Hello, The following program triggers use-after-free in ip6_xmit: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include <syscall.h> #include <string.h> #include <stdint.h> #include <pthread.h> #include <sys/types.h> #include <sys/socket.h> #include <linux/socket.h> #include <linux/in.h> #include <linux/in6.h> #include <unistd.h> #include <stdlib.h> void *thr0(void *arg) { *(uint32_t*)0x20000000 = 0x5; long r5 = syscall(SYS_setsockopt, arg, 0x29ul, 0x6ul, 0x20000000ul, 0x4ul, 0); return 0; } void *thr1(void *arg) { struct sockaddr_in6 sa = {}; sa.sin6_family = AF_INET6; sa.sin6_port = getpid(); sa.sin6_addr.s6_addr[15] = 1; syscall(SYS_bind, arg, &sa, sizeof(sa), 0, 0, 0); return 0; } void *thr2(void *arg) { struct sockaddr_in6 sa = {}; sa.sin6_family = AF_INET6; sa.sin6_port = getpid(); sa.sin6_addr.s6_addr[15] = 1; syscall(SYS_connect, arg, &sa, sizeof(sa), 0, 0, 0); return 0; } void *thr3(void *arg) { syscall(SYS_listen, arg, 0x3ul, 0, 0, 0, 0); return 0; } void *thr4(void *arg) { syscall(SYS_accept4, arg, 0, 0, 0x800ul, 0, 0); return 0; } int main() { srand(getpid()); syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x2ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); int fd[2]; fd[0] = syscall(SYS_socket, PF_INET6, SOCK_STREAM, IPPROTO_TCP); fd[1] = syscall(SYS_socket, PF_INET6, SOCK_STREAM, IPPROTO_TCP); pthread_t th; pthread_create(&th, 0, thr0, (void*)(long)fd[0]); pthread_create(&th, 0, thr1, (void*)(long)fd[0]); pthread_create(&th, 0, thr2, (void*)(long)fd[0]); pthread_create(&th, 0, thr3, (void*)(long)fd[0]); pthread_create(&th, 0, thr4, (void*)(long)fd[0]); pthread_create(&th, 0, thr0, (void*)(long)fd[0]); pthread_create(&th, 0, thr1, (void*)(long)fd[0]); pthread_create(&th, 0, thr2, (void*)(long)fd[0]); pthread_create(&th, 0, thr3, (void*)(long)fd[0]); pthread_create(&th, 0, thr4, (void*)(long)fd[0]); pthread_create(&th, 0, thr0, (void*)(long)fd[1]); pthread_create(&th, 0, thr1, (void*)(long)fd[1]); pthread_create(&th, 0, thr2, (void*)(long)fd[1]); pthread_create(&th, 0, thr3, (void*)(long)fd[1]); pthread_create(&th, 0, thr4, (void*)(long)fd[1]); pthread_create(&th, 0, thr0, (void*)(long)fd[1]); pthread_create(&th, 0, thr1, (void*)(long)fd[1]); pthread_create(&th, 0, thr2, (void*)(long)fd[1]); pthread_create(&th, 0, thr3, (void*)(long)fd[1]); pthread_create(&th, 0, thr4, (void*)(long)fd[1]); usleep(20000); return 0; } ================================================================== BUG: KASAN: use-after-free in ip6_xmit+0x15e3/0x1f50 at addr ffff88003991c786 Read of size 2 by task a.out/6864 ============================================================================= BUG kmalloc-64 (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in sock_kmalloc+0x93/0x100 age=40 cpu=1 pid=6850 [< none >] ___slab_alloc+0x648/0x8c0 mm/slub.c:2438 [< none >] __slab_alloc+0x4c/0x90 mm/slub.c:2467 [< inline >] slab_alloc_node mm/slub.c:2530 [< inline >] slab_alloc mm/slub.c:2572 [< none >] __kmalloc+0x2d9/0x480 mm/slub.c:3532 [< inline >] kmalloc include/linux/slab.h:463 [< none >] sock_kmalloc+0x93/0x100 net/core/sock.c:1772 [< none >] do_ipv6_setsockopt.isra.5+0xf4d/0x2d30 net/ipv6/ipv6_sockglue.c:483 [< none >] ipv6_setsockopt+0x4f/0x150 net/ipv6/ipv6_sockglue.c:885 [< none >] sctp_setsockopt+0x194/0x4020 net/sctp/socket.c:3702 [< none >] sock_common_setsockopt+0xb4/0x140 net/core/sock.c:2643 [< inline >] SYSC_setsockopt net/socket.c:1757 [< none >] SyS_setsockopt+0x161/0x290 net/socket.c:1736 [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 INFO: Freed in sock_kfree_s+0x29/0x90 age=34 cpu=0 pid=6855 [< none >] __slab_free+0x21e/0x3e0 mm/slub.c:2648 [< inline >] slab_free mm/slub.c:2803 [< none >] kfree+0x26f/0x3e0 mm/slub.c:3632 [< inline >] __sock_kfree_s net/core/sock.c:1793 [< none >] sock_kfree_s+0x29/0x90 net/core/sock.c:1799 [< none >] do_ipv6_setsockopt.isra.5+0x100f/0x2d30 net/ipv6/ipv6_sockglue.c:506 [< none >] ipv6_setsockopt+0x4f/0x150 net/ipv6/ipv6_sockglue.c:885 [< none >] sctp_setsockopt+0x194/0x4020 net/sctp/socket.c:3702 [< none >] sock_common_setsockopt+0xb4/0x140 net/core/sock.c:2643 [< inline >] SYSC_setsockopt net/socket.c:1757 [< none >] SyS_setsockopt+0x161/0x290 net/socket.c:1736 [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 INFO: Slab 0xffffea0000e64700 objects=21 used=19 fp=0xffff88003991cc00 flags=0x1fffc0000004080 INFO: Object 0xffff88003991c780 @offset=1920 fp=0x (null) CPU: 2 PID: 6864 Comm: a.out Tainted: G B 4.4.0-rc3+ #150 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 0000000000000002 ffff88005f3f6e18 ffffffff82c6f2a8 0000000041b58ab3 ffffffff8788bf8d ffffffff82c6f1f6 ffff880062045a00 ffffffff878ac723 ffff88003e807700 0000000000000008 ffff88003991c780 ffff88005f3f6e18 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82c6f2a8>] dump_stack+0xb2/0xfa lib/dump_stack.c:50 [<ffffffff81788e3c>] print_trailer+0x12c/0x210 mm/slub.c:652 [<ffffffff81793c5f>] object_err+0x2f/0x40 mm/slub.c:659 [< inline >] print_address_description mm/kasan/report.c:138 [<ffffffff817979c9>] kasan_report_error+0x5d9/0x860 mm/kasan/report.c:251 [< inline >] kasan_report mm/kasan/report.c:274 [<ffffffff81797d14>] __asan_report_load2_noabort+0x54/0x70 mm/kasan/report.c:293 [<ffffffff85bc06e3>] ip6_xmit+0x15e3/0x1f50 net/ipv6/ip6_output.c:176 [<ffffffff8635a0b9>] sctp_v6_xmit+0x319/0x530 net/sctp/ipv6.c:223 [<ffffffff8634595d>] sctp_packet_transmit+0x113d/0x2680 net/sctp/output.c:595 [<ffffffff8630e897>] sctp_outq_flush+0x717/0x2840 net/sctp/outqueue.c:1090 [<ffffffff86315d67>] sctp_outq_uncork+0x57/0x80 net/sctp/outqueue.c:692 [< inline >] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1750 [< inline >] sctp_side_effects net/sctp/sm_sideeffect.c:1153 [<ffffffff862d9e83>] sctp_do_sm+0x38a3/0x5be0 net/sctp/sm_sideeffect.c:1125 [<ffffffff863423c9>] sctp_primitive_SHUTDOWN+0xa9/0xd0 net/sctp/primitive.c:104 [<ffffffff8632e94d>] sctp_close+0x6fd/0x9b0 net/sctp/socket.c:1519 [<ffffffff85a4b2a1>] inet_release+0x111/0x270 net/ipv4/af_inet.c:413 [<ffffffff85bac8c5>] inet6_release+0x55/0x90 net/ipv6/af_inet6.c:406 [<ffffffff85501586>] sock_release+0x96/0x260 net/socket.c:571 [<ffffffff85501766>] sock_close+0x16/0x20 net/socket.c:1022 [<ffffffff817f0014>] __fput+0x244/0x860 fs/file_table.c:208 [<ffffffff817f06c5>] ____fput+0x15/0x20 fs/file_table.c:244 [<ffffffff8133a5e0>] task_work_run+0x130/0x240 kernel/task_work.c:115 [< inline >] exit_task_work include/linux/task_work.h:21 [<ffffffff812d4a05>] do_exit+0x885/0x3050 kernel/exit.c:750 [<ffffffff812d732c>] do_group_exit+0xec/0x390 kernel/exit.c:880 [<ffffffff81302177>] get_signal+0x677/0x1bf0 kernel/signal.c:2307 [<ffffffff8118645e>] do_signal+0x7e/0x2170 arch/x86/kernel/signal.c:709 [<ffffffff81003a1e>] exit_to_usermode_loop+0xfe/0x1e0 arch/x86/entry/common.c:247 [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282 [<ffffffff8100733b>] syscall_return_slowpath+0x16b/0x240 arch/x86/entry/common.c:344 [<ffffffff868dafe2>] int_ret_from_sys_call+0x25/0x9f arch/x86/entry/entry_64.S:281 ================================================================== On commit 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8. The allocation/free stacks look similar to the ones I reported in "memory leak in do_ipv6_setsockopt". However, the fix for that leak suggests that it could lead only to leaks, not to use-after-frees. -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
