Re: scsi: use-after-free in bio_copy_from_iter

On Tue, Dec 6, 2016 at 4:38 PM, Johannes Thumshirn wrote: > On Tue, Dec 06, 2016 at 10:43:57AM +0100, Dmitry Vyukov wrote: >> On Tue, Dec 6, 2016 at 10:32 AM, Johannes Thumshirn >> wrote: >> > On Mon, Dec 05, 2016 at 07:03:39PM +, Al Viro wrote: >> >> On Mon, Dec 05, 2016 at 04:17:53PM +0100

Re: scsi: use-after-free in bio_copy_from_iter

On Tue, Dec 06, 2016 at 10:43:57AM +0100, Dmitry Vyukov wrote: > On Tue, Dec 6, 2016 at 10:32 AM, Johannes Thumshirn > wrote: > > On Mon, Dec 05, 2016 at 07:03:39PM +, Al Viro wrote: > >> On Mon, Dec 05, 2016 at 04:17:53PM +0100, Johannes Thumshirn wrote: > >> > 633 hp = &srp->header;

Re: scsi: use-after-free in bio_copy_from_iter

On Tue, Dec 6, 2016 at 10:32 AM, Johannes Thumshirn wrote: > On Mon, Dec 05, 2016 at 07:03:39PM +, Al Viro wrote: >> On Mon, Dec 05, 2016 at 04:17:53PM +0100, Johannes Thumshirn wrote: >> > 633 hp = &srp->header; >> > [...] >> > 646 hp->dxferp = (char __user *)buf + cmd

Re: scsi: use-after-free in bio_copy_from_iter

On Mon, Dec 05, 2016 at 07:03:39PM +, Al Viro wrote: > On Mon, Dec 05, 2016 at 04:17:53PM +0100, Johannes Thumshirn wrote: > > 633 hp = &srp->header; > > [...] > > 646 hp->dxferp = (char __user *)buf + cmd_size; > > > So the memory for hp->dxferp comes from: > > 633

Re: scsi: use-after-free in bio_copy_from_iter

On Mon, Dec 05, 2016 at 04:17:53PM +0100, Johannes Thumshirn wrote: > 633 hp = &srp->header; > [...] > 646 hp->dxferp = (char __user *)buf + cmd_size; > So the memory for hp->dxferp comes from: > 633 hp = &srp->header; > >From my debug instrumentation I see t

Re: scsi: use-after-free in bio_copy_from_iter

On Mon, Dec 05, 2016 at 03:31:43PM +0100, Dmitry Vyukov wrote: > On Sat, Dec 3, 2016 at 7:19 PM, Johannes Thumshirn wrote: > > On Sat, Dec 03, 2016 at 04:22:39PM +0100, Dmitry Vyukov wrote: > >> On Sat, Dec 3, 2016 at 11:38 AM, Johannes Thumshirn > >> wrote: > >> > On Fri, Dec 02, 2016 at 05:50:

Re: scsi: use-after-free in bio_copy_from_iter

On Sat, Dec 3, 2016 at 7:19 PM, Johannes Thumshirn wrote: > On Sat, Dec 03, 2016 at 04:22:39PM +0100, Dmitry Vyukov wrote: >> On Sat, Dec 3, 2016 at 11:38 AM, Johannes Thumshirn >> wrote: >> > On Fri, Dec 02, 2016 at 05:50:39PM +0100, Dmitry Vyukov wrote: >> >> On Fri, Nov 25, 2016 at 8:08 PM, D

Re: scsi: use-after-free in bio_copy_from_iter

On Sat, Dec 03, 2016 at 04:22:39PM +0100, Dmitry Vyukov wrote: > On Sat, Dec 3, 2016 at 11:38 AM, Johannes Thumshirn > wrote: > > On Fri, Dec 02, 2016 at 05:50:39PM +0100, Dmitry Vyukov wrote: > >> On Fri, Nov 25, 2016 at 8:08 PM, Dmitry Vyukov wrote: [...] Hi Dmitry, > > Thanks for looking

Re: scsi: use-after-free in bio_copy_from_iter

On Sat, Dec 3, 2016 at 11:38 AM, Johannes Thumshirn wrote: > On Fri, Dec 02, 2016 at 05:50:39PM +0100, Dmitry Vyukov wrote: >> On Fri, Nov 25, 2016 at 8:08 PM, Dmitry Vyukov wrote: > > [...] > >> >> +David did some debugging of a similar case. His 0x400 at location >> 0x2000efdc refers to 0x

Re: scsi: use-after-free in bio_copy_from_iter

On Fri, Dec 02, 2016 at 05:50:39PM +0100, Dmitry Vyukov wrote: > On Fri, Nov 25, 2016 at 8:08 PM, Dmitry Vyukov wrote: [...] > > +David did some debugging of a similar case. His 0x400 at location > 0x2000efdc refers to 0x at 0x20012fdc in the provided reproducer: > NONFAILING(*(uint32_t

Re: scsi: use-after-free in bio_copy_from_iter

On Fri, Nov 25, 2016 at 8:08 PM, Dmitry Vyukov wrote: > Hello, > > The following program triggers use-after-free in bio_copy_from_iter: > https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt > > > ===

scsi: use-after-free in bio_copy_from_iter

Hello, The following program triggers use-after-free in bio_copy_from_iter: https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt == BUG: KASAN: use-af