From: Andrey Konovalov
Date: Thu, 3 Nov 2016 18:11:01 +0100
Subject: Re: net/sctp: use-after-free in __sctp_connect
To: Marcelo Ricardo Leitner
Cc: Vlad Yasevich, Neil Horman, "David S. Miller", linux-sctp@vger.kernel.org, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Eric Dumazet, Dmitry Vyukov
References: <20161019165754.GD2958@localhost.localdomain>
List-ID: linux-kernel@vger.kernel.org

On Wed, Nov 2, 2016 at 11:42 PM, Andrey Konovalov wrote:
> On Wed, Oct 19, 2016 at 6:57 PM, Marcelo Ricardo Leitner wrote:
>> On Wed, Oct 19, 2016 at 02:25:24PM +0200, Andrey Konovalov wrote:
>>> Hi,
>>>
>>> I've got the following error report while running the syzkaller fuzzer:
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr
>>> ffff88006b1dc610
>>
>> Seems this is the same that Dmitry Vyukov had reported back on Jan 13th.
>> So far I couldn't identify the reason.
>> "Good" to know it's still there, thanks for reporting it.

Hi Marcelo,

So I've looked at the code.

As far as I understand, the problem is a race condition between
setsockopt(SCTP_SOCKOPT_CONNECTX) and shutdown on an SCTP socket.

setsockopt() calls sctp_wait_for_connect(), which exits the for loop
on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc
with sctp_association_put() and returns err = 0.
Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id from the freed asoc.
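As an added illustration (not code from this thread and not the kernel's SCTP code), the following C model reproduces the interleaving Andrey describes: a wait routine that leaves its loop on the RCV_SHUTDOWN bit, drops a reference and returns 0, and a caller that takes err == 0 as a promise that the association is still alive. The names `assoc_put`, `wait_for_connect`, `do_shutdown`, `connect_buggy` and `connect_fixed` are constructed stand-ins for the kernel functions; the refcount values and the association id 42 are made up for the scenario. Instead of actually freeing the memory, the last put poisons the object and a read helper counts reads of a poisoned object, the way KASAN reports the read of `asoc->assoc_id`. `connect_fixed` shows one way to close the window: take everything the caller needs from `asoc` before the wait can drop the last reference, and never touch the object afterwards.

```c
#include <stdio.h>
#include <stdlib.h>

#define RCV_SHUTDOWN 0x01   /* bit name from the mail; value is illustrative */

/* Constructed stand-ins for struct sctp_association and struct sock. */
struct assoc {
    int refcnt;
    int assoc_id;
    int freed;            /* set once the last reference is dropped */
};

struct sock {
    int sk_shutdown;
    struct assoc *asoc;   /* the socket's own reference to the association */
};

static int uaf_reports;   /* reads of a freed object, like KASAN reports */

int uaf_report_count(void) { return uaf_reports; }

static void assoc_hold(struct assoc *a) { a->refcnt++; }

/* Dropping the last reference "frees" the object. The memory is kept so
 * the scenario stays well defined; the fields are poisoned instead. */
static void assoc_put(struct assoc *a)
{
    if (--a->refcnt == 0) {
        a->freed = 1;
        a->assoc_id = 0xdead;
    }
}

/* Field reads go through this helper so a read after the free is reported,
 * mirroring the KASAN report for the read of asoc->assoc_id. */
static int assoc_read_id(struct assoc *a)
{
    if (a->freed) {
        uaf_reports++;
        fprintf(stderr, "BUG: use-after-free reading assoc_id\n");
    }
    return a->assoc_id;
}

/* The concurrent shutdown(): marks the socket and releases its reference. */
static void do_shutdown(struct sock *sk)
{
    sk->sk_shutdown |= RCV_SHUTDOWN;
    if (sk->asoc) {
        assoc_put(sk->asoc);
        sk->asoc = NULL;
    }
}

/* Mirrors the flow in the mail: hold a reference, loop until the socket is
 * shut down, drop the reference, return 0. `while_sleeping` stands in for
 * what the other thread does while this one is blocked. If the shutdown
 * already released the socket's reference, the final put frees asoc. */
static int wait_for_connect(struct sock *sk, struct assoc *asoc,
                            void (*while_sleeping)(struct sock *))
{
    assoc_hold(asoc);
    for (;;) {
        if (sk->sk_shutdown & RCV_SHUTDOWN)
            break;
        while_sleeping(sk);   /* the "sleep" during which shutdown runs */
    }
    assoc_put(asoc);
    return 0;
}

/* The pattern from the report: err == 0, so asoc is assumed valid. */
int connect_buggy(struct sock *sk, struct assoc *asoc)
{
    int err = wait_for_connect(sk, asoc, do_shutdown);
    if (err == 0)
        return assoc_read_id(asoc);   /* reads a freed association */
    return err;
}

/* Take the id while asoc is known valid; nothing touches asoc after the
 * wait, which may have dropped the last reference. */
int connect_fixed(struct sock *sk, struct assoc *asoc)
{
    int id = assoc_read_id(asoc);
    int err = wait_for_connect(sk, asoc, do_shutdown);
    return err == 0 ? id : err;
}

/* Builds a socket owning one association (constructed id 42) and runs one
 * of the two callers against the shutdown race. */
int run_scenario(int use_fixed)
{
    struct assoc *asoc = calloc(1, sizeof *asoc);
    struct sock sk = { .sk_shutdown = 0, .asoc = asoc };
    int result;

    if (!asoc)
        return -1;
    uaf_reports = 0;
    asoc->refcnt = 1;     /* the socket's reference */
    asoc->assoc_id = 42;
    result = use_fixed ? connect_fixed(&sk, asoc) : connect_buggy(&sk, asoc);
    free(asoc);           /* the real release, after the scenario */
    return result;
}

int main(void)
{
    int buggy = run_scenario(0), buggy_reports = uaf_report_count();
    int fixed = run_scenario(1), fixed_reports = uaf_report_count();
    printf("buggy caller: id %d, use-after-free reports %d\n", buggy, buggy_reports);
    printf("fixed caller: id %d, use-after-free reports %d\n", fixed, fixed_reports);
    return 0;
}
```

The buggy caller returns the poison value and triggers one report; the fixed caller returns 42 with none. The essential point for review of similar code is that a wait or sleep helper which can drop a reference must either hand back its own error code whenever the object may be gone, or the caller must finish with the object before blocking.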