From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Cong Wang <xiyou.wangcong@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net/ipv4: use-after-free in ipv4_datagram_support_cmsg
Date: Wed, 12 Apr 2017 11:39:16 -0400 [thread overview]
Message-ID: <CAF=yD-++XtWeaVmdhnrwiYLOG84JTMEuZr9mxyTRnde8vE7AFQ@mail.gmail.com> (raw)
In-Reply-To: <CAAeHK+ysUb+yuES_XYYPDWGrXS4VUXLmQRrD2dJTeXDPL5BKpw@mail.gmail.com>
===================
> BUG: KASAN: use-after-free in ipv4_datagram_support_cmsg
> net/ipv4/ip_sockglue.c:500 [inline] at addr ffff880059be0128
Thanks for the report. This is accessing skb->dev from within recvmsg() at line
info->ipi_ifindex = skb->dev->ifindex;
Introduced in 829ae9d61165 ("net-timestamp: allow reading recv cmsg on
errqueue with origin tstamp"). At this time the device may indeed have
gone away. I'm having a look at a way to read this in the receive BH
and store the ifindex.
next prev parent reply other threads:[~2017-04-12 15:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-12 14:44 net/ipv4: use-after-free in ipv4_datagram_support_cmsg Andrey Konovalov
2017-04-12 15:39 ` Willem de Bruijn [this message]
2017-04-12 20:07 ` Cong Wang
2017-04-12 20:47 ` Eric Dumazet
2017-04-12 22:25 ` Willem de Bruijn
2017-04-12 23:26 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAF=yD-++XtWeaVmdhnrwiYLOG84JTMEuZr9mxyTRnde8vE7AFQ@mail.gmail.com' \
--to=willemdebruijn.kernel@gmail.com \
--cc=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kcc@google.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=xiyou.wangcong@gmail.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.