* net/sctp: sctp_datamsg memory leak
@ 2015-12-30 21:24 Dmitry Vyukov
2016-01-08 15:25 ` Marcelo Ricardo Leitner
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Vyukov @ 2015-12-30 21:24 UTC (permalink / raw)
To: Vlad Yasevich, Marcelo Ricardo Leitner, Neil Horman,
David S. Miller, linux-sctp, netdev, LKML
Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin,
Eric Dumazet
Hello,
The following program leads to leak of multiple objects allocated in
sctp_datamsg_from_user:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
long r[50];
int main()
{
memset(r, -1, sizeof(r));
r[0] = syscall(SYS_mmap, 0x20000000ul, 0x100000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul);
r[1] = syscall(SYS_socket, 0x2ul, 0x80801ul, 0x84ul, 0, 0, 0);
memcpy((void*)0x20002f80,
"\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
128);
r[3] = syscall(SYS_bind, r[1], 0x20002f80ul, 0x80ul, 0, 0, 0);
memcpy((void*)0x20003f80,
"\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
128);
r[5] = syscall(SYS_connect, r[1], 0x20003f80ul, 0x80ul, 0, 0, 0);
r[6] = syscall(SYS_pread64, r[1], 0x20000feeul, 0xe5ul, 0x0ul, 0, 0);
memcpy((void*)0x20003000,
"\xdb\x4c\xcc\xa8\x07\xbd\xaa\x58\x7c\x57\x37\x63\xa1\x4d\xdb\x5b\x85\x4e\x37\x3b\x20\xb3\x12\xef\x9b\x75\xf0\x88\x28\xa5\x43\x8e\x56\x59\x3c\x16\xfd\xa0\x01\x4f\x90\x83\x4c\x1b\x22\x3e\xd4\xea\x36\x6f\xb5\x43\x96\x02\x8e\x82\xa1\xc6\x47\xd7\xeb\x08\x56\x6f\x40\xb6\x00\x3f\x52\x38\x99\x2f\x57\x63\x9b\xe4\x0e\xb2\x59\xb2\x59\xbc\x9d\x46\xd0\x52\xd4\x91\xe8\xee\x7f\xcf\x81\xa0\xd5\x10\xc4\x77\xf6\xa1\xa1\x35\xb3\xeb\xb5\x46\xfe\xbc\x83\x74\x9f\x78\xa4\xf1\x0b\xf2\x3a\x41\xc3\x2d\x78\x32\x3b\x88\xe9\xb7\x9f\x56",
128);
r[8] = syscall(SYS_write, r[1], 0x20003000ul, 0x80ul, 0, 0, 0);
memcpy((void*)0x2000332a,
"\xdf\x9a\x13\x9f\x3d\xc5\xd9\xbb\xba\x6d\x46\xb4\xd9\x55\xc0\x39\x0d\xf7\xd0\x9d\x1b\x2b\x8c\xb7\xb2\x52\x8b\xe9\xb8\x73\x6d\x47\x24\x4e\xa3\x1d\xb9\x31\xf1\xae\xa3\x4f\x0f\xd7\xbb\xad\xa7\x4f\xa9\xa3\x2b\x04\xf7\xa8\x5e\x81\x93\x75\x03\x9d\xec\x9a\x03\xbf\xc5\x6c\xb2\xf3\x8b",
69);
r[10] = syscall(SYS_write, r[1], 0x2000332aul, 0x45ul, 0, 0, 0);
r[11] = syscall(SYS_shutdown, r[1], 0x1ul, 0, 0, 0, 0);
memcpy((void*)0x20001919, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
memcpy((void*)0x20001000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
r[14] = syscall(SYS_rename, 0x20001919ul, 0x20001000ul, 0, 0, 0, 0);
*(uint32_t*)0x200013b2 = r[1];
*(uint16_t*)0x200013b6 = (uint16_t)0x9;
*(uint16_t*)0x200013b8 = (uint16_t)0x8;
*(uint32_t*)0x200013ba = r[1];
*(uint16_t*)0x200013be = (uint16_t)0xe77;
*(uint16_t*)0x200013c0 = (uint16_t)0xa036af6cbe637e9d;
*(uint32_t*)0x200013c2 = r[1];
*(uint16_t*)0x200013c6 = (uint16_t)0x8;
*(uint16_t*)0x200013c8 = (uint16_t)0xfffffffffffff1de;
*(uint64_t*)0x20000ff9 = (uint64_t)0x0;
*(uint64_t*)0x20001001 = (uint64_t)0x989680;
*(uint64_t*)0x20001000 = (uint64_t)0x2;
r[27] = syscall(SYS_ppoll, 0x200013b2ul, 0x3ul, 0x20000ff9ul,
0x20001000ul, 0x8ul, 0);
*(uint64_t*)0x20001000 = (uint64_t)0x20001d27;
*(uint64_t*)0x20001008 = (uint64_t)0x39;
*(uint64_t*)0x20001010 = (uint64_t)0x20001ffe;
*(uint64_t*)0x20001018 = (uint64_t)0xd9;
*(uint64_t*)0x20001020 = (uint64_t)0x20001323;
*(uint64_t*)0x20001028 = (uint64_t)0xfb;
*(uint64_t*)0x20001030 = (uint64_t)0x20000fe3;
*(uint64_t*)0x20001038 = (uint64_t)0x1c;
*(uint64_t*)0x20001040 = (uint64_t)0x20001fc6;
*(uint64_t*)0x20001048 = (uint64_t)0xea;
memcpy((void*)0x20001d27,
"\x5d\x27\xd4\x12\xc2\x99\xce\x3f\x64\x88\x1f\x2f\xb1\xe9\xcb\x5c\x1e\x23\x13\xa1\xbb\x1c\xf0\xb3\x76\xa5\xfd\xf6\x0e\x87\xaf\x9f\x68\x47\xb2\x7a\x2e\xb2\xea\x18\xd6\x2a\x9b\xf5\xce\xaa\x33\x6c\x0a\x2d\xdb\x2b\xf7\x6c\xb5\x38\x31",
57);
memcpy((void*)0x20001ffe,
"\x01\xea\x49\xef\x6c\x2c\x8c\x64\xcd\x39\xcf\xc2\x8c\xba\xd0\x02\x04\x31\x51\x56\x62\x19\xdf\x09\x07\x87\x4f\xf6\x5d\x57\xcc\xea\x52\x02\xc3\x2b\xae\x62\x8e\xf1\x31\xa2\x5e\xf8\x69\x83\xe2\x47\x03\x5a\x2e\x35\x75\x07\xd0\xe6\x8e\x1b\x31\x4b\xef\xf4\x8a\xb4\x7b\xf1\x3a\x9c\x96\xa6\x90\xa0\x3a\x52\x83\x40\xff\x91\x50\x9f\xeb\x98\x9f\xcc\x24\xf6\x46\x1e\xe9\xa5\x34\x35\x9e\x1d\x03\xf4\x9e\x05\x6c\x26\xa0\x09\x07\x55\x26\xdd\x7e\x42\x3c\x59\x80\xdc\x86\x3d\xf7\xed\x87\x92\x27\xf0\x83\x03\x44\xaa\xce\x73\x5e\x51\x69\xd3\xce\xbb\xb7\x6d\x67\x04\xaa\x5c\x34\x0c\xa7\x0e\xd3\xc8\x9c\xd2\x9a\x61\xf2\xeb\x4a\xbf\x89\x30\xfb\xef\x76\x9a\xe6\x6a\xac\x32\x5e\xa3\xc3\x5d\x09\xe2\xc5\x2a\xe4\x83\x81\x76\xa5\x3d\x7f\xa2\xf3\xa4\x7a\x28\x00\x9a\xfe\xcc\x8f\x5b\x24\x74\x73\x72\x2a\x5d\xbb\xd2\xe7\xc3\xb9\xab\xfd\x20\x74\xc9\xc0\x67\xeb\x1b\x06\x8d\x01\x7b\x85\x5f\x11\xbe\x76",
217);
memcpy((void*)0x20001323,
"\xd7\x13\xc9\x4c\x56\x6e\x36\x52\x01\xcc\x2d\xf6\xbf\xdf\x25\xfb\x80\xb3\x4c\xbb\xcd\x6c\x20\x5b\xdb\x31\x38\x6a\x3f\x1a\xd1\x03\xf8\x2a\x4f\x0f\xe0\x61\xe3\x78\x09\x90\x4f\xea\x4e\x56\x87\x30\x3c\xea\xc2\xb2\x68\xaf\x3b\x40\x73\x78\xa1\x0e\xe9\x26\x50\x2a\x36\x83\xfb\x09\x0d\x23\x70\xc4\x9b\xef\xae\x19\x7a\x3d\x4d\x11\xfb\x8f\xa1\xbc\x0f\xac\xed\x59\x53\xf2\xc2\xce\xdd\x9b\x17\xd9\x1a\xbd\xfe\xe2\x33\x92\xbc\x29\x44\xb1\xa7\xc2\x99\xb9\x5c\xab\xff\x21\x91\xb3\xc3\xc1\xd4\xc6\x35\x4c\xdd\x01\x5a\x4c\x11\x6a\x90\xe6\xe3\x06\xcc\xdc\x99\x26\xfa\xba\x53\xe8\xdb\x4a\x96\x68\x16\xd3\x81\x92\xa7\x33\x97\x96\xbd\x2a\xc0\xc5\x3c\x07\x8a\x43\x1a\x32\x75\x1e\xbb\x9b\xee\xe9\x57\x04\x9d\xd2\xcd\x79\xaf\xf9\x92\x22\x85\xe3\x96\x6b\xb5\xc0\x4d\xe1\x2f\x74\x0c\x4e\xc8\x98\x35\xa8\xa2\xbc\x78\x2f\xbe\x54\x65\xbe\xde\xce\x89\xf0\xdd\xa4\x04\x31\xfb\x0c\x84\x27\x56\xde\x87\xfc\xa1\xb2\xb7\x5a\xc0\x8d\x40\x00\x18\xd2\x8f\x88\x4b\xa7\x30\xe0\x71\xf0\x6a\xff\x52\x1c\x0a\x62\x9b\xe5\x15\x03\xd6\xe9\x32\xde\x36",
251);
memcpy((void*)0x20000fe3,
"\xdc\xdd\x73\x8c\x00\xdc\x12\xed\xb6\xcb\x96\x7b\x86\x51\x8a\xe4\xdb\x36\xd4\x8a\xd5\xf4\xc1\x09\x0d\xc9\x1b\xea",
28);
memcpy((void*)0x20001fc6,
"\x57\x66\x78\x5b\x85\xc6\x5a\x46\xdf\x4b\x5e\x57\x62\xa1\x0b\x6b\x8c\xe0\x98\x82\x69\xea\x9e\xba\x25\xfe\xb7\x0c\xf4\xb1\xc6\x5d\x75\x47\xea\x87\x7b\x71\xd5\x0e\xb3\xdc\x2a\x2e\x18\xd8\x3a\xf6\x92\xa1\x1f\x1d\xaf\xde\x8c\xb4\x1e\x12\x94\xac\x0f\x89\xc4\xfd\xb0\x64\xd6\x54\x36\x3d\x5f\xd7\x71\x29\x1c\x5e\xc4\xab\x45\x4b\x46\x25\xea\xda\x0d\x2b\xff\x71\x62\x75\xcd\xc2\xea\x2f\x93\x5e\x96\x49\x11\xfe\xdf\x4f\x1f\x8f\x0d\x95\xf8\xd8\x97\xd2\x5c\x51\x43\xbc\xe6\x49\xfd\xe6\x1d\xe4\x20\x75\xf0\x17\xaa\xb4\xc6\x9c\x99\x2c\x41\x82\xe4\x20\x98\x64\x3a\xf5\xb5\x94\x44\xa7\x83\x0a\xe5\x72\x4f\xa7\x7d\xef\xa1\x29\x09\x1b\xa2\xf4\x92\x5c\x82\xf5\xa1\x34\x2f\xb9\x2c\x73\x37\xa5\x07\x43\x8d\xe0\xf5\xc5\xac\x39\x60\x38\x01\xcd\x98\x03\x96\x19\x64\x88\x9b\x5d\xfc\xd2\x7d\x8f\xe2\x11\x2a\xd1\x05\x13\xda\x4e\x33\x5d\xca\x38\xfa\x33\x93\xe0\xfe\x85\x2d\x88\xab\xfa\x7f\x0b\x4e\xeb\xda\xae\xe5\x4e\xbc\x69\x26\xeb\xc5\x19\x09\x4d\x1a\xae\x33\x1d",
234);
r[43] = syscall(SYS_writev, r[1], 0x20001000ul, 0x5ul, 0, 0, 0);
memcpy((void*)0x20000fe4,
"\x6e\x92\x02\x38\x9b\x31\xb5\x3b\x48\xda\x1a\x8a\x7c\x28\x5f\xea\x7e\x94\x87\xf5\x1b\xc5\xe5\xf5\x8a\x9e\x65\x59\x5e\x17\xe4\xca\x25\x6c\xa3\xaa\x49\x30\xe7\x2a\xf4\x17\x53\xfe\x27\x2d\xf4\x66\x87\x36\x97\xbf\xc8\x7d\x43\xdd\x31\x96\x91\x93\x68\xcb\x9b\x8e\x2e\x66\x10\xe9\xc3\xf5\xae\xa6\x57\x15\x18\x13\xbc\xa9\x29\x7c\x26\x04\xb1\x42\xb7\xcd\x86\x15\xb6\xae\xcd\x3b\xb5\xb6\x2f\x79\xec\xa0\x80\x6c\x22\x8d\x38\x1a\x19\x03\x6d\x81\x90\xb7\x96\xeb\xba\x69\xf8\x08\xf7\x6b\x00\x25\x29\x4f\x14\x85\x01\xf6\x98\x96\xe8\x98\x67\x19\x0b\x6b\xfe\xd0\x0d\xee\x89\x15\xdc\x31\x28\x25\x9a\xfc\x62\xdf\xd9\x75\x99\x2e\xdb\xa6\xe4\xd7\x20\x37\x7a\x3a\x27\x6d\x4c\x5a\xf0\xfc\x8c\x05\x11\xde\x3e\x40\x33\x7d\x85\x3d\x4a\xad\x86\x77\x26\x29\xcc\x2b\xf6\x6d\x01\xdd\x71\x8b\x94\x6f\xda\x7a\x6e\x74\x38\x0d\x1f\x73\xc4\x13\x6c\x49\x0c\x10\x07\xe2\x5f\xd0\xdc\xe7\x75\x71\xfa\x52\xe7\x0f\x00\x96\xef\x33\xae\x37\x50\x11\x80\x7d\x22\x96\x7d\x4c\xfe\xd3\x55\x3c\x28\xff\x62\xa3\xf8\x51\x7f\x01\x7e\x26\x00\x3d\x27\x0c\x25\x13",
252);
r[45] = syscall(SYS_setsockopt, r[1], 0x0ul, 0xdul,
0x20000fe4ul, 0xfcul, 0);
r[46] = syscall(SYS_epoll_create1, 0x80000ul, 0, 0, 0, 0, 0);
*(uint32_t*)0x20004000 = (uint32_t)0x80000006;
*(uint64_t*)0x20004004 = (uint64_t)0x8;
r[49] = syscall(SYS_epoll_ctl, r[46], 0x1ul, r[1], 0x20004000ul, 0, 0);
return 0;
}
unreferenced object 0xffff8800678c9920 (size 64):
comm "a.out", pid 6754, jiffies 4294757478 (age 24.056s)
hex dump (first 32 bytes):
28 cc 48 65 00 88 ff ff 28 cc 48 65 00 88 ff ff (.He....(.He....
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
[< inline >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
[< inline >] slab_post_alloc_hook mm/slub.c:1335
[< inline >] slab_alloc_node mm/slub.c:2594
[< inline >] slab_alloc mm/slub.c:2602
[<ffffffff816cc6f8>] kmem_cache_alloc_trace+0x138/0x2f0 mm/slub.c:2619
[< inline >] kmalloc include/linux/slab.h:458
[< inline >] sctp_datamsg_new net/sctp/chunk.c:65
[<ffffffff856f96d4>] sctp_datamsg_from_user+0x84/0xf20 net/sctp/chunk.c:178
[<ffffffff8572ce2a>] sctp_sendmsg+0x18da/0x29f0 net/sctp/socket.c:1947
[<ffffffff84fa4565>] inet_sendmsg+0x2f5/0x4c0 net/ipv4/af_inet.c:736
[< inline >] sock_sendmsg_nosec net/socket.c:610
[<ffffffff84b5cc5a>] sock_sendmsg+0xca/0x110 net/socket.c:620
[<ffffffff84b5ceb6>] sock_write_iter+0x216/0x3a0 net/socket.c:819
[<ffffffff8171320b>] do_iter_readv_writev+0x18b/0x250 fs/read_write.c:664
[<ffffffff81715499>] do_readv_writev+0x3b9/0x6e0 fs/read_write.c:808
[<ffffffff817158f6>] vfs_writev+0x86/0xc0 fs/read_write.c:847
[< inline >] SYSC_writev fs/read_write.c:880
[<ffffffff817183d1>] SyS_writev+0x111/0x2b0 fs/read_write.c:872
[<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
[<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff880064567700 (size 224):
comm "a.out", pid 6754, jiffies 4294757478 (age 24.056s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 95 66 00 88 ff ff ...........f....
backtrace:
[<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
[< inline >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
[< inline >] slab_post_alloc_hook mm/slub.c:1335
[< inline >] slab_alloc_node mm/slub.c:2594
[<ffffffff816cc44d>] kmem_cache_alloc_node+0x16d/0x2e0 mm/slub.c:2630
[<ffffffff84b782ba>] __alloc_skb+0xba/0x5f0 net/core/skbuff.c:216
[< inline >] alloc_skb include/linux/skbuff.h:814
[<ffffffff856fae54>] _sctp_make_chunk+0x34/0x270
net/sctp/sm_make_chunk.c:1372
[< inline >] sctp_make_data net/sctp/sm_make_chunk.c:1405
[<ffffffff856fe270>] sctp_make_datafrag_empty+0x160/0x240
net/sctp/sm_make_chunk.c:737
[<ffffffff856fa136>] sctp_datamsg_from_user+0xae6/0xf20 net/sctp/chunk.c:312
[<ffffffff8572ce2a>] sctp_sendmsg+0x18da/0x29f0 net/sctp/socket.c:1947
[<ffffffff84fa4565>] inet_sendmsg+0x2f5/0x4c0 net/ipv4/af_inet.c:736
[< inline >] sock_sendmsg_nosec net/socket.c:610
[<ffffffff84b5cc5a>] sock_sendmsg+0xca/0x110 net/socket.c:620
[<ffffffff84b5ceb6>] sock_write_iter+0x216/0x3a0 net/socket.c:819
[<ffffffff8171320b>] do_iter_readv_writev+0x18b/0x250 fs/read_write.c:664
[<ffffffff81715499>] do_readv_writev+0x3b9/0x6e0 fs/read_write.c:808
[<ffffffff817158f6>] vfs_writev+0x86/0xc0 fs/read_write.c:847
[< inline >] SYSC_writev fs/read_write.c:880
[<ffffffff817183d1>] SyS_writev+0x111/0x2b0 fs/read_write.c:872
[<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
[<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff88006ac513b0 (size 2048):
comm "a.out", pid 6754, jiffies 4294757478 (age 24.056s)
hex dump (first 32 bytes):
00 03 03 23 00 00 00 00 00 00 00 00 00 00 00 00 ...#............
5d 27 d4 12 c2 99 ce 3f 64 88 1f 2f b1 e9 cb 5c ]'.....?d../...\
backtrace:
[<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
[< inline >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
[< inline >] slab_post_alloc_hook mm/slub.c:1335
[< inline >] slab_alloc_node mm/slub.c:2594
[<ffffffff816d0b77>] __kmalloc_node_track_caller+0x217/0x3e0 mm/slub.c:4096
[<ffffffff84b75f71>] __kmalloc_reserve.isra.31+0x41/0xe0
net/core/skbuff.c:135
[<ffffffff84b782f0>] __alloc_skb+0xf0/0x5f0 net/core/skbuff.c:228
[< inline >] alloc_skb include/linux/skbuff.h:814
[<ffffffff856fae54>] _sctp_make_chunk+0x34/0x270
net/sctp/sm_make_chunk.c:1372
[< inline >] sctp_make_data net/sctp/sm_make_chunk.c:1405
[<ffffffff856fe270>] sctp_make_datafrag_empty+0x160/0x240
net/sctp/sm_make_chunk.c:737
[<ffffffff856fa136>] sctp_datamsg_from_user+0xae6/0xf20 net/sctp/chunk.c:312
[<ffffffff8572ce2a>] sctp_sendmsg+0x18da/0x29f0 net/sctp/socket.c:1947
[<ffffffff84fa4565>] inet_sendmsg+0x2f5/0x4c0 net/ipv4/af_inet.c:736
[< inline >] sock_sendmsg_nosec net/socket.c:610
[<ffffffff84b5cc5a>] sock_sendmsg+0xca/0x110 net/socket.c:620
[<ffffffff84b5ceb6>] sock_write_iter+0x216/0x3a0 net/socket.c:819
[<ffffffff8171320b>] do_iter_readv_writev+0x18b/0x250 fs/read_write.c:664
[<ffffffff81715499>] do_readv_writev+0x3b9/0x6e0 fs/read_write.c:808
[<ffffffff817158f6>] vfs_writev+0x86/0xc0 fs/read_write.c:847
[< inline >] SYSC_writev fs/read_write.c:880
[<ffffffff817183d1>] SyS_writev+0x111/0x2b0 fs/read_write.c:872
[<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
unreferenced object 0xffff88006548cc00 (size 248):
comm "a.out", pid 6754, jiffies 4294757478 (age 24.075s)
hex dump (first 32 bytes):
00 cc 48 65 00 88 ff ff 00 cc 48 65 00 88 ff ff ..He......He....
01 00 00 00 00 00 00 00 18 cc 48 65 00 88 ff ff ..........He....
backtrace:
[<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
[< inline >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
[< inline >] slab_post_alloc_hook mm/slub.c:1335
[< inline >] slab_alloc_node mm/slub.c:2594
[< inline >] slab_alloc mm/slub.c:2602
[<ffffffff816cc14d>] kmem_cache_alloc+0x12d/0x2c0 mm/slub.c:2607
[< inline >] kmem_cache_zalloc include/linux/slab.h:592
[<ffffffff856fabcc>] sctp_chunkify+0x4c/0x2a0 net/sctp/sm_make_chunk.c:1316
[<ffffffff856faf73>] _sctp_make_chunk+0x153/0x270
net/sctp/sm_make_chunk.c:1384
[< inline >] sctp_make_data net/sctp/sm_make_chunk.c:1405
[<ffffffff856fe270>] sctp_make_datafrag_empty+0x160/0x240
net/sctp/sm_make_chunk.c:737
[<ffffffff856fa136>] sctp_datamsg_from_user+0xae6/0xf20 net/sctp/chunk.c:312
[<ffffffff8572ce2a>] sctp_sendmsg+0x18da/0x29f0 net/sctp/socket.c:1947
[<ffffffff84fa4565>] inet_sendmsg+0x2f5/0x4c0 net/ipv4/af_inet.c:736
[< inline >] sock_sendmsg_nosec net/socket.c:610
[<ffffffff84b5cc5a>] sock_sendmsg+0xca/0x110 net/socket.c:620
[<ffffffff84b5ceb6>] sock_write_iter+0x216/0x3a0 net/socket.c:819
[<ffffffff8171320b>] do_iter_readv_writev+0x18b/0x250 fs/read_write.c:664
[<ffffffff81715499>] do_readv_writev+0x3b9/0x6e0 fs/read_write.c:808
[<ffffffff817158f6>] vfs_writev+0x86/0xc0 fs/read_write.c:847
[< inline >] SYSC_writev fs/read_write.c:880
[<ffffffff817183d1>] SyS_writev+0x111/0x2b0 fs/read_write.c:872
[<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
[<ffffffffffffffff>] 0xffffffffffffffff
On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net/sctp: sctp_datamsg memory leak
2015-12-30 21:24 net/sctp: sctp_datamsg memory leak Dmitry Vyukov
@ 2016-01-08 15:25 ` Marcelo Ricardo Leitner
2016-01-15 18:47 ` Marcelo Ricardo Leitner
2016-01-15 18:55 ` Dmitry Vyukov
0 siblings, 2 replies; 5+ messages in thread
From: Marcelo Ricardo Leitner @ 2016-01-08 15:25 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: Vlad Yasevich, Neil Horman, David S. Miller, linux-sctp, netdev,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
Sasha Levin, Eric Dumazet
On Wed, Dec 30, 2015 at 10:24:19PM +0100, Dmitry Vyukov wrote:
> Hello,
>
> The following program leads to leak of multiple objects allocated in
> sctp_datamsg_from_user:
>
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
> #include <string.h>
> #include <stdint.h>
> #include <pthread.h>
>
> long r[50];
>
> int main()
> {
> memset(r, -1, sizeof(r));
> r[0] = syscall(SYS_mmap, 0x20000000ul, 0x100000ul, 0x3ul,
> 0x32ul, 0xfffffffffffffffful, 0x0ul);
> r[1] = syscall(SYS_socket, 0x2ul, 0x80801ul, 0x84ul, 0, 0, 0);
> memcpy((void*)0x20002f80,
> "\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
> 128);
> r[3] = syscall(SYS_bind, r[1], 0x20002f80ul, 0x80ul, 0, 0, 0);
> memcpy((void*)0x20003f80,
> "\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
> 128);
> r[5] = syscall(SYS_connect, r[1], 0x20003f80ul, 0x80ul, 0, 0, 0);
> r[6] = syscall(SYS_pread64, r[1], 0x20000feeul, 0xe5ul, 0x0ul, 0, 0);
> memcpy((void*)0x20003000,
> "\xdb\x4c\xcc\xa8\x07\xbd\xaa\x58\x7c\x57\x37\x63\xa1\x4d\xdb\x5b\x85\x4e\x37\x3b\x20\xb3\x12\xef\x9b\x75\xf0\x88\x28\xa5\x43\x8e\x56\x59\x3c\x16\xfd\xa0\x01\x4f\x90\x83\x4c\x1b\x22\x3e\xd4\xea\x36\x6f\xb5\x43\x96\x02\x8e\x82\xa1\xc6\x47\xd7\xeb\x08\x56\x6f\x40\xb6\x00\x3f\x52\x38\x99\x2f\x57\x63\x9b\xe4\x0e\xb2\x59\xb2\x59\xbc\x9d\x46\xd0\x52\xd4\x91\xe8\xee\x7f\xcf\x81\xa0\xd5\x10\xc4\x77\xf6\xa1\xa1\x35\xb3\xeb\xb5\x46\xfe\xbc\x83\x74\x9f\x78\xa4\xf1\x0b\xf2\x3a\x41\xc3\x2d\x78\x32\x3b\x88\xe9\xb7\x9f\x56",
> 128);
> r[8] = syscall(SYS_write, r[1], 0x20003000ul, 0x80ul, 0, 0, 0);
> memcpy((void*)0x2000332a,
> "\xdf\x9a\x13\x9f\x3d\xc5\xd9\xbb\xba\x6d\x46\xb4\xd9\x55\xc0\x39\x0d\xf7\xd0\x9d\x1b\x2b\x8c\xb7\xb2\x52\x8b\xe9\xb8\x73\x6d\x47\x24\x4e\xa3\x1d\xb9\x31\xf1\xae\xa3\x4f\x0f\xd7\xbb\xad\xa7\x4f\xa9\xa3\x2b\x04\xf7\xa8\x5e\x81\x93\x75\x03\x9d\xec\x9a\x03\xbf\xc5\x6c\xb2\xf3\x8b",
> 69);
> r[10] = syscall(SYS_write, r[1], 0x2000332aul, 0x45ul, 0, 0, 0);
> r[11] = syscall(SYS_shutdown, r[1], 0x1ul, 0, 0, 0, 0);
> memcpy((void*)0x20001919, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
> memcpy((void*)0x20001000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
> r[14] = syscall(SYS_rename, 0x20001919ul, 0x20001000ul, 0, 0, 0, 0);
> *(uint32_t*)0x200013b2 = r[1];
> *(uint16_t*)0x200013b6 = (uint16_t)0x9;
> *(uint16_t*)0x200013b8 = (uint16_t)0x8;
> *(uint32_t*)0x200013ba = r[1];
> *(uint16_t*)0x200013be = (uint16_t)0xe77;
> *(uint16_t*)0x200013c0 = (uint16_t)0xa036af6cbe637e9d;
> *(uint32_t*)0x200013c2 = r[1];
> *(uint16_t*)0x200013c6 = (uint16_t)0x8;
> *(uint16_t*)0x200013c8 = (uint16_t)0xfffffffffffff1de;
> *(uint64_t*)0x20000ff9 = (uint64_t)0x0;
> *(uint64_t*)0x20001001 = (uint64_t)0x989680;
> *(uint64_t*)0x20001000 = (uint64_t)0x2;
> r[27] = syscall(SYS_ppoll, 0x200013b2ul, 0x3ul, 0x20000ff9ul,
> 0x20001000ul, 0x8ul, 0);
> *(uint64_t*)0x20001000 = (uint64_t)0x20001d27;
> *(uint64_t*)0x20001008 = (uint64_t)0x39;
> *(uint64_t*)0x20001010 = (uint64_t)0x20001ffe;
> *(uint64_t*)0x20001018 = (uint64_t)0xd9;
> *(uint64_t*)0x20001020 = (uint64_t)0x20001323;
> *(uint64_t*)0x20001028 = (uint64_t)0xfb;
> *(uint64_t*)0x20001030 = (uint64_t)0x20000fe3;
> *(uint64_t*)0x20001038 = (uint64_t)0x1c;
> *(uint64_t*)0x20001040 = (uint64_t)0x20001fc6;
> *(uint64_t*)0x20001048 = (uint64_t)0xea;
> memcpy((void*)0x20001d27,
> "\x5d\x27\xd4\x12\xc2\x99\xce\x3f\x64\x88\x1f\x2f\xb1\xe9\xcb\x5c\x1e\x23\x13\xa1\xbb\x1c\xf0\xb3\x76\xa5\xfd\xf6\x0e\x87\xaf\x9f\x68\x47\xb2\x7a\x2e\xb2\xea\x18\xd6\x2a\x9b\xf5\xce\xaa\x33\x6c\x0a\x2d\xdb\x2b\xf7\x6c\xb5\x38\x31",
> 57);
> memcpy((void*)0x20001ffe,
> "\x01\xea\x49\xef\x6c\x2c\x8c\x64\xcd\x39\xcf\xc2\x8c\xba\xd0\x02\x04\x31\x51\x56\x62\x19\xdf\x09\x07\x87\x4f\xf6\x5d\x57\xcc\xea\x52\x02\xc3\x2b\xae\x62\x8e\xf1\x31\xa2\x5e\xf8\x69\x83\xe2\x47\x03\x5a\x2e\x35\x75\x07\xd0\xe6\x8e\x1b\x31\x4b\xef\xf4\x8a\xb4\x7b\xf1\x3a\x9c\x96\xa6\x90\xa0\x3a\x52\x83\x40\xff\x91\x50\x9f\xeb\x98\x9f\xcc\x24\xf6\x46\x1e\xe9\xa5\x34\x35\x9e\x1d\x03\xf4\x9e\x05\x6c\x26\xa0\x09\x07\x55\x26\xdd\x7e\x42\x3c\x59\x80\xdc\x86\x3d\xf7\xed\x87\x92\x27\xf0\x83\x03\x44\xaa\xce\x73\x5e\x51\x69\xd3\xce\xbb\xb7\x6d\x67\x04\xaa\x5c\x34\x0c\xa7\x0e\xd3\xc8\x9c\xd2\x9a\x61\xf2\xeb\x4a\xbf\x89\x30\xfb\xef\x76\x9a\xe6\x6a\xac\x32\x5e\xa3\xc3\x5d\x09\xe2\xc5\x2a\xe4\x83\x81\x76\xa5\x3d\x7f\xa2\xf3\xa4\x7a\x28\x00\x9a\xfe\xcc\x8f\x5b\x24\x74\x73\x72\x2a\x5d\xbb\xd2\xe7\xc3\xb9\xab\xfd\x20\x74\xc9\xc0\x67\xeb\x1b\x06\x8d\x01\x7b\x85\x5f\x11\xbe\x76",
> 217);
> memcpy((void*)0x20001323,
> "\xd7\x13\xc9\x4c\x56\x6e\x36\x52\x01\xcc\x2d\xf6\xbf\xdf\x25\xfb\x80\xb3\x4c\xbb\xcd\x6c\x20\x5b\xdb\x31\x38\x6a\x3f\x1a\xd1\x03\xf8\x2a\x4f\x0f\xe0\x61\xe3\x78\x09\x90\x4f\xea\x4e\x56\x87\x30\x3c\xea\xc2\xb2\x68\xaf\x3b\x40\x73\x78\xa1\x0e\xe9\x26\x50\x2a\x36\x83\xfb\x09\x0d\x23\x70\xc4\x9b\xef\xae\x19\x7a\x3d\x4d\x11\xfb\x8f\xa1\xbc\x0f\xac\xed\x59\x53\xf2\xc2\xce\xdd\x9b\x17\xd9\x1a\xbd\xfe\xe2\x33\x92\xbc\x29\x44\xb1\xa7\xc2\x99\xb9\x5c\xab\xff\x21\x91\xb3\xc3\xc1\xd4\xc6\x35\x4c\xdd\x01\x5a\x4c\x11\x6a\x90\xe6\xe3\x06\xcc\xdc\x99\x26\xfa\xba\x53\xe8\xdb\x4a\x96\x68\x16\xd3\x81\x92\xa7\x33\x97\x96\xbd\x2a\xc0\xc5\x3c\x07\x8a\x43\x1a\x32\x75\x1e\xbb\x9b\xee\xe9\x57\x04\x9d\xd2\xcd\x79\xaf\xf9\x92\x22\x85\xe3\x96\x6b\xb5\xc0\x4d\xe1\x2f\x74\x0c\x4e\xc8\x98\x35\xa8\xa2\xbc\x78\x2f\xbe\x54\x65\xbe\xde\xce\x89\xf0\xdd\xa4\x04\x31\xfb\x0c\x84\x27\x56\xde\x87\xfc\xa1\xb2\xb7\x5a\xc0\x8d\x40\x00\x18\xd2\x8f\x88\x4b\xa7\x30\xe0\x71\xf0\x6a\xff\x52\x1c\x0a\x62\x9b\xe5\x15\x03\xd6!
> \xe9\x32\
> xde\x36",
> 251);
Please clarify this line. It doesn't compile as-is and the len doesn't
match the data itself.
> memcpy((void*)0x20000fe3,
> "\xdc\xdd\x73\x8c\x00\xdc\x12\xed\xb6\xcb\x96\x7b\x86\x51\x8a\xe4\xdb\x36\xd4\x8a\xd5\xf4\xc1\x09\x0d\xc9\x1b\xea",
> 28);
> memcpy((void*)0x20001fc6,
> "\x57\x66\x78\x5b\x85\xc6\x5a\x46\xdf\x4b\x5e\x57\x62\xa1\x0b\x6b\x8c\xe0\x98\x82\x69\xea\x9e\xba\x25\xfe\xb7\x0c\xf4\xb1\xc6\x5d\x75\x47\xea\x87\x7b\x71\xd5\x0e\xb3\xdc\x2a\x2e\x18\xd8\x3a\xf6\x92\xa1\x1f\x1d\xaf\xde\x8c\xb4\x1e\x12\x94\xac\x0f\x89\xc4\xfd\xb0\x64\xd6\x54\x36\x3d\x5f\xd7\x71\x29\x1c\x5e\xc4\xab\x45\x4b\x46\x25\xea\xda\x0d\x2b\xff\x71\x62\x75\xcd\xc2\xea\x2f\x93\x5e\x96\x49\x11\xfe\xdf\x4f\x1f\x8f\x0d\x95\xf8\xd8\x97\xd2\x5c\x51\x43\xbc\xe6\x49\xfd\xe6\x1d\xe4\x20\x75\xf0\x17\xaa\xb4\xc6\x9c\x99\x2c\x41\x82\xe4\x20\x98\x64\x3a\xf5\xb5\x94\x44\xa7\x83\x0a\xe5\x72\x4f\xa7\x7d\xef\xa1\x29\x09\x1b\xa2\xf4\x92\x5c\x82\xf5\xa1\x34\x2f\xb9\x2c\x73\x37\xa5\x07\x43\x8d\xe0\xf5\xc5\xac\x39\x60\x38\x01\xcd\x98\x03\x96\x19\x64\x88\x9b\x5d\xfc\xd2\x7d\x8f\xe2\x11\x2a\xd1\x05\x13\xda\x4e\x33\x5d\xca\x38\xfa\x33\x93\xe0\xfe\x85\x2d\x88\xab\xfa\x7f\x0b\x4e\xeb\xda\xae\xe5\x4e\xbc\x69\x26\xeb\xc5\x19\x09\x4d\x1a\xae\x33\x1d",
> 234);
> r[43] = syscall(SYS_writev, r[1], 0x20001000ul, 0x5ul, 0, 0, 0);
> memcpy((void*)0x20000fe4,
> "\x6e\x92\x02\x38\x9b\x31\xb5\x3b\x48\xda\x1a\x8a\x7c\x28\x5f\xea\x7e\x94\x87\xf5\x1b\xc5\xe5\xf5\x8a\x9e\x65\x59\x5e\x17\xe4\xca\x25\x6c\xa3\xaa\x49\x30\xe7\x2a\xf4\x17\x53\xfe\x27\x2d\xf4\x66\x87\x36\x97\xbf\xc8\x7d\x43\xdd\x31\x96\x91\x93\x68\xcb\x9b\x8e\x2e\x66\x10\xe9\xc3\xf5\xae\xa6\x57\x15\x18\x13\xbc\xa9\x29\x7c\x26\x04\xb1\x42\xb7\xcd\x86\x15\xb6\xae\xcd\x3b\xb5\xb6\x2f\x79\xec\xa0\x80\x6c\x22\x8d\x38\x1a\x19\x03\x6d\x81\x90\xb7\x96\xeb\xba\x69\xf8\x08\xf7\x6b\x00\x25\x29\x4f\x14\x85\x01\xf6\x98\x96\xe8\x98\x67\x19\x0b\x6b\xfe\xd0\x0d\xee\x89\x15\xdc\x31\x28\x25\x9a\xfc\x62\xdf\xd9\x75\x99\x2e\xdb\xa6\xe4\xd7\x20\x37\x7a\x3a\x27\x6d\x4c\x5a\xf0\xfc\x8c\x05\x11\xde\x3e\x40\x33\x7d\x85\x3d\x4a\xad\x86\x77\x26\x29\xcc\x2b\xf6\x6d\x01\xdd\x71\x8b\x94\x6f\xda\x7a\x6e\x74\x38\x0d\x1f\x73\xc4\x13\x6c\x49\x0c\x10\x07\xe2\x5f\xd0\xdc\xe7\x75\x71\xfa\x52\xe7\x0f\x00\x96\xef\x33\xae\x37\x50\x11\x80\x7d\x22\x96\x7d\x4c\xfe\xd3\x55\x3c\x28\xff\x62\xa3\xf8\x51\x7f\x01\x7e\x26\x00!
> \x3d\x27\
> x0c\x25\x13",
> 252);
Also happened here
> r[45] = syscall(SYS_setsockopt, r[1], 0x0ul, 0xdul,
> 0x20000fe4ul, 0xfcul, 0);
> r[46] = syscall(SYS_epoll_create1, 0x80000ul, 0, 0, 0, 0, 0);
> *(uint32_t*)0x20004000 = (uint32_t)0x80000006;
> *(uint64_t*)0x20004004 = (uint64_t)0x8;
> r[49] = syscall(SYS_epoll_ctl, r[46], 0x1ul, r[1], 0x20004000ul, 0, 0);
> return 0;
> }
All these leaks, due to the leak of a single sctp_datamsg, and all it's
bundled with it. Probably from the last writev, but not sure yet.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net/sctp: sctp_datamsg memory leak
2016-01-08 15:25 ` Marcelo Ricardo Leitner
@ 2016-01-15 18:47 ` Marcelo Ricardo Leitner
2016-01-15 18:55 ` Dmitry Vyukov
1 sibling, 0 replies; 5+ messages in thread
From: Marcelo Ricardo Leitner @ 2016-01-15 18:47 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: Vlad Yasevich, Neil Horman, David S. Miller, linux-sctp, netdev,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
Sasha Levin, Eric Dumazet
On Fri, Jan 08, 2016 at 01:25:07PM -0200, Marcelo Ricardo Leitner wrote:
> On Wed, Dec 30, 2015 at 10:24:19PM +0100, Dmitry Vyukov wrote:
> > Hello,
> >
> > The following program leads to leak of multiple objects allocated in
> > sctp_datamsg_from_user:
> >
> >
> > // autogenerated by syzkaller (http://github.com/google/syzkaller)
> > #include <unistd.h>
> > #include <sys/syscall.h>
> > #include <string.h>
> > #include <stdint.h>
> > #include <pthread.h>
> >
> > long r[50];
> >
> > int main()
> > {
> > memset(r, -1, sizeof(r));
> > r[0] = syscall(SYS_mmap, 0x20000000ul, 0x100000ul, 0x3ul,
> > 0x32ul, 0xfffffffffffffffful, 0x0ul);
> > r[1] = syscall(SYS_socket, 0x2ul, 0x80801ul, 0x84ul, 0, 0, 0);
> > memcpy((void*)0x20002f80,
> > "\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
> > 128);
> > r[3] = syscall(SYS_bind, r[1], 0x20002f80ul, 0x80ul, 0, 0, 0);
> > memcpy((void*)0x20003f80,
> > "\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
> > 128);
> > r[5] = syscall(SYS_connect, r[1], 0x20003f80ul, 0x80ul, 0, 0, 0);
> > r[6] = syscall(SYS_pread64, r[1], 0x20000feeul, 0xe5ul, 0x0ul, 0, 0);
> > memcpy((void*)0x20003000,
> > "\xdb\x4c\xcc\xa8\x07\xbd\xaa\x58\x7c\x57\x37\x63\xa1\x4d\xdb\x5b\x85\x4e\x37\x3b\x20\xb3\x12\xef\x9b\x75\xf0\x88\x28\xa5\x43\x8e\x56\x59\x3c\x16\xfd\xa0\x01\x4f\x90\x83\x4c\x1b\x22\x3e\xd4\xea\x36\x6f\xb5\x43\x96\x02\x8e\x82\xa1\xc6\x47\xd7\xeb\x08\x56\x6f\x40\xb6\x00\x3f\x52\x38\x99\x2f\x57\x63\x9b\xe4\x0e\xb2\x59\xb2\x59\xbc\x9d\x46\xd0\x52\xd4\x91\xe8\xee\x7f\xcf\x81\xa0\xd5\x10\xc4\x77\xf6\xa1\xa1\x35\xb3\xeb\xb5\x46\xfe\xbc\x83\x74\x9f\x78\xa4\xf1\x0b\xf2\x3a\x41\xc3\x2d\x78\x32\x3b\x88\xe9\xb7\x9f\x56",
> > 128);
> > r[8] = syscall(SYS_write, r[1], 0x20003000ul, 0x80ul, 0, 0, 0);
> > memcpy((void*)0x2000332a,
> > "\xdf\x9a\x13\x9f\x3d\xc5\xd9\xbb\xba\x6d\x46\xb4\xd9\x55\xc0\x39\x0d\xf7\xd0\x9d\x1b\x2b\x8c\xb7\xb2\x52\x8b\xe9\xb8\x73\x6d\x47\x24\x4e\xa3\x1d\xb9\x31\xf1\xae\xa3\x4f\x0f\xd7\xbb\xad\xa7\x4f\xa9\xa3\x2b\x04\xf7\xa8\x5e\x81\x93\x75\x03\x9d\xec\x9a\x03\xbf\xc5\x6c\xb2\xf3\x8b",
> > 69);
> > r[10] = syscall(SYS_write, r[1], 0x2000332aul, 0x45ul, 0, 0, 0);
> > r[11] = syscall(SYS_shutdown, r[1], 0x1ul, 0, 0, 0, 0);
> > memcpy((void*)0x20001919, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
> > memcpy((void*)0x20001000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
> > r[14] = syscall(SYS_rename, 0x20001919ul, 0x20001000ul, 0, 0, 0, 0);
> > *(uint32_t*)0x200013b2 = r[1];
> > *(uint16_t*)0x200013b6 = (uint16_t)0x9;
> > *(uint16_t*)0x200013b8 = (uint16_t)0x8;
> > *(uint32_t*)0x200013ba = r[1];
> > *(uint16_t*)0x200013be = (uint16_t)0xe77;
> > *(uint16_t*)0x200013c0 = (uint16_t)0xa036af6cbe637e9d;
> > *(uint32_t*)0x200013c2 = r[1];
> > *(uint16_t*)0x200013c6 = (uint16_t)0x8;
> > *(uint16_t*)0x200013c8 = (uint16_t)0xfffffffffffff1de;
> > *(uint64_t*)0x20000ff9 = (uint64_t)0x0;
> > *(uint64_t*)0x20001001 = (uint64_t)0x989680;
> > *(uint64_t*)0x20001000 = (uint64_t)0x2;
> > r[27] = syscall(SYS_ppoll, 0x200013b2ul, 0x3ul, 0x20000ff9ul,
> > 0x20001000ul, 0x8ul, 0);
> > *(uint64_t*)0x20001000 = (uint64_t)0x20001d27;
> > *(uint64_t*)0x20001008 = (uint64_t)0x39;
> > *(uint64_t*)0x20001010 = (uint64_t)0x20001ffe;
> > *(uint64_t*)0x20001018 = (uint64_t)0xd9;
> > *(uint64_t*)0x20001020 = (uint64_t)0x20001323;
> > *(uint64_t*)0x20001028 = (uint64_t)0xfb;
> > *(uint64_t*)0x20001030 = (uint64_t)0x20000fe3;
> > *(uint64_t*)0x20001038 = (uint64_t)0x1c;
> > *(uint64_t*)0x20001040 = (uint64_t)0x20001fc6;
> > *(uint64_t*)0x20001048 = (uint64_t)0xea;
> > memcpy((void*)0x20001d27,
> > "\x5d\x27\xd4\x12\xc2\x99\xce\x3f\x64\x88\x1f\x2f\xb1\xe9\xcb\x5c\x1e\x23\x13\xa1\xbb\x1c\xf0\xb3\x76\xa5\xfd\xf6\x0e\x87\xaf\x9f\x68\x47\xb2\x7a\x2e\xb2\xea\x18\xd6\x2a\x9b\xf5\xce\xaa\x33\x6c\x0a\x2d\xdb\x2b\xf7\x6c\xb5\x38\x31",
> > 57);
> > memcpy((void*)0x20001ffe,
> > "\x01\xea\x49\xef\x6c\x2c\x8c\x64\xcd\x39\xcf\xc2\x8c\xba\xd0\x02\x04\x31\x51\x56\x62\x19\xdf\x09\x07\x87\x4f\xf6\x5d\x57\xcc\xea\x52\x02\xc3\x2b\xae\x62\x8e\xf1\x31\xa2\x5e\xf8\x69\x83\xe2\x47\x03\x5a\x2e\x35\x75\x07\xd0\xe6\x8e\x1b\x31\x4b\xef\xf4\x8a\xb4\x7b\xf1\x3a\x9c\x96\xa6\x90\xa0\x3a\x52\x83\x40\xff\x91\x50\x9f\xeb\x98\x9f\xcc\x24\xf6\x46\x1e\xe9\xa5\x34\x35\x9e\x1d\x03\xf4\x9e\x05\x6c\x26\xa0\x09\x07\x55\x26\xdd\x7e\x42\x3c\x59\x80\xdc\x86\x3d\xf7\xed\x87\x92\x27\xf0\x83\x03\x44\xaa\xce\x73\x5e\x51\x69\xd3\xce\xbb\xb7\x6d\x67\x04\xaa\x5c\x34\x0c\xa7\x0e\xd3\xc8\x9c\xd2\x9a\x61\xf2\xeb\x4a\xbf\x89\x30\xfb\xef\x76\x9a\xe6\x6a\xac\x32\x5e\xa3\xc3\x5d\x09\xe2\xc5\x2a\xe4\x83\x81\x76\xa5\x3d\x7f\xa2\xf3\xa4\x7a\x28\x00\x9a\xfe\xcc\x8f\x5b\x24\x74\x73\x72\x2a\x5d\xbb\xd2\xe7\xc3\xb9\xab\xfd\x20\x74\xc9\xc0\x67\xeb\x1b\x06\x8d\x01\x7b\x85\x5f\x11\xbe\x76",
> > 217);
> > memcpy((void*)0x20001323,
> > "\xd7\x13\xc9\x4c\x56\x6e\x36\x52\x01\xcc\x2d\xf6\xbf\xdf\x25\xfb\x80\xb3\x4c\xbb\xcd\x6c\x20\x5b\xdb\x31\x38\x6a\x3f\x1a\xd1\x03\xf8\x2a\x4f\x0f\xe0\x61\xe3\x78\x09\x90\x4f\xea\x4e\x56\x87\x30\x3c\xea\xc2\xb2\x68\xaf\x3b\x40\x73\x78\xa1\x0e\xe9\x26\x50\x2a\x36\x83\xfb\x09\x0d\x23\x70\xc4\x9b\xef\xae\x19\x7a\x3d\x4d\x11\xfb\x8f\xa1\xbc\x0f\xac\xed\x59\x53\xf2\xc2\xce\xdd\x9b\x17\xd9\x1a\xbd\xfe\xe2\x33\x92\xbc\x29\x44\xb1\xa7\xc2\x99\xb9\x5c\xab\xff\x21\x91\xb3\xc3\xc1\xd4\xc6\x35\x4c\xdd\x01\x5a\x4c\x11\x6a\x90\xe6\xe3\x06\xcc\xdc\x99\x26\xfa\xba\x53\xe8\xdb\x4a\x96\x68\x16\xd3\x81\x92\xa7\x33\x97\x96\xbd\x2a\xc0\xc5\x3c\x07\x8a\x43\x1a\x32\x75\x1e\xbb\x9b\xee\xe9\x57\x04\x9d\xd2\xcd\x79\xaf\xf9\x92\x22\x85\xe3\x96\x6b\xb5\xc0\x4d\xe1\x2f\x74\x0c\x4e\xc8\x98\x35\xa8\xa2\xbc\x78\x2f\xbe\x54\x65\xbe\xde\xce\x89\xf0\xdd\xa4\x04\x31\xfb\x0c\x84\x27\x56\xde\x87\xfc\xa1\xb2\xb7\x5a\xc0\x8d\x40\x00\x18\xd2\x8f\x88\x4b\xa7\x30\xe0\x71\xf0\x6a\xff\x52\x1c\x0a\x62\x9b\xe5\x15\x03\x!
> d6!
> > \xe9\x32\
> > xde\x36",
> > 251);
>
> Please clarify this line. It doesn't compile as-is and the len doesn't
> match the data itself.
What should I use here?
Marcelo
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net/sctp: sctp_datamsg memory leak
2016-01-08 15:25 ` Marcelo Ricardo Leitner
2016-01-15 18:47 ` Marcelo Ricardo Leitner
@ 2016-01-15 18:55 ` Dmitry Vyukov
2016-01-15 19:07 ` Marcelo Ricardo Leitner
1 sibling, 1 reply; 5+ messages in thread
From: Dmitry Vyukov @ 2016-01-15 18:55 UTC (permalink / raw)
To: Marcelo Ricardo Leitner
Cc: Vlad Yasevich, Neil Horman, David S. Miller, linux-sctp, netdev,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
Sasha Levin, Eric Dumazet
On Fri, Jan 8, 2016 at 4:25 PM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Wed, Dec 30, 2015 at 10:24:19PM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program leads to leak of multiple objects allocated in
>> sctp_datamsg_from_user:
>>
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <unistd.h>
>> #include <sys/syscall.h>
>> #include <string.h>
>> #include <stdint.h>
>> #include <pthread.h>
>>
>> long r[50];
>>
>> int main()
>> {
>> memset(r, -1, sizeof(r));
>> r[0] = syscall(SYS_mmap, 0x20000000ul, 0x100000ul, 0x3ul,
>> 0x32ul, 0xfffffffffffffffful, 0x0ul);
>> r[1] = syscall(SYS_socket, 0x2ul, 0x80801ul, 0x84ul, 0, 0, 0);
>> memcpy((void*)0x20002f80,
>> "\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>> 128);
>> r[3] = syscall(SYS_bind, r[1], 0x20002f80ul, 0x80ul, 0, 0, 0);
>> memcpy((void*)0x20003f80,
>> "\x02\x00\x33\xd9\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>> 128);
>> r[5] = syscall(SYS_connect, r[1], 0x20003f80ul, 0x80ul, 0, 0, 0);
>> r[6] = syscall(SYS_pread64, r[1], 0x20000feeul, 0xe5ul, 0x0ul, 0, 0);
>> memcpy((void*)0x20003000,
>> "\xdb\x4c\xcc\xa8\x07\xbd\xaa\x58\x7c\x57\x37\x63\xa1\x4d\xdb\x5b\x85\x4e\x37\x3b\x20\xb3\x12\xef\x9b\x75\xf0\x88\x28\xa5\x43\x8e\x56\x59\x3c\x16\xfd\xa0\x01\x4f\x90\x83\x4c\x1b\x22\x3e\xd4\xea\x36\x6f\xb5\x43\x96\x02\x8e\x82\xa1\xc6\x47\xd7\xeb\x08\x56\x6f\x40\xb6\x00\x3f\x52\x38\x99\x2f\x57\x63\x9b\xe4\x0e\xb2\x59\xb2\x59\xbc\x9d\x46\xd0\x52\xd4\x91\xe8\xee\x7f\xcf\x81\xa0\xd5\x10\xc4\x77\xf6\xa1\xa1\x35\xb3\xeb\xb5\x46\xfe\xbc\x83\x74\x9f\x78\xa4\xf1\x0b\xf2\x3a\x41\xc3\x2d\x78\x32\x3b\x88\xe9\xb7\x9f\x56",
>> 128);
>> r[8] = syscall(SYS_write, r[1], 0x20003000ul, 0x80ul, 0, 0, 0);
>> memcpy((void*)0x2000332a,
>> "\xdf\x9a\x13\x9f\x3d\xc5\xd9\xbb\xba\x6d\x46\xb4\xd9\x55\xc0\x39\x0d\xf7\xd0\x9d\x1b\x2b\x8c\xb7\xb2\x52\x8b\xe9\xb8\x73\x6d\x47\x24\x4e\xa3\x1d\xb9\x31\xf1\xae\xa3\x4f\x0f\xd7\xbb\xad\xa7\x4f\xa9\xa3\x2b\x04\xf7\xa8\x5e\x81\x93\x75\x03\x9d\xec\x9a\x03\xbf\xc5\x6c\xb2\xf3\x8b",
>> 69);
>> r[10] = syscall(SYS_write, r[1], 0x2000332aul, 0x45ul, 0, 0, 0);
>> r[11] = syscall(SYS_shutdown, r[1], 0x1ul, 0, 0, 0, 0);
>> memcpy((void*)0x20001919, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
>> memcpy((void*)0x20001000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
>> r[14] = syscall(SYS_rename, 0x20001919ul, 0x20001000ul, 0, 0, 0, 0);
>> *(uint32_t*)0x200013b2 = r[1];
>> *(uint16_t*)0x200013b6 = (uint16_t)0x9;
>> *(uint16_t*)0x200013b8 = (uint16_t)0x8;
>> *(uint32_t*)0x200013ba = r[1];
>> *(uint16_t*)0x200013be = (uint16_t)0xe77;
>> *(uint16_t*)0x200013c0 = (uint16_t)0xa036af6cbe637e9d;
>> *(uint32_t*)0x200013c2 = r[1];
>> *(uint16_t*)0x200013c6 = (uint16_t)0x8;
>> *(uint16_t*)0x200013c8 = (uint16_t)0xfffffffffffff1de;
>> *(uint64_t*)0x20000ff9 = (uint64_t)0x0;
>> *(uint64_t*)0x20001001 = (uint64_t)0x989680;
>> *(uint64_t*)0x20001000 = (uint64_t)0x2;
>> r[27] = syscall(SYS_ppoll, 0x200013b2ul, 0x3ul, 0x20000ff9ul,
>> 0x20001000ul, 0x8ul, 0);
>> *(uint64_t*)0x20001000 = (uint64_t)0x20001d27;
>> *(uint64_t*)0x20001008 = (uint64_t)0x39;
>> *(uint64_t*)0x20001010 = (uint64_t)0x20001ffe;
>> *(uint64_t*)0x20001018 = (uint64_t)0xd9;
>> *(uint64_t*)0x20001020 = (uint64_t)0x20001323;
>> *(uint64_t*)0x20001028 = (uint64_t)0xfb;
>> *(uint64_t*)0x20001030 = (uint64_t)0x20000fe3;
>> *(uint64_t*)0x20001038 = (uint64_t)0x1c;
>> *(uint64_t*)0x20001040 = (uint64_t)0x20001fc6;
>> *(uint64_t*)0x20001048 = (uint64_t)0xea;
>> memcpy((void*)0x20001d27,
>> "\x5d\x27\xd4\x12\xc2\x99\xce\x3f\x64\x88\x1f\x2f\xb1\xe9\xcb\x5c\x1e\x23\x13\xa1\xbb\x1c\xf0\xb3\x76\xa5\xfd\xf6\x0e\x87\xaf\x9f\x68\x47\xb2\x7a\x2e\xb2\xea\x18\xd6\x2a\x9b\xf5\xce\xaa\x33\x6c\x0a\x2d\xdb\x2b\xf7\x6c\xb5\x38\x31",
>> 57);
>> memcpy((void*)0x20001ffe,
>> "\x01\xea\x49\xef\x6c\x2c\x8c\x64\xcd\x39\xcf\xc2\x8c\xba\xd0\x02\x04\x31\x51\x56\x62\x19\xdf\x09\x07\x87\x4f\xf6\x5d\x57\xcc\xea\x52\x02\xc3\x2b\xae\x62\x8e\xf1\x31\xa2\x5e\xf8\x69\x83\xe2\x47\x03\x5a\x2e\x35\x75\x07\xd0\xe6\x8e\x1b\x31\x4b\xef\xf4\x8a\xb4\x7b\xf1\x3a\x9c\x96\xa6\x90\xa0\x3a\x52\x83\x40\xff\x91\x50\x9f\xeb\x98\x9f\xcc\x24\xf6\x46\x1e\xe9\xa5\x34\x35\x9e\x1d\x03\xf4\x9e\x05\x6c\x26\xa0\x09\x07\x55\x26\xdd\x7e\x42\x3c\x59\x80\xdc\x86\x3d\xf7\xed\x87\x92\x27\xf0\x83\x03\x44\xaa\xce\x73\x5e\x51\x69\xd3\xce\xbb\xb7\x6d\x67\x04\xaa\x5c\x34\x0c\xa7\x0e\xd3\xc8\x9c\xd2\x9a\x61\xf2\xeb\x4a\xbf\x89\x30\xfb\xef\x76\x9a\xe6\x6a\xac\x32\x5e\xa3\xc3\x5d\x09\xe2\xc5\x2a\xe4\x83\x81\x76\xa5\x3d\x7f\xa2\xf3\xa4\x7a\x28\x00\x9a\xfe\xcc\x8f\x5b\x24\x74\x73\x72\x2a\x5d\xbb\xd2\xe7\xc3\xb9\xab\xfd\x20\x74\xc9\xc0\x67\xeb\x1b\x06\x8d\x01\x7b\x85\x5f\x11\xbe\x76",
>> 217);
>> memcpy((void*)0x20001323,
>> "\xd7\x13\xc9\x4c\x56\x6e\x36\x52\x01\xcc\x2d\xf6\xbf\xdf\x25\xfb\x80\xb3\x4c\xbb\xcd\x6c\x20\x5b\xdb\x31\x38\x6a\x3f\x1a\xd1\x03\xf8\x2a\x4f\x0f\xe0\x61\xe3\x78\x09\x90\x4f\xea\x4e\x56\x87\x30\x3c\xea\xc2\xb2\x68\xaf\x3b\x40\x73\x78\xa1\x0e\xe9\x26\x50\x2a\x36\x83\xfb\x09\x0d\x23\x70\xc4\x9b\xef\xae\x19\x7a\x3d\x4d\x11\xfb\x8f\xa1\xbc\x0f\xac\xed\x59\x53\xf2\xc2\xce\xdd\x9b\x17\xd9\x1a\xbd\xfe\xe2\x33\x92\xbc\x29\x44\xb1\xa7\xc2\x99\xb9\x5c\xab\xff\x21\x91\xb3\xc3\xc1\xd4\xc6\x35\x4c\xdd\x01\x5a\x4c\x11\x6a\x90\xe6\xe3\x06\xcc\xdc\x99\x26\xfa\xba\x53\xe8\xdb\x4a\x96\x68\x16\xd3\x81\x92\xa7\x33\x97\x96\xbd\x2a\xc0\xc5\x3c\x07\x8a\x43\x1a\x32\x75\x1e\xbb\x9b\xee\xe9\x57\x04\x9d\xd2\xcd\x79\xaf\xf9\x92\x22\x85\xe3\x96\x6b\xb5\xc0\x4d\xe1\x2f\x74\x0c\x4e\xc8\x98\x35\xa8\xa2\xbc\x78\x2f\xbe\x54\x65\xbe\xde\xce\x89\xf0\xdd\xa4\x04\x31\xfb\x0c\x84\x27\x56\xde\x87\xfc\xa1\xb2\xb7\x5a\xc0\x8d\x40\x00\x18\xd2\x8f\x88\x4b\xa7\x30\xe0\x71\xf0\x6a\xff\x52\x1c\x0a\x62\x9b\xe5\x15\x03\xd6!
>> \xe9\x32\
>> xde\x36",
>> 251);
>
> Please clarify this line. It doesn't compile as-is and the len doesn't
> match the data itself.
I am not sure why there a ! at the end of the line, it wasn't present
in my original program.
Here is a source that compiles for me with -Wall:
https://gist.githubusercontent.com/dvyukov/662ee19898ed25f7db31/raw/3a6cbfa462f8eba67fda90f16198c62159b6b42f/gistfile1.txt
>> memcpy((void*)0x20000fe3,
>> "\xdc\xdd\x73\x8c\x00\xdc\x12\xed\xb6\xcb\x96\x7b\x86\x51\x8a\xe4\xdb\x36\xd4\x8a\xd5\xf4\xc1\x09\x0d\xc9\x1b\xea",
>> 28);
>> memcpy((void*)0x20001fc6,
>> "\x57\x66\x78\x5b\x85\xc6\x5a\x46\xdf\x4b\x5e\x57\x62\xa1\x0b\x6b\x8c\xe0\x98\x82\x69\xea\x9e\xba\x25\xfe\xb7\x0c\xf4\xb1\xc6\x5d\x75\x47\xea\x87\x7b\x71\xd5\x0e\xb3\xdc\x2a\x2e\x18\xd8\x3a\xf6\x92\xa1\x1f\x1d\xaf\xde\x8c\xb4\x1e\x12\x94\xac\x0f\x89\xc4\xfd\xb0\x64\xd6\x54\x36\x3d\x5f\xd7\x71\x29\x1c\x5e\xc4\xab\x45\x4b\x46\x25\xea\xda\x0d\x2b\xff\x71\x62\x75\xcd\xc2\xea\x2f\x93\x5e\x96\x49\x11\xfe\xdf\x4f\x1f\x8f\x0d\x95\xf8\xd8\x97\xd2\x5c\x51\x43\xbc\xe6\x49\xfd\xe6\x1d\xe4\x20\x75\xf0\x17\xaa\xb4\xc6\x9c\x99\x2c\x41\x82\xe4\x20\x98\x64\x3a\xf5\xb5\x94\x44\xa7\x83\x0a\xe5\x72\x4f\xa7\x7d\xef\xa1\x29\x09\x1b\xa2\xf4\x92\x5c\x82\xf5\xa1\x34\x2f\xb9\x2c\x73\x37\xa5\x07\x43\x8d\xe0\xf5\xc5\xac\x39\x60\x38\x01\xcd\x98\x03\x96\x19\x64\x88\x9b\x5d\xfc\xd2\x7d\x8f\xe2\x11\x2a\xd1\x05\x13\xda\x4e\x33\x5d\xca\x38\xfa\x33\x93\xe0\xfe\x85\x2d\x88\xab\xfa\x7f\x0b\x4e\xeb\xda\xae\xe5\x4e\xbc\x69\x26\xeb\xc5\x19\x09\x4d\x1a\xae\x33\x1d",
>> 234);
>> r[43] = syscall(SYS_writev, r[1], 0x20001000ul, 0x5ul, 0, 0, 0);
>> memcpy((void*)0x20000fe4,
>> "\x6e\x92\x02\x38\x9b\x31\xb5\x3b\x48\xda\x1a\x8a\x7c\x28\x5f\xea\x7e\x94\x87\xf5\x1b\xc5\xe5\xf5\x8a\x9e\x65\x59\x5e\x17\xe4\xca\x25\x6c\xa3\xaa\x49\x30\xe7\x2a\xf4\x17\x53\xfe\x27\x2d\xf4\x66\x87\x36\x97\xbf\xc8\x7d\x43\xdd\x31\x96\x91\x93\x68\xcb\x9b\x8e\x2e\x66\x10\xe9\xc3\xf5\xae\xa6\x57\x15\x18\x13\xbc\xa9\x29\x7c\x26\x04\xb1\x42\xb7\xcd\x86\x15\xb6\xae\xcd\x3b\xb5\xb6\x2f\x79\xec\xa0\x80\x6c\x22\x8d\x38\x1a\x19\x03\x6d\x81\x90\xb7\x96\xeb\xba\x69\xf8\x08\xf7\x6b\x00\x25\x29\x4f\x14\x85\x01\xf6\x98\x96\xe8\x98\x67\x19\x0b\x6b\xfe\xd0\x0d\xee\x89\x15\xdc\x31\x28\x25\x9a\xfc\x62\xdf\xd9\x75\x99\x2e\xdb\xa6\xe4\xd7\x20\x37\x7a\x3a\x27\x6d\x4c\x5a\xf0\xfc\x8c\x05\x11\xde\x3e\x40\x33\x7d\x85\x3d\x4a\xad\x86\x77\x26\x29\xcc\x2b\xf6\x6d\x01\xdd\x71\x8b\x94\x6f\xda\x7a\x6e\x74\x38\x0d\x1f\x73\xc4\x13\x6c\x49\x0c\x10\x07\xe2\x5f\xd0\xdc\xe7\x75\x71\xfa\x52\xe7\x0f\x00\x96\xef\x33\xae\x37\x50\x11\x80\x7d\x22\x96\x7d\x4c\xfe\xd3\x55\x3c\x28\xff\x62\xa3\xf8\x51\x7f\x01\x7e\x26\x00!
>> \x3d\x27\
>> x0c\x25\x13",
>> 252);
>
> Also happened here
>
>> r[45] = syscall(SYS_setsockopt, r[1], 0x0ul, 0xdul,
>> 0x20000fe4ul, 0xfcul, 0);
>> r[46] = syscall(SYS_epoll_create1, 0x80000ul, 0, 0, 0, 0, 0);
>> *(uint32_t*)0x20004000 = (uint32_t)0x80000006;
>> *(uint64_t*)0x20004004 = (uint64_t)0x8;
>> r[49] = syscall(SYS_epoll_ctl, r[46], 0x1ul, r[1], 0x20004000ul, 0, 0);
>> return 0;
>> }
>
> All these leaks, due to the leak of a single sctp_datamsg, and all it's
> bundled with it. Probably from the last writev, but not sure yet.
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: net/sctp: sctp_datamsg memory leak
2016-01-15 18:55 ` Dmitry Vyukov
@ 2016-01-15 19:07 ` Marcelo Ricardo Leitner
0 siblings, 0 replies; 5+ messages in thread
From: Marcelo Ricardo Leitner @ 2016-01-15 19:07 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: Vlad Yasevich, Neil Horman, David S. Miller, linux-sctp, netdev,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
Sasha Levin, Eric Dumazet
On Fri, Jan 15, 2016 at 07:55:56PM +0100, Dmitry Vyukov wrote:
> On Fri, Jan 8, 2016 at 4:25 PM, Marcelo Ricardo Leitner
> <marcelo.leitner@gmail.com> wrote:
...
> >> \xe9\x32\
> >> xde\x36",
> >> 251);
> >
> > Please clarify this line. It doesn't compile as-is and the len doesn't
> > match the data itself.
>
> I am not sure why there a ! at the end of the line, it wasn't present
> in my original program.
> Here is a source that compiles for me with -Wall:
> https://gist.githubusercontent.com/dvyukov/662ee19898ed25f7db31/raw/3a6cbfa462f8eba67fda90f16198c62159b6b42f/gistfile1.txt
>
Got it, thanks
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-01-15 19:07 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-30 21:24 net/sctp: sctp_datamsg memory leak Dmitry Vyukov
2016-01-08 15:25 ` Marcelo Ricardo Leitner
2016-01-15 18:47 ` Marcelo Ricardo Leitner
2016-01-15 18:55 ` Dmitry Vyukov
2016-01-15 19:07 ` Marcelo Ricardo Leitner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).