Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen
From: Hao Sun <hidden>
Date: 2021-09-17 01:02:03
Also in: lkml
Jason Gunthorpe [off-list ref] wrote on Fri, 17 Sep 2021 at 02:35:
> On Tue, Apr 13, 2021 at 10:19:25PM +0800, Hao Sun wrote:
> > Jason Gunthorpe [off-list ref] wrote on Tue, 13 Apr 2021 at 21:45:
> > > On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > > > Jason Gunthorpe [off-list ref] wrote on Tue, 13 Apr 2021 at 21:34:
> > > > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > > > Hi
> > > > > >
> > > > > > When using Healer (https://github.com/SunHao-0/healer/tree/dev) to fuzz the Linux kernel, I found two use-after-free bugs which were reported a long time ago by Syzbot. Although the corresponding patches have been merged into upstream, these two bugs can still be triggered easily. The original information about the Syzbot reports can be found here:
> > > > > > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > > > > > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > > > >
> > > > > Then why hasn't syzbot seen this in a year's time? Seems strange
> > > >
> > > > Seems strange to me too, but the fact is that the reproduction program in the attachment can trigger these two bugs quickly.
> > >
> > > Do you have this in the C format?
> >
> > Just tried to use syz-prog2c to convert the repro prog to C format. The repro program of rdma_listen was successfully reproduced (uploaded in the attachment), the other one failed. It looks like syz-prog2c may not be able to do the equivalent conversion. You can use syz-execprog to execute the repro program directly; this method can reproduce both crashes, I have tried it.
>
> Can you check this patch that should solve it?
> https://patchwork.kernel.org/project/linux-rdma/patch/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com/
Just executed the original Syz prog on the latest Linux kernel (ff1ffd71d5f0 Merge tag 'hyperv-fixes-signed-20210915'), and it did not crash the kernel. I've checked that the above patch has not been merged into the latest commit. Therefore, there might be some other commits that fixed that issue.

Regards,
Hao