On Sat, Mar 4, 2017 at 9:15 PM, Eric Dumazet <eric.duma...@gmail.com> wrote: >> > On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >> >> I am getting heap out-of-bounds reports in >> >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running >> >> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all >> >> follow the same pattern: an object of size 216 is allocated from >> >> ip_dst_cache slab, and then accessed at offset 272/276 withing >> >> fib6_walk. Looks like type confusion. Unfortunately this is not >> >> reproducible. >> > >> > I'll take a look this weekend or Monday at the latest. >> >> >> I've got some additional useful info on this. I think this is >> use-after-free rather than out-of-bounds. I've collected stack where >> the route was disposed with call_rcu, see the last "Disposed" stack. >> The crash happens when cmpxchg in rt_cache_route replaces an existing >> route. And that route seems to have some existing pointers to it >> (rt->dst.rt6_next) which fib6_walk uses to get to it after its >> deletion. > > rt_cache_route() deals with IPv4 routes. > > We somehow mix IPv4 and IPv6 dsts in IPv6 tree. > > We need to add type safety at IPV6 route insertions to catch the > offender.
If you suggest additional checks, I will collect stacks.
