Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-10 Thread Willem de Bruijn
On Wed, May 9, 2018 at 5:05 PM, Willem de Bruijn wrote: > On Wed, May 9, 2018 at 3:36 PM, Eric Dumazet wrote: >> >> >> On 05/09/2018 12:21 PM, Willem de Bruijn wrote: >> >>> Indeed. The skb shared info struct is zeroed by dev_validate_header >>> as a result of dev->hard_header_len exceeding

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Willem de Bruijn
On Wed, May 9, 2018 at 3:36 PM, Eric Dumazet wrote: > > > On 05/09/2018 12:21 PM, Willem de Bruijn wrote: > >> Indeed. The skb shared info struct is zeroed by dev_validate_header >> as a result of dev->hard_header_len exceeding skb->end - skb->data. >> >> Not exactly sure yet how this can happen.

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Eric Dumazet
On 05/09/2018 12:21 PM, Willem de Bruijn wrote: > Indeed. The skb shared info struct is zeroed by dev_validate_header > as a result of dev->hard_header_len exceeding skb->end - skb->data. > > Not exactly sure yet how this can happen. The hard header length space > is accounted for during

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Willem de Bruijn
On Wed, May 9, 2018 at 12:38 PM, Willem de Bruijn wrote: >>> But a crash with the same signature is still occurring, so it should >>> eventually >>> get reported again. C reproducer is here, it works on Linus' tree (commit >>> 036db8bd963):

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Willem de Bruijn
>> But a crash with the same signature is still occurring, so it should >> eventually >> get reported again. C reproducer is here, it works on Linus' tree (commit >> 036db8bd963): https://syzkaller.appspot.com/text?tag=ReproC=105b1ae780 > > This appears to be a separate issue. > > This

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Willem de Bruijn
On Wed, May 9, 2018 at 3:37 AM, Eric Biggers wrote: > On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote: >> On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote: >> > Note: all commands must start from beginning of the line in the email body. >> > >> > I guess

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Eric Biggers
On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote: > On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote: > > Note: all commands must start from beginning of the line in the email body. > > > > I guess skb_probe_transport_header() should be hardened to reject malicious > > packets

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-01-03 Thread Eric Dumazet
On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote: > Note: all commands must start from beginning of the line in the email body. > > I guess skb_probe_transport_header() should be hardened to reject malicious > packets given by user space, instead of being gentle. Although bug triggered for

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-01-03 Thread Eric Dumazet
On Wed, Jan 3, 2018 at 8:58 PM, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 37759fa6d0fa9e4d6036d19ac12f555bfc0aeafd > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > C reproducer is