On Wed, May 31, 2017 at 9:55 AM, Eric Dumazet <eduma...@google.com> wrote:
> On Wed, May 31, 2017 at 9:45 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
>> On Wed, May 31, 2017 at 2:42 AM, Andrey Konovalov <andreyk...@google.com>
>> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>
>>> On commit 5ed02dbb497422bf225783f46e6eadd237d23d6b (4.12-rc3).
>>>
>>> Unfortunately it's not reproducible.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in ip6_dst_ifdown+0x3cc/0x400
>>> net/ipv6/route.c:422
>>> Read of size 8 at addr ffff88006afa4ad8 by task syz-executor6/23554
>>
>>
>> This one is very interesting.
>>
>> Here we are at:
>>
>>         if (dev != loopback_dev) {
>>                 if (idev && idev->dev == dev) {
>>                         struct inet6_dev *loopback_idev =
>>                                 in6_dev_get(loopback_dev);
>>                         if (loopback_idev) {
>>                                 rt->rt6i_idev = loopback_idev;
>>                                 in6_dev_put(idev);
>>                         }
>>                 }
>>         }
>>
>> Clearly no skb is involved; it looks like idev is the one used after free.
>>
>> But below it is actually an skb which is allocated and freed...
>>
>
> skb->head was a kmalloc(X) with X = 1024 in this case.
>
> So it is very possible the two different objects (skb->head and idev)
> were accidentally using the same slab (1024 bytes).
>
> KASAN only remembers the last pair of alloc/free for a particular memory zone.
I see. So that memory area was freed for idev and then allocated and freed again for skb->head; this happened so quickly that the use-after-free happened after it... Therefore we lost track of where we freed the idev.
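The misattribution Eric describes above can be replayed in userspace with a toy slab. This is an added example, not code from the thread or from the kernel: a tiny allocator with one kmalloc-1024 size class and a LIFO freelist that, like KASAN, keeps only the most recent alloc site and free site per object slot. The call-site names (ipv6_add_dev, in6_dev_finish_destroy, __alloc_skb, skb_release_data) are constructed labels for the idev and skb->head paths, chosen to match the objects named in the report, not stack traces taken from a real run. The second variant delays reuse of freed slots (the idea behind a quarantine) to show that the stale read then gets blamed on the idev sites instead.

```c
/*
 * Toy allocator that records only the latest alloc/free site per slot,
 * mirroring the KASAN behaviour discussed in the thread. Constructed
 * example; the site names below are hypothetical labels, not real traces.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 1024          /* the kmalloc-1024 size class from the report */
#define NSLOTS    4

struct slot {
    unsigned char mem[SLOT_SIZE];
    bool in_use;
    const char *alloc_site;     /* only the most recent occupant is remembered */
    const char *free_site;
};

struct uaf_report {
    const char *verdict;        /* "ok", "use-after-free" or "wild-pointer" */
    const char *alloc_site;     /* what a KASAN-style report would print */
    const char *free_site;
};

static struct slot pool[NSLOTS];
static int freelist[NSLOTS];    /* LIFO: the last freed slot is reused first */
static int nfree;
static bool delay_reuse;        /* true: freed slots are parked, never recycled */

static void pool_reset(bool quarantine)
{
    memset(pool, 0, sizeof pool);
    delay_reuse = quarantine;
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        freelist[nfree++] = i;
}

/* kmalloc() stand-in: pops the most recently freed slot, as a slab freelist does. */
static void *toy_kmalloc(const char *site)
{
    if (nfree == 0)
        return NULL;
    struct slot *s = &pool[freelist[--nfree]];
    s->in_use = true;
    s->alloc_site = site;       /* overwrites the previous occupant's record */
    s->free_site = NULL;
    return s->mem;
}

static struct slot *slot_of(const void *p)
{
    for (int i = 0; i < NSLOTS; i++)
        if (p == (const void *)pool[i].mem)
            return &pool[i];
    return NULL;
}

static void toy_kfree(void *p, const char *site)
{
    struct slot *s = slot_of(p);
    if (!s || !s->in_use)
        return;
    s->in_use = false;
    s->free_site = site;        /* overwrites the previous occupant's record */
    if (!delay_reuse)
        freelist[nfree++] = (int)(s - pool);
}

/* KASAN-style check on a read: the report can only cite what the slot remembers. */
static struct uaf_report check_read(const void *p)
{
    struct uaf_report r = { "wild-pointer", NULL, NULL };
    struct slot *s = slot_of(p);
    if (!s)
        return r;
    r.verdict = s->in_use ? "ok" : "use-after-free";
    r.alloc_site = s->alloc_site;
    r.free_site = s->free_site;
    return r;
}

/* Replay the sequence from the report: idev freed, the slot reused for
 * skb->head, skb->head freed, then ip6_dst_ifdown() reads the stale idev. */
static struct uaf_report replay(bool quarantine)
{
    pool_reset(quarantine);
    void *idev = toy_kmalloc("ipv6_add_dev");             /* hypothetical site */
    toy_kfree(idev, "in6_dev_finish_destroy");              /* hypothetical site */
    void *skb_head = toy_kmalloc("__alloc_skb");            /* same slot if LIFO */
    toy_kfree(skb_head, "skb_release_data");
    return check_read(idev);                                /* stale rt->rt6i_idev */
}

int main(void)
{
    struct uaf_report r = replay(false);
    printf("immediate reuse: %s, allocated by %s, freed by %s\n",
           r.verdict, r.alloc_site, r.free_site);
    r = replay(true);
    printf("delayed reuse:   %s, allocated by %s, freed by %s\n",
           r.verdict, r.alloc_site, r.free_site);
    return 0;
}
```

With immediate reuse the stale idev read is flagged as a use-after-free, but the slot's memory of "allocated by __alloc_skb / freed by skb_release_data" is all the report has, which is exactly the skb-shaped trace under an idev-shaped crash seen in the thread. With reuse delayed, the same read is attributed to the idev sites, which is why the free site of the real object is lost only when the recycle happens before the stale access.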