KASAN: use-after-free Write in cipso_v4_doi_putdef
paul at paul-moore.com
Wed Mar 3 22:55:04 UTC 2021
On Wed, Mar 3, 2021 at 11:20 AM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, Mar 3, 2021 at 10:53 AM syzbot
> <syzbot+521772a90166b3fca21f at syzkaller.appspotmail.com> wrote:
> > Hello,
> > syzbot found the following issue on:
> > HEAD commit: 7a7fd0de Merge branch 'kmap-conversion-for-5.12' of git://..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=164a74dad00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=779a2568b654c1c6
> > dashboard link: https://syzkaller.appspot.com/bug?extid=521772a90166b3fca21f
> > compiler: Debian clang version 11.0.1-2
> > Unfortunately, I don't have any reproducer for this issue yet.
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+521772a90166b3fca21f at syzkaller.appspotmail.com
> > ==================================================================
> > BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> > BUG: KASAN: use-after-free in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
> > BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
> > BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
> > BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
> > BUG: KASAN: use-after-free in cipso_v4_doi_putdef+0x2d/0x190 net/ipv4/cipso_ipv4.c:586
> > Write of size 4 at addr ffff8880179ecb18 by task syz-executor.5/20110
> Almost surely the same problem as the others, I'm currently chasing
> down a few remaining spots to make sure the fix I'm working on is
I think I've now managed to convince myself that the patch I've got
here is reasonable. I'm looping over a series of tests right now and
plan to let it continue overnight; assuming everything still looks
good in the morning I'll post it.
Thanks for your help.
More information about the Linux-security-module-archive