Re: [PATCH net] net/ipv6: prevent use after free in ip6_route_mpath_notify

2018-06-05 Thread David Miller
From: dsah...@kernel.org
Date: Mon, 4 Jun 2018 13:41:42 -0700
> From: David Ahern
>
> syzbot reported a use-after-free: ...
> The problem is that rt_last can point to a deleted route if the insert
> fails.
>
> One reproducer is to insert a route and then add a multipath route that
> has a

Re: [PATCH net] net/ipv6: prevent use after free in ip6_route_mpath_notify

2018-06-04 Thread Eric Dumazet
On 06/04/2018 01:41 PM, dsah...@kernel.org wrote:
> From: David Ahern
>
> syzbot reported a use-after-free:
>
> BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100
> net/ipv6/route.c:4180
> Read of size 4 at addr 8801bf789cf0 by task syz-executor756/4555
>
> Fix by not

[PATCH net] net/ipv6: prevent use after free in ip6_route_mpath_notify

2018-06-04 Thread dsahern
From: David Ahern
syzbot reported a use-after-free:
BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 net/ipv6/route.c:4180
Read of size 4 at addr 8801bf789cf0 by task syz-executor756/4555
CPU: 1 PID: 4555 Comm: syz-executor756 Not tainted 4.17.0-rc7+ #78
Hardware name:

Re: [PATCH net] net: ipv6: prevent use after free in ip6_route_mpath_notify()

2018-06-03 Thread Eric Dumazet
On 06/03/2018 07:46 AM, David Ahern wrote:
> It was a mistake to set rt_last before checking err. So the
> use-after-free exposed the semantic error.
SGTM, please send the formal patch then, thanks!

Re: [PATCH net] net: ipv6: prevent use after free in ip6_route_mpath_notify()

2018-06-03 Thread David Ahern
On 6/3/18 8:31 AM, Eric Dumazet wrote: > > > On 06/03/2018 07:01 AM, David Ahern wrote: >> On 6/3/18 7:35 AM, Eric Dumazet wrote: >>> diff --git a/net/ipv6/route.c b/net/ipv6/route.c >>> index >>> f4d61736c41abe8cd7f439c4a37100e90c1eacca..830eefdbdb6734eb81ea0322fb6077ee20be1889 >>> 100644 >>>

Re: [PATCH net] net: ipv6: prevent use after free in ip6_route_mpath_notify()

2018-06-03 Thread David Ahern
On 6/3/18 8:01 AM, David Ahern wrote:
> Is there a reproducer for the syzbot case?
One reproducer is to insert a route and then add a multipath route that has a duplicate nexthop, e.g.:
ip -6 ro add vrf red 2001:db8:101::/64 nexthop via 2001:db8:1::2
ip -6 ro append vrf red 2001:db8:101::/64

Re: [PATCH net] net: ipv6: prevent use after free in ip6_route_mpath_notify()

2018-06-03 Thread Eric Dumazet
On 06/03/2018 07:01 AM, David Ahern wrote: > On 6/3/18 7:35 AM, Eric Dumazet wrote: >> diff --git a/net/ipv6/route.c b/net/ipv6/route.c >> index >> f4d61736c41abe8cd7f439c4a37100e90c1eacca..830eefdbdb6734eb81ea0322fb6077ee20be1889 >> 100644 >> --- a/net/ipv6/route.c >> +++ b/net/ipv6/route.c

Re: [PATCH net] net: ipv6: prevent use after free in ip6_route_mpath_notify()

2018-06-03 Thread David Ahern
On 6/3/18 7:35 AM, Eric Dumazet wrote: > diff --git a/net/ipv6/route.c b/net/ipv6/route.c > index > f4d61736c41abe8cd7f439c4a37100e90c1eacca..830eefdbdb6734eb81ea0322fb6077ee20be1889 > 100644 > --- a/net/ipv6/route.c > +++ b/net/ipv6/route.c > @@ -4263,7 +4263,9 @@ static int

[PATCH net] net: ipv6: prevent use after free in ip6_route_mpath_notify()

2018-06-03 Thread Eric Dumazet
syzbot reported a use-after-free [1]
Issue here is that rt_last might have been freed already. We need to grab a refcount on it to prevent this.
[1] BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 net/ipv6/route.c:4180
Read of size 4 at addr 8801bf789cf0 by task