On Wed, Nov 2, 2016 at 11:42 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Wed, Oct 19, 2016 at 6:57 PM, Marcelo Ricardo Leitner
> <marcelo.leit...@gmail.com> wrote:
>> On Wed, Oct 19, 2016 at 02:25:24PM +0200, Andrey Konovalov wrote:
>>> Hi,
>>>
>>> I've got the following error report while running the syzkaller fuzzer:
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr
>>> ffff88006b1dc610
>>
>> Seems this is the same that Dmitry Vyukov had reported back on Jan 13th.
>> So far I couldn't identify the reason.
>> "Good" to know it's still there, thanks for reporting it.
Hi Marcelo,

So I've looked at the code.

As far as I understand, the problem is a race condition between
setsockopt(SCTP_SOCKOPT_CONNECTX) and shutdown on an sctp socket.

setsockopt() calls sctp_wait_for_connect(), which exits the for loop on
the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc with
sctp_association_put() and returns err = 0.

Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id from
the freed asoc.
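The lifetime bug Andrey describes, rewritten as a small user-space model. This is an added example, not code from the thread or from the kernel: the struct layouts, the event-driven stand-in for the sleeping thread and the poisoning "free" are all constructed here so the read-after-put is deterministic instead of undefined behaviour. The callee does hold/loop/put like sctp_wait_for_connect(); the RCV_SHUTDOWN exit leaves err at 0 while the put drops the last reference, and the caller then trusts err == 0 and reads asoc->assoc_id. The "fixed" caller is one change consistent with that diagnosis (copy the id before the call that may free the object, never touch it afterwards); whether that matches what went upstream is not something this thread states.

```c
#include <stdint.h>
#include <stdio.h>

#define RCV_SHUTDOWN 0x01
#define POISON_ID    0xDEADBEEFu   /* value a freed association reads back as (model only) */

/* Constructed stand-in for what the other thread does while the connecting
 * thread sleeps in sctp_wait_for_connect(): the handshake completes, or
 * shutdown() tears the association down. */
enum event { EV_COOKIE_ACK, EV_SHUTDOWN };

struct sock {
    int sk_shutdown;
    enum event pending;
};

struct sctp_association {
    int refcnt;                  /* 1 = held by the endpoint/socket only */
    int established;
    uint32_t assoc_id;
    struct sock *sk;
};

/* Mock free: poison instead of releasing memory, so a read after the last
 * put yields POISON_ID deterministically (a real kernel would give KASAN's
 * use-after-free report here). */
static void sctp_association_free(struct sctp_association *asoc)
{
    asoc->assoc_id = POISON_ID;
    asoc->sk = NULL;
}

static void sctp_association_hold(struct sctp_association *asoc) { asoc->refcnt++; }

static void sctp_association_put(struct sctp_association *asoc)
{
    if (--asoc->refcnt == 0)
        sctp_association_free(asoc);
}

/* Stands in for schedule_timeout(): the sleeper is woken either by the
 * handshake completing or by shutdown(), which also drops the socket's
 * reference to the association. */
static void wake_with_pending_event(struct sctp_association *asoc)
{
    if (asoc->sk->pending == EV_COOKIE_ACK) {
        asoc->established = 1;
    } else {
        asoc->sk->sk_shutdown |= RCV_SHUTDOWN;
        sctp_association_put(asoc);      /* endpoint's reference goes away */
    }
}

/* Model of sctp_wait_for_connect(): hold, loop, put. On the RCV_SHUTDOWN
 * path it breaks out with err still 0, and the final put frees the asoc. */
static int sctp_wait_for_connect_model(struct sctp_association *asoc)
{
    int err = 0;
    struct sock *sk = asoc->sk;

    sctp_association_hold(asoc);
    for (;;) {
        if (sk->sk_shutdown & RCV_SHUTDOWN)
            break;                       /* err stays 0 */
        if (asoc->established)
            break;
        wake_with_pending_event(asoc);
    }
    sctp_association_put(asoc);
    return err;
}

/* Caller as in the report (__sctp_connect): trusts err == 0 and reads the
 * id from an object the callee may just have freed. */
static uint32_t sctp_connect_buggy(struct sctp_association *asoc)
{
    uint32_t assoc_id = 0;
    int err = sctp_wait_for_connect_model(asoc);
    if (err == 0)
        assoc_id = asoc->assoc_id;       /* use-after-free when shutdown raced */
    return assoc_id;
}

/* Hardened caller (assumed fix): take the id before the call that can drop
 * the last reference, and do not touch *asoc after it returns. */
static uint32_t sctp_connect_fixed(struct sctp_association *asoc)
{
    uint32_t assoc_id = asoc->assoc_id;
    int err = sctp_wait_for_connect_model(asoc);
    return err == 0 ? assoc_id : 0;
}

/* Drive one scenario; returns the id the caller would hand to userspace. */
static uint32_t run(enum event other_thread, int fixed)
{
    struct sock sk = { 0, other_thread };
    struct sctp_association asoc = { 1, 0, 42u, &sk };   /* constructed sample */
    return fixed ? sctp_connect_fixed(&asoc) : sctp_connect_buggy(&asoc);
}

int main(void)
{
    printf("normal connect, buggy caller: 0x%x\n", run(EV_COOKIE_ACK, 0));
    printf("shutdown race,  buggy caller: 0x%x\n", run(EV_SHUTDOWN, 0));
    printf("shutdown race,  fixed caller: 0x%x\n", run(EV_SHUTDOWN, 1));
    return 0;
}
```

The model deliberately changes nothing about how err is reported on the shutdown path; it only removes the dereference after the call that consumed the reference, which is the part KASAN flagged. On a real kernel the equivalent race is one thread in setsockopt(SCTP_SOCKOPT_CONNECTX) while another calls shutdown() on the same socket, as described above.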