Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-07 Thread Cong Wang
On Thu, Apr 6, 2017 at 3:49 AM, Eric Dumazet wrote: > On Wed, 2017-04-05 at 15:33 -0700, Cong Wang wrote: > >> Good find! I missed the refcnt in rt_set_nexthop() before that commit. >> >> We need to revert that commit to restore the refcnt for fib_info. > > Well, there are other spots, in decnet

Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-06 Thread Eric Dumazet
On Wed, 2017-04-05 at 15:33 -0700, Cong Wang wrote: > Good find! I missed the refcnt in rt_set_nexthop() before that commit. > > We need to revert that commit to restore the refcnt for fib_info. Well, there are other spots, in decnet and IPv6. This is why my original mail stated the problem

Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-05 Thread Cong Wang
On Tue, Apr 4, 2017 at 7:45 PM, Eric Dumazet wrote: > On Tue, 2017-04-04 at 18:11 -0700, Cong Wang wrote: >> On Tue, Apr 4, 2017 at 11:51 AM, Eric Dumazet wrote: >> > Looking at fib->fib_metrics, I fail to understand how the following can >> > work: >> > >> > dst_init_metrics(&rt->dst,

Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-05 Thread Subash Abhinov Kasiviswanathan
Interesting. I might have had too many beers tonight, but ... refcount was removed in 2860583fe840 many months later -static void rt_init_metrics(struct rtable *rt, struct fib_info *fi) -{ - if (fi->fib_metrics != (u32 *) dst_default_metrics) { - rt->fi = fi; -
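Review bot: the quoted hunk removes `rt->fi = fi;` from rt_init_metrics(), and that assignment is what kept the fib_info (and with it fi->fib_metrics) referenced for as long as the route borrowed the metrics pointer; with it gone, dst_init_metrics() leaves rt->dst pointing into a fib_info that can be freed underneath it, which is the dst_metric_raw() read KASAN flagged. Either the hold on fi has to come back at this spot or the metrics need a reference count of their own.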

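The lifetime problem the thread is circling, as an added illustration that is not code from the thread or from the kernel: a route borrows the metrics array owned by a fib_info, so once the hold on the fib_info is gone the route can outlive the array it reads through. The model below is constructed for this page; the struct and function names (fib_metrics, rt_set_nexthop, dst_metric_raw, ipv4_mtu) only echo the kernel's for readability, and the refcnt field, the poison flag and the 1500-byte MTU are assumptions of the model, not the kernel's layout. It runs the same create/build/teardown/use sequence twice, once with the route merely borrowing the pointer and once with it taking its own reference.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model for this page, not kernel code: a route (rtable) reading
 * metrics owned by a fib_info. Names echo the kernel's for readability only. */

#define RTAX_MTU 2
#define RTAX_MAX 4
/* Metrics block shared by a fib_info and every route built from it. */
struct fib_metrics {
    int refcnt;                 /* holders: the fib_info plus each route that took a ref */
    int freed;                  /* poison bit set on release; stands in for KASAN's check */
    unsigned int metrics[RTAX_MAX];
};

struct fib_info { struct fib_metrics *fib_metrics; };

struct rtable {
    struct fib_metrics *dst_metrics; /* what dst_metric_raw() dereferences */
    int holds_ref;                   /* did this route take its own reference? */
};

static int uaf_reads;               /* dangling reads seen in the last scenario */

static struct fib_metrics *fib_metrics_alloc(unsigned int mtu)
{
    struct fib_metrics *m = calloc(1, sizeof(*m));
    if (!m)
        abort();
    m->refcnt = 1;                  /* the fib_info's own reference */
    m->metrics[RTAX_MTU] = mtu;
    return m;
}

/* Drop a reference. The block is poisoned rather than handed back to the
 * allocator so a later dangling read can be observed instead of crashing. */
static void fib_metrics_put(struct fib_metrics *m)
{
    if (--m->refcnt == 0)
        m->freed = 1;
}

/* take_ref == 0 is the state after the refcount was dropped: the route only
 * borrows the pointer. take_ref == 1 is the state the thread wants restored. */
static void rt_set_nexthop(struct rtable *rt, struct fib_info *fi, int take_ref)
{
    rt->dst_metrics = fi->fib_metrics;
    rt->holds_ref = take_ref;
    if (take_ref)
        fi->fib_metrics->refcnt++;
}

/* Stand-in for dst_metric_raw(): reads through the route's metrics pointer. */
static unsigned int dst_metric_raw(const struct rtable *rt, int idx)
{
    if (rt->dst_metrics->freed) {
        uaf_reads++;                /* KASAN would report use-after-free here */
        return 0;
    }
    return rt->dst_metrics->metrics[idx];
}

static unsigned int ipv4_mtu(const struct rtable *rt)
{
    return dst_metric_raw(rt, RTAX_MTU);
}

/* fib_info created -> route built from it -> fib_info torn down -> route still
 * used. Returns the MTU the route observed; uaf_reads_last() tells whether
 * that read went through a released block. */
static unsigned int run_scenario(int take_ref)
{
    struct fib_info fi = { fib_metrics_alloc(1500) };
    struct rtable rt = { NULL, 0 };
    struct fib_metrics *block = fi.fib_metrics;
    unsigned int mtu;

    uaf_reads = 0;
    rt_set_nexthop(&rt, &fi, take_ref);
    fib_metrics_put(fi.fib_metrics);  /* fib_info torn down, e.g. FIB entry deleted */
    mtu = ipv4_mtu(&rt);              /* the cached route is still in use */
    if (rt.holds_ref)
        fib_metrics_put(rt.dst_metrics);
    free(block);                      /* real deallocation once nobody holds it */
    return mtu;
}

static int uaf_reads_last(void) { return uaf_reads; }

int main(void)
{
    unsigned int mtu = run_scenario(0);
    printf("borrowed pointer: mtu=%u dangling_reads=%d\n", mtu, uaf_reads_last());
    mtu = run_scenario(1);
    printf("own reference:    mtu=%u dangling_reads=%d\n", mtu, uaf_reads_last());
    return 0;
}
```

Run as-is, the first line reports a dangling read (the model's stand-in for the KASAN splat in dst_metric_raw) and an MTU of 0, the second reports 1500 with no dangling read. Freed blocks are poisoned instead of returned to the allocator purely so the read can be observed; in the kernel the same read lands in memory the slab may already have handed to someone else.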
Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-04 Thread Eric Dumazet
On Tue, 2017-04-04 at 18:11 -0700, Cong Wang wrote: > On Tue, Apr 4, 2017 at 11:51 AM, Eric Dumazet wrote: > > On Tue, Apr 4, 2017 at 7:50 AM, Andrey Konovalov > > wrote: > >> > >> Hi, > >> > >> I've got the following error report while fuzzing the kernel with > >> syzkaller. > >> > >> On

Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-04 Thread Cong Wang
On Tue, Apr 4, 2017 at 11:51 AM, Eric Dumazet wrote: > On Tue, Apr 4, 2017 at 7:50 AM, Andrey Konovalov > wrote: >> >> Hi, >> >> I've got the following error report while fuzzing the kernel with syzkaller. >> >> On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5). >> >> Unfortunately

Re: net/ipv4: use-after-free in ipv4_mtu

2017-04-04 Thread Eric Dumazet
On Tue, Apr 4, 2017 at 7:50 AM, Andrey Konovalov wrote: > > Hi, > > I've got the following error report while fuzzing the kernel with syzkaller. > > On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5). > > Unfortunately it's not reproducible. > >

net/ipv4: use-after-free in ipv4_mtu

2017-04-04 Thread Andrey Konovalov
Hi, I've got the following error report while fuzzing the kernel with syzkaller. On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5). Unfortunately it's not reproducible. == BUG: KASAN: use-after-free in dst_metric_raw