From: Rainer Weikusat
To: Dmitry Vyukov
Cc: Rainer Weikusat, Jason Baron, Al Viro, David Miller, LKML, David Howells, netdev, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Subject: Re: Use-after-free in ppoll
In-Reply-To: (Dmitry Vyukov's message of "Sun, 22 Nov 2015 15:14:31 +0100")
Date: Sun, 22 Nov 2015 14:32:16 +0000
Message-ID: <8737vym7f3.fsf@doppelsaurus.mobileactivedefense.com>
List-ID: linux-kernel@vger.kernel.org

Dmitry Vyukov writes:

> Hello,
>
> On commit f2d10565b9bdbb722bd43e6e1a759eeddb9645c8 (Nov 20).
>
> The following program triggers use-after-free:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include
> #include
> #include
> #include
>
> void *thread(void *p)
> {
>         syscall(SYS_write, (long)p, 0x2000278ful, 0x1ul, 0, 0, 0);
>         return 0;
> }

[...]

>         long r1 = syscall(SYS_socketpair, 0x1ul, 0x3ul, 0x0ul,

[...]

>         long r5 = syscall(SYS_close, r2, 0, 0, 0, 0, 0);
>         pthread_t th;
>         pthread_create(&th, 0, thread, (void*)(long)r3);

[...]

>         long r21 = syscall(SYS_ppoll, 0x20000ffful, 0x3ul, 0x20000ffcul, 0x20000ffdul, 0x8ul, 0);
>         return 0;
> }

That's one of the already known sequences for triggering this issue: the close will clear the peer pointer of the closed socket, hence the 2nd sock_poll_wait will be called by unix_dgram_poll. The write will execute unix_dgram_sendmsg, which detects that the peer is dead and disconnects from it, causing the corresponding structures to be freed even though they're still in use.

NB: I didn't execute this, but I spent a fair amount of time with the af_unix.c code during the last couple of weeks and consider myself "reasonably familiar" with it, and that's IMO what should happen here.