From: Andrey Konovalov
Date: Wed, 19 Oct 2016 14:25:24 +0200
Subject: net/sctp: use-after-free in __sctp_connect
To: Vlad Yasevich, Neil Horman, "David S. Miller", linux-sctp@vger.kernel.org, netdev, LKML
Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet, Dmitry Vyukov

Hi,

I've got the following error report while running the syzkaller fuzzer:

==================================================================
BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr ffff88006b1dc610
Read of size 4 by task syz-executor/21837
CPU: 2 PID: 21837 Comm: syz-executor Not tainted 4.9.0-rc1+ #228
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff8800393ef930 ffffffff81b474f4 ffff88003e80ed40 ffff88006b1dc568
 ffff88006b1dd6a0 ffff88006b1dc560 ffff8800393ef958 ffffffff8150b33c
 ffff8800393ef9e8 ffff88003e80ed40 ffff8800eb1dc610 ffff8800393ef9d8
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [< inline >] print_address_description mm/kasan/report.c:194
 [] kasan_report_error+0x1f7/0x4d0 mm/kasan/report.c:283
 [< inline >] kasan_report mm/kasan/report.c:303
 [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323
 [] __sctp_connect+0xabe/0xbf0 net/sctp/socket.c:1219
 [] __sctp_setsockopt_connectx+0x182/0x1b0 net/sctp/socket.c:1329
 [< inline >] sctp_setsockopt_connectx net/sctp/socket.c:1361
 [] sctp_setsockopt+0x1009/0x3d70 net/sctp/socket.c:3813
 [] sock_common_setsockopt+0x96/0xd0 net/core/sock.c:2688
 [< inline >] SYSC_setsockopt net/socket.c:1742
 [] SyS_setsockopt+0x154/0x240 net/socket.c:1721
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88006b1dc568, in cache kmalloc-4096 size: 4096
Allocated:
PID = 21837
[  270.449111] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[  270.449111] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[  270.449111] [< inline >] set_track mm/kasan/kasan.c:507
[  270.449111] [] kasan_kmalloc+0xab/0xe0 mm/kasan/kasan.c:598
[  270.449111] [] kmem_cache_alloc_trace+0xec/0x270 mm/slub.c:2735
[  270.449111] [< inline >] kmalloc include/linux/slab.h:490
[  270.449111] [< inline >] kzalloc include/linux/slab.h:636
[  270.449111] [] sctp_association_new+0x6f/0x1f50 net/sctp/associola.c:303
[  270.449111] [] __sctp_connect+0x56a/0xbf0 net/sctp/socket.c:1163
[  270.449111] [] __sctp_setsockopt_connectx+0x182/0x1b0 net/sctp/socket.c:1329
[  270.449111] [< inline >] sctp_setsockopt_connectx net/sctp/socket.c:1361
[  270.449111] [] sctp_setsockopt+0x1009/0x3d70 net/sctp/socket.c:3813
[  270.449111] [] sock_common_setsockopt+0x96/0xd0 net/core/sock.c:2688
[  270.449111] [< inline >] SYSC_setsockopt net/socket.c:1742
[  270.449111] [] SyS_setsockopt+0x154/0x240 net/socket.c:1721
[  270.449111] [] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 21837
[  270.449111] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[  270.449111] [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[  270.449111] [< inline >] set_track mm/kasan/kasan.c:507
[  270.449111] [] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
[  270.449111] [< inline >] slab_free_hook mm/slub.c:1352
[  270.449111] [< inline >] slab_free_freelist_hook mm/slub.c:1374
[  270.449111] [< inline >] slab_free mm/slub.c:2951
[  270.449111] [] kfree+0xe8/0x2b0 mm/slub.c:3871
[  270.449111] [< inline >] sctp_association_destroy net/sctp/associola.c:426
[  270.449111] [] sctp_association_put+0x155/0x250 net/sctp/associola.c:866
[  270.449111] [] sctp_wait_for_connect+0x313/0x460 net/sctp/socket.c:7544
[  270.449111] [] __sctp_connect+0x97b/0xbf0 net/sctp/socket.c:1217
[  270.449111] [] __sctp_setsockopt_connectx+0x182/0x1b0 net/sctp/socket.c:1329
[  270.449111] [< inline >] sctp_setsockopt_connectx net/sctp/socket.c:1361
[  270.449111] [] sctp_setsockopt+0x1009/0x3d70 net/sctp/socket.c:3813
[  270.449111] [] sock_common_setsockopt+0x96/0xd0 net/core/sock.c:2688
[  270.449111] [< inline >] SYSC_setsockopt net/socket.c:1742
[  270.449111] [] SyS_setsockopt+0x154/0x240 net/socket.c:1721
[  270.449111] [] entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
 ffff88006b1dc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
 ffff88006b1dc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88006b1dc600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88006b1dc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88006b1dc700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

sctp_wait_for_connect ends up freeing asoc, which is later accessed to
read asoc->assoc_id.

On commit 1a1891d762d6e64daf07b5be4817e3fbb29e3c59 (Oct 18).
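The following is an added illustration, not part of the report above and not code from net/sctp. It is a toy C model of the ordering bug the report describes: a refcounted object (standing in for the association) whose last reference is dropped inside the callee on the failure path (as the Freed stack shows for sctp_wait_for_connect -> sctp_association_put), after which the caller reads a field from the now-freed object. A shadow flag stands in for KASAN's freed-slab poison so the use-after-free is counted rather than being undefined behaviour. All names (toy_asoc, wait_for_connect, connect_*, run_scenario) are hypothetical. Two fixes are shown side by side: read the field before the call that can free the object, or hold an extra reference across that call.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the association; not struct sctp_association. */
#define POISON_ID 0xfbfbfbfbu   /* stands in for KASAN's freed-slab shadow byte 0xfb */

struct toy_asoc {
	int refcnt;
	uint32_t assoc_id;
	bool freed;                 /* shadow flag standing in for KASAN shadow memory */
};

static int uaf_reports;         /* number of reads that hit a freed object */

static void asoc_hold(struct toy_asoc *a) { a->refcnt++; }

/* Model of the last-put path: refcount reaches zero, object is destroyed. */
static void asoc_put(struct toy_asoc *a)
{
	if (--a->refcnt == 0) {
		a->freed = true;
		a->assoc_id = POISON_ID;   /* what a later read sees at best */
	}
}

/* All field reads go through here so the model can flag use-after-free. */
static uint32_t asoc_read_id(struct toy_asoc *a)
{
	if (a->freed)
		uaf_reports++;           /* this is where KASAN would report */
	return a->assoc_id;
}

/* Model of the wait routine: on failure it drops the reference the caller
 * passed in, which is exactly what makes the caller's later read unsafe. */
static int wait_for_connect(struct toy_asoc *a, bool fail)
{
	if (fail) {
		asoc_put(a);
		return -1;
	}
	return 0;
}

/* Buggy ordering: wait first, then read assoc_id from an object that may be gone. */
static int connect_buggy(struct toy_asoc *a, bool fail, uint32_t *id_out)
{
	int err = wait_for_connect(a, fail);

	*id_out = asoc_read_id(a);   /* use-after-free when the wait freed a */
	return err;
}

/* Fix 1: read the field while the reference is still held, before the wait. */
static int connect_fixed_early_read(struct toy_asoc *a, bool fail, uint32_t *id_out)
{
	*id_out = asoc_read_id(a);
	return wait_for_connect(a, fail);
}

/* Fix 2: keep the object alive across the call with an extra reference. */
static int connect_fixed_hold(struct toy_asoc *a, bool fail, uint32_t *id_out)
{
	int err;

	asoc_hold(a);
	err = wait_for_connect(a, fail);
	*id_out = asoc_read_id(a);   /* still valid: we hold a reference */
	asoc_put(a);
	return err;
}

/* Runs one variant on a fresh object with refcnt 1 and returns how many
 * use-after-free reads the model detected (0 means the ordering is safe). */
static int run_scenario(int (*variant)(struct toy_asoc *, bool, uint32_t *), bool fail)
{
	struct toy_asoc a = { .refcnt = 1, .assoc_id = 42, .freed = false };
	uint32_t id = 0;

	uaf_reports = 0;
	variant(&a, fail, &id);
	return uaf_reports;
}

int main(void)
{
	printf("buggy, wait fails:      %d UAF read(s)\n", run_scenario(connect_buggy, true));
	printf("buggy, wait succeeds:   %d UAF read(s)\n", run_scenario(connect_buggy, false));
	printf("early read, wait fails: %d UAF read(s)\n", run_scenario(connect_fixed_early_read, true));
	printf("hold ref, wait fails:   %d UAF read(s)\n", run_scenario(connect_fixed_hold, true));
	return 0;
}
```

Note that the buggy variant is clean when the wait succeeds and only faults on the failure path, which is why a fuzzer driving connectx() into failing waits is what surfaced it. Of the two fixes, the early read is the smaller change when only one field is needed after the call; holding a reference is the general answer when the caller must keep using the object.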