Martin KaFai Lau, LKML, Andy Lutomirski, Network Development,
netfilter-devel, Pablo Neira Ayuso, Song Liu, syzkaller-bugs,
Will Drewry, wenxu, Yonghong Song, syzbot
On Mon, Mar 25, 2019 at 1:02 AM syzbot
<syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 1bdd3dbf Merge tag 'io_uring-20190323' of git://git.kernel..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12ae5b93200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9a31fb246de2a622
> dashboard link: https://syzkaller.appspot.com/bug?extid=b562969adb2e04af3442
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162ca25d200000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1733b53b200000
>
> The bug was bisected to:
>
> commit a799aea0988ea0d1b1f263e996fdad2f6133c680
> Author: wenxu <wenxu@ucloud.cn>
> Date: Wed Jan 9 02:40:11 2019 +0000
>
> netfilter: nft_flow_offload: Fix reverse route lookup
This bisection looks bogus?
However, I _can_ trigger the problem on this kernel version with this
config. (And not with Linus's latest tree.)
The PoC is identical to the prior report[1] that we thought was fixed.
Perhaps the fix didn't actually fix it? (I mean
a811dc61559e0c8003f1086c2a4dc8e4d5ae4cb8) But it's been silent for 29
days now, so I'm not sure what's going on.
Tycho are you able to reproduce this on the older tree?
-Kees
[1] https://groups.google.com/forum/#!msg/syzkaller-bugs/BPWo-3V1M2k/0keafXgOCQAJ
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10dcc517200000
> final crash: https://syzkaller.appspot.com/x/report.txt?x=12dcc517200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=14dcc517200000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com
> Fixes: a799aea0988e ("netfilter: nft_flow_offload: Fix reverse route
> lookup")
>
> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire+0x2d5e/0x3fb0
> kernel/locking/lockdep.c:3573
> Read of size 8 at addr ffff8880a621d080 by task syz-executor365/8267
>
> CPU: 0 PID: 8267 Comm: syz-executor365 Not tainted 5.1.0-rc1+ #35
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
> kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
> __lock_acquire+0x2d5e/0x3fb0 kernel/locking/lockdep.c:3573
> lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
> __mutex_lock_common kernel/locking/mutex.c:925 [inline]
> __mutex_lock+0xf7/0x1310 kernel/locking/mutex.c:1072
> mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
> seccomp_notify_release+0x62/0x280 kernel/seccomp.c:984
> __fput+0x2e5/0x8d0 fs/file_table.c:278
> ____fput+0x16/0x20 fs/file_table.c:309
> task_work_run+0x14a/0x1c0 kernel/task_work.c:113
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
> prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
> syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
> do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x405621
> Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
> 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
> 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
> RSP: 002b:00007ffe1ebba1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
> RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000405621
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
> RBP: 0000000000000064 R08: 00007f28ae4ca700 R09: 0000000000000000
> R10: 00007ffe1ebba1f0 R11: 0000000000000293 R12: 00000000006dbc30
> R13: 0000000000000002 R14: 00000000006dbc3c R15: 000000000000002d
>
> Allocated by task 8278:
> save_stack+0x45/0xd0 mm/kasan/common.c:75
> set_track mm/kasan/common.c:87 [inline]
> __kasan_kmalloc mm/kasan/common.c:497 [inline]
> __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
> kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
> kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3621
> kmalloc include/linux/slab.h:545 [inline]
> kzalloc include/linux/slab.h:740 [inline]
> seccomp_prepare_filter kernel/seccomp.c:453 [inline]
> seccomp_prepare_user_filter kernel/seccomp.c:493 [inline]
> seccomp_set_mode_filter kernel/seccomp.c:1262 [inline]
> do_seccomp+0x743/0x2250 kernel/seccomp.c:1376
> __do_sys_seccomp kernel/seccomp.c:1395 [inline]
> __se_sys_seccomp kernel/seccomp.c:1392 [inline]
> __x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
> do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 8278:
> save_stack+0x45/0xd0 mm/kasan/common.c:75
> set_track mm/kasan/common.c:87 [inline]
> __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
> kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
> __cache_free mm/slab.c:3498 [inline]
> kfree+0xcf/0x230 mm/slab.c:3821
> seccomp_filter_free kernel/seccomp.c:567 [inline]
> seccomp_filter_free kernel/seccomp.c:563 [inline]
> seccomp_set_mode_filter kernel/seccomp.c:1317 [inline]
> do_seccomp+0xb00/0x2250 kernel/seccomp.c:1376
> __do_sys_seccomp kernel/seccomp.c:1395 [inline]
> __se_sys_seccomp kernel/seccomp.c:1392 [inline]
> __x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
> do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at ffff8880a621d000
> which belongs to the cache kmalloc-192 of size 192
> The buggy address is located 128 bytes inside of
> 192-byte region [ffff8880a621d000, ffff8880a621d0c0)
> The buggy address belongs to the page:
> page:ffffea0002988740 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
> flags: 0x1fffc0000000200(slab)
> raw: 01fffc0000000200 ffffea0002981048 ffffea0002988048 ffff88812c3f0040
> raw: 0000000000000000 ffff8880a621d000 0000000100000010 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8880a621cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a621d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8880a621d080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ^
> ffff8880a621d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880a621d180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: KASAN: use-after-free Read in seccomp_notify_release (2)
2019-04-23 21:39 ` Kees Cook
@ 2019-04-23 21:51 ` Tycho Andersen
2019-04-23 22:06 ` Kees Cook
0 siblings, 1 reply; 4+ messages in thread
From: Tycho Andersen @ 2019-04-23 21:51 UTC (permalink / raw)
To: Kees Cook
Cc: Alexei Starovoitov, bpf, coreteam, Daniel Borkmann,
David S. Miller, Florian Westphal, Jozsef Kadlecsik,
Martin KaFai Lau, LKML, Andy Lutomirski, Network Development,
netfilter-devel, Pablo Neira Ayuso, Song Liu, syzkaller-bugs,
Will Drewry, wenxu, Yonghong Song, syzbot
On Tue, Apr 23, 2019 at 02:39:52PM -0700, Kees Cook wrote:
> On Mon, Mar 25, 2019 at 1:02 AM syzbot
> <syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 1bdd3dbf Merge tag 'io_uring-20190323' of git://git.kernel..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12ae5b93200000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=9a31fb246de2a622
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b562969adb2e04af3442
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162ca25d200000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1733b53b200000
> >
> > The bug was bisected to:
> >
> > commit a799aea0988ea0d1b1f263e996fdad2f6133c680
> > Author: wenxu <wenxu@ucloud.cn>
> > Date: Wed Jan 9 02:40:11 2019 +0000
> >
> > netfilter: nft_flow_offload: Fix reverse route lookup
>
> This bisection looks bogus?
>
> However, I _can_ trigger the problem on this kernel version with this
> config. (And not with Linus's latest tree.)
>
> The PoC is identical to the prior report[1] that we thought was fixed.
> Perhaps the fix didn't actually fix it? (I mean
> a811dc61559e0c8003f1086c2a4dc8e4d5ae4cb8) But it's been silent for 29
> days now, so I'm not sure what's going on.
>
> Tycho are you able to reproduce this on the older tree?
It looks like this case is using TSYNC and NEW_LISTENER together:
syscall(__NR_seccomp, 1, 0xb, 0x20000140);
and I did fix a uaf with TSYNC and NEW_LISTENER in this series:
https://lore.kernel.org/lkml/20190306201413.14153-2-tycho@tycho.ws/T/#u
which seems like it's probably related. I don't think the above ever
got applied though?
Tycho
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: KASAN: use-after-free Read in seccomp_notify_release (2)
2019-04-23 21:51 ` Tycho Andersen
@ 2019-04-23 22:06 ` Kees Cook
0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2019-04-23 22:06 UTC (permalink / raw)
To: Tycho Andersen
Cc: Alexei Starovoitov, bpf, coreteam, Daniel Borkmann,
David S. Miller, Florian Westphal, Jozsef Kadlecsik,
Martin KaFai Lau, LKML, Andy Lutomirski, Network Development,
netfilter-devel, Pablo Neira Ayuso, Song Liu, syzkaller-bugs,
Will Drewry, wenxu, Yonghong Song, syzbot
On Tue, Apr 23, 2019 at 2:51 PM Tycho Andersen <tycho@tycho.ws> wrote:
>
> On Tue, Apr 23, 2019 at 02:39:52PM -0700, Kees Cook wrote:
> > On Mon, Mar 25, 2019 at 1:02 AM syzbot
> > <syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: 1bdd3dbf Merge tag 'io_uring-20190323' of git://git.kernel..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12ae5b93200000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=9a31fb246de2a622
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=b562969adb2e04af3442
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162ca25d200000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1733b53b200000
> > >
> > > The bug was bisected to:
> > >
> > > commit a799aea0988ea0d1b1f263e996fdad2f6133c680
> > > Author: wenxu <wenxu@ucloud.cn>
> > > Date: Wed Jan 9 02:40:11 2019 +0000
> > >
> > > netfilter: nft_flow_offload: Fix reverse route lookup
> >
> > This bisection looks bogus?
> >
> > However, I _can_ trigger the problem on this kernel version with this
> > config. (And not with Linus's latest tree.)
> >
> > The PoC is identical to the prior report[1] that we thought was fixed.
> > Perhaps the fix didn't actually fix it? (I mean
> > a811dc61559e0c8003f1086c2a4dc8e4d5ae4cb8) But it's been silent for 29
> > days now, so I'm not sure what's going on.
> >
> > Tycho are you able to reproduce this on the older tree?
>
> It looks like this case is using TSYNC and NEW_LISTENER together:
>
> syscall(__NR_seccomp, 1, 0xb, 0x20000140);
Ah, thanks. My eye-diff didn't work. :)
> and I did fix a uaf with TSYNC and NEW_LISTENER in this series:
>
> https://lore.kernel.org/lkml/20190306201413.14153-2-tycho@tycho.ws/T/#u
>
> which seems like it's probably related. I don't think the above ever
> got applied though?
Whoops, I lost this. Let me go dig that up. Thanks!
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-04-23 22:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-25 8:02 KASAN: use-after-free Read in seccomp_notify_release (2) syzbot
2019-04-23 21:39 ` Kees Cook
2019-04-23 21:51 ` Tycho Andersen
2019-04-23 22:06 ` Kees Cook
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.