From: Cong Wang
Date: Sat, 25 Jul 2020 22:35:12 -0700
Subject: Re: [PATCH v2] net: ipv6: fix use-after-free Read in __xfrm6_tunnel_spi_lookup
To: B K Karthik
Cc: Steffen Klassert, Herbert Xu, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, Jakub Kicinski, Linux Kernel Network Developers, LKML, Greg KH, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org
In-Reply-To: <20200726030855.q6dfjekazfzl5usw@pesu.pes.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jul 25, 2020 at 8:09 PM B K Karthik wrote:
> @@ -103,10 +103,10 @@ static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi) > { > struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net); > struct xfrm6_tunnel_spi *x6spi; > - int index = xfrm6_tunnel_spi_hash_byspi(spi); > + int index = xfrm6_tunnel_spi_hash_byaddr((const xfrm_address_t *)spi); > > hlist_for_each_entry(x6spi, > - &xfrm6_tn->spi_byspi[index], > + &xfrm6_tn->spi_byaddr[index], > list_byspi) { > if (x6spi->spi == spi)

How did you convince yourself this is correct? This lookup is still using spi. :)

More importantly, can you explain how UAF happens? Apparently the syzbot stack traces you quote make no sense at all. I also looked at other similar reports; none of them makes sense to me.

Thanks.
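Review bot: the cast `(const xfrm_address_t *)spi` in the `__xfrm6_tunnel_spi_check` hunk converts a `u32` SPI value into a pointer, so `xfrm6_tunnel_spi_hash_byaddr()` would dereference whatever memory that integer happens to name instead of hashing the SPI; and with `list_byspi` still used as the hlist node and `x6spi->spi == spi` as the match, the walk over `&xfrm6_tn->spi_byaddr[index]` mixes the by-address bucket with the by-SPI list linkage. Either keep `int index = xfrm6_tunnel_spi_hash_byspi(spi);` and `&xfrm6_tn->spi_byspi[index]`, or, if the check is meant to be by address, give the function a real `xfrm_address_t *` parameter and walk the by-address list with its own node rather than `list_byspi`. The commit message should also explain how the use-after-free arises, since the hunk alone does not show it.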