Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752488AbbKVOsQ (ORCPT <rfc822;w@1wt.eu>);
	Sun, 22 Nov 2015 09:48:16 -0500
Received: from mail-wm0-f43.google.com ([74.125.82.43]:34747 "EHLO
	mail-wm0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752434AbbKVOsO (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 22 Nov 2015 09:48:14 -0500
MIME-Version: 1.0
In-Reply-To: <8737vym7f3.fsf@doppelsaurus.mobileactivedefense.com>
References: <CACT4Y+YRbhn+vUZqb9zY0X3fw_VSc_Ab5JKiEa5L-0g4U9zoSA@mail.gmail.com>
 <8737vym7f3.fsf@doppelsaurus.mobileactivedefense.com>
From: Dmitry Vyukov <dvyukov@google.com>
Date: Sun, 22 Nov 2015 15:47:52 +0100
Message-ID: <CACT4Y+YuBQH2tYt3hqCd6f5yR7iQcU6prf0VGPUoBxv6yCpJ7w@mail.gmail.com>
Subject: Re: Use-after-free in ppoll
To: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Cc: Jason Baron <jbaron@akamai.com>, Al Viro <viro@zeniv.linux.org.uk>,
        David Miller <davem@davemloft.net>,
        LKML <linux-kernel@vger.kernel.org>,
        David Howells <dhowells@redhat.com>, netdev <netdev@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>,
        Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Sasha Levin <sasha.levin@oracle.com>,
        Eric Dumazet <edumazet@google.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2006
Lines: 59

On Sun, Nov 22, 2015 at 3:32 PM, Rainer Weikusat
<rweikusat@mobileactivedefense.com> wrote:
> Dmitry Vyukov <dvyukov@google.com> writes:
>> Hello,
>>
>> On commit f2d10565b9bdbb722bd43e6e1a759eeddb9645c8 (Nov 20).
>>
>> The following program triggers use-after-free:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <syscall.h>
>> #include <string.h>
>> #include <stdint.h>
>> #include <pthread.h>
>>
>> void *thread(void *p)
>> {
>>         syscall(SYS_write, (long)p, 0x2000278ful, 0x1ul, 0, 0, 0);
>>         return 0;
>> }
>
> [...]
>
>
>>         long r1 = syscall(SYS_socketpair, 0x1ul, 0x3ul, 0x0ul,
>
> [...]
>
>>         long r5 = syscall(SYS_close, r2, 0, 0, 0, 0, 0);
>>         pthread_t th;
>>         pthread_create(&th, 0, thread, (void*)(long)r3);
>
> [...]
>
>>         long r21 = syscall(SYS_ppoll, 0x20000ffful, 0x3ul, 0x20000ffcul, 0x20000ffdul, 0x8ul, 0);
>>         return 0;
>> }
>
> That's one of the already known sequences for triggering this issue: The
> close will clear the peer pointer of the closed socket, hence, the 2nd
> sock_poll_wait will be called by unix_dgram_poll. The write will
> execute unix_dgram_sendmsg which detects that the peer is dead and
> disconnects from it, causing the corresponding structures to be freed
> despite they're still used.
>
> NB: I didn't execute this but I spend a fair amount of time with the
> af_unix.c code during the last couple of weeks and consider myself
> "reasonably familiar" with it and that's IMO what should happen here.


I have not read the code. But I just want to point out that all 3
reports are different. For example, in the first one, ppoll both frees
the object and then accesses it. That is, it is not write that frees
the object.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/