In-Reply-To: <20180309220823.GA24848@neilslaptop.think-freely.org>
References: <00000000000017dfe905670110cf@google.com> <20180309220823.GA24848@neilslaptop.think-freely.org>
From: Xin Long
Date: Sat, 10 Mar 2018 15:58:04 +0800
Subject: Re: KASAN: use-after-free Read in sctp_association_free (2)
To: Neil Horman
Cc: syzbot, davem, LKML, linux-sctp@vger.kernel.org, network dev, syzkaller-bugs@googlegroups.com, Vlad Yasevich, Marcelo Ricardo Leitner
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Mar 10, 2018 at 6:08 AM, Neil Horman wrote:
> On Fri, Mar 09, 2018 at 12:59:06PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on net-next commit
>> fd372a7a9e5e9d8011a0222d10edd3523abcd3b1 (Thu Mar 8 19:43:48 2018 +0000)
>> Merge tag 'mlx5-updates-2018-02-28-2' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux
>>
>> So far this crash happened 2 times on net-next.
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+a4e4112c3aff00c8cfd8@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>> IPVS: ftp: loaded support on port[0] = 21
>> IPVS: ftp: loaded support on port[0] = 21
>> IPVS: ftp: loaded support on port[0] = 21
>> IPVS: ftp: loaded support on port[0] = 21
>> ==================================================================
>> BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
>> net/sctp/associola.c:332
>> Read of size 8 at addr ffff8801d8006ae0 by task syzkaller914861/4202
>>
>> CPU: 1 PID: 4202 Comm: syzkaller914861 Not tainted 4.16.0-rc4+ #258
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:17 [inline]
>> dump_stack+0x194/0x24d lib/dump_stack.c:53
>> print_address_description+0x73/0x250 mm/kasan/report.c:256
>> kasan_report_error mm/kasan/report.c:354 [inline]
>> kasan_report+0x23c/0x360 mm/kasan/report.c:412
>> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
>> sctp_association_free+0x7b7/0x930 net/sctp/associola.c:332
>> sctp_sendmsg+0xc67/0x1a80 net/sctp/socket.c:2075
>> inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
>> sock_sendmsg_nosec net/socket.c:629 [inline]
>> sock_sendmsg+0xca/0x110 net/socket.c:639
>> SYSC_sendto+0x361/0x5c0 net/socket.c:1748
>> SyS_sendto+0x40/0x50 net/socket.c:1716
>> do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>> entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> RIP: 0033:0x446d09
>> RSP: 002b:00007f5dbac21da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
>> RAX: ffffffffffffffda RBX: 00000000006e29fc RCX: 0000000000446d09
>> RDX: 0000000000000001 RSI: 0000000020000340 RDI: 0000000000000003
>> RBP: 00000000006e29f8 R08: 00000000204d9000 R09: 000000000000001c
>> R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
>> R13: 00007fff7b26fb1f R14: 00007f5dbac229c0 R15: 00000000006e2b60
>>
> I think we have a corner case with a0ff660058b88d12625a783ce9e5c1371c87951f
> here. If a peeloff event happens during a wait for sendbuf space, EPIPE will be
> returned, and the code path appears to call sctp_association_put twice, leading
> to the use after free situation. I'll write a patch this weekend

Hi, Neil, you're right.

I didn't expect peeloff could be done on a NEW asoc, as peeloff needs assoc_id, which can only be set once connecting has started.

But I realized that:

  f84af33 sctp: factor out sctp_sendmsg_to_asoc from sctp_sendmsg

moved sctp_primitive_ASSOCIATE (connecting) before sctp_wait_for_sndbuf (snd buffer waiting). It means peeloff can be done on a NEW asoc. So you may want to move it back.

One good thing is the fix shouldn't touch the conflict on https://lkml.org/lkml/2018/3/7/1175

We can fix it right now, I think. But please double check it before submitting the patch. We just can't grow up that fixup for Linus tree's merge.

Thanks.
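The reference-ownership problem Neil describes, as an added toy model in C that is not kernel code and not from this thread: the sender holds one reference on a NEW asoc, the sndbuf wait is assumed (for the model) to drop that reference itself when a peeloff happens during the wait and to fail with -EPIPE, and the caller either puts again or recognises the reference is already gone. `asoc_put`, `wait_for_sndbuf`, `send_double_put`, `send_single_put` and `run_scenario` are hypothetical stand-ins; the instrumented put records any put on an already-freed asoc, the condition KASAN flagged above.

```c
#include <stdbool.h>
#define EPIPE 32

/* Constructed model of an SCTP association's refcount; not kernel code. */
struct asoc {
    int refcnt;          /* live references; the sender holds one on a NEW asoc */
    bool freed;          /* set when the last reference is dropped */
    int puts_after_free; /* puts on a freed asoc: the use-after-free KASAN flagged */
};

/* Stand-in for sctp_association_put(): frees on the last reference and
 * records any further put instead of touching freed memory. */
static void asoc_put(struct asoc *a)
{
    if (a->freed) { a->puts_after_free++; return; }
    if (--a->refcnt == 0) a->freed = true;
}

/* Stand-in for the sndbuf wait. Model assumption: a peeloff during the wait
 * makes this path release the sender's reference and report -EPIPE. */
static int wait_for_sndbuf(struct asoc *a, bool peeloff_during_wait)
{
    if (!peeloff_during_wait) return 0;
    asoc_put(a);
    return -EPIPE;
}

/* Caller that always drops its reference: on -EPIPE this is the second put. */
static int send_double_put(struct asoc *a, bool peeloff)
{
    int err = wait_for_sndbuf(a, peeloff);
    asoc_put(a);
    return err;
}

/* Caller that treats -EPIPE as "the wait already consumed my reference". */
static int send_single_put(struct asoc *a, bool peeloff)
{
    int err = wait_for_sndbuf(a, peeloff);
    if (err != -EPIPE) asoc_put(a);
    return err;
}

/* Runs one scenario on a fresh asoc; returns puts that hit freed memory (0 is balanced). */
static int run_scenario(int (*send)(struct asoc *, bool), bool peeloff)
{
    struct asoc a = { .refcnt = 1 };
    send(&a, peeloff);
    return a.puts_after_free;
}
```

Only the peeloff-during-wait path separates the two callers; without the race both are balanced, which is why the bug needed a fuzzer to surface.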