RE: use-after-free in sctp_do_sm

2015-12-14 Thread David Laight
From: Vlad Yasevich > Sent: 11 December 2015 18:38 ... > > Found a similar place in abort primitive handling like in this last > > patch update, it's probably the issue you're still triggering. > > > > Also found another place that may lead to this use after free, in case > > we receive a packet

Re: use-after-free in sctp_do_sm

2015-12-14 Thread Vlad Yasevich
On 12/14/2015 04:50 AM, David Laight wrote: > From: Vlad Yasevich >> Sent: 11 December 2015 18:38 > ... >>> Found a similar place in abort primitive handling like in this last >>> patch update, it's probably the issue you're still triggering. >>> >>> Also found another place that may lead to this

Re: use-after-free in sctp_do_sm

2015-12-11 Thread Dmitry Vyukov
1_INIT)); > - retval = SCTP_DISPOSITION_CONSUME; > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); > > @@ -4983,7 +4981,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( > sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, >

Re: use-after-free in sctp_do_sm

2015-12-11 Thread Marcelo Ricardo Leitner
On 11-12-2015 11:35, Dmitry Vyukov wrote: On Wed, Dec 9, 2015 at 5:41 PM, Marcelo Ricardo Leitner wrote: On Wed, Dec 09, 2015 at 01:03:56PM -0200, Marcelo Ricardo Leitner wrote: On Wed, Dec 09, 2015 at 03:41:29PM +0100, Dmitry Vyukov wrote: On Tue, Dec 8, 2015

Re: use-after-free in sctp_do_sm

2015-12-11 Thread Marcelo Ricardo Leitner
On Fri, Dec 11, 2015 at 11:51:21AM -0200, Marcelo Ricardo Leitner wrote: > On 11-12-2015 11:35, Dmitry Vyukov wrote: > >On Wed, Dec 9, 2015 at 5:41 PM, Marcelo Ricardo Leitner > > wrote: > >>On Wed, Dec 09, 2015 at 01:03:56PM -0200, Marcelo Ricardo Leitner wrote: >

Re: use-after-free in sctp_do_sm

2015-12-11 Thread Dmitry Vyukov
On Fri, Dec 11, 2015 at 3:03 PM, Marcelo Ricardo Leitner wrote: > On Fri, Dec 11, 2015 at 11:51:21AM -0200, Marcelo Ricardo Leitner wrote: >> On 11-12-2015 11:35, Dmitry Vyukov wrote: >> >On Wed, Dec 9, 2015 at 5:41 PM, Marcelo Ricardo Leitner >>

Re: use-after-free in sctp_do_sm

2015-12-11 Thread Marcelo Ricardo Leitner
On 11-12-2015 12:30, Dmitry Vyukov wrote: On Fri, Dec 11, 2015 at 3:03 PM, Marcelo Ricardo Leitner wrote: On Fri, Dec 11, 2015 at 11:51:21AM -0200, Marcelo Ricardo Leitner wrote: On 11-12-2015 11:35, Dmitry Vyukov wrote: On Wed, Dec 9, 2015 at 5:41 PM,

Re: use-after-free in sctp_do_sm

2015-12-11 Thread Vlad Yasevich
On 12/11/2015 09:03 AM, Marcelo Ricardo Leitner wrote: > On Fri, Dec 11, 2015 at 11:51:21AM -0200, Marcelo Ricardo Leitner wrote: >> On 11-12-2015 11:35, Dmitry Vyukov wrote: >>> On Wed, Dec 9, 2015 at 5:41 PM, Marcelo Ricardo Leitner >>> wrote: On Wed, Dec 09,

Re: use-after-free in sctp_do_sm

2015-12-09 Thread Dmitry Vyukov

Re: use-after-free in sctp_do_sm

2015-12-09 Thread Marcelo Ricardo Leitner
On Wed, Dec 09, 2015 at 03:41:29PM +0100, Dmitry Vyukov wrote: > On Tue, Dec 8, 2015 at 8:22 PM, Dmitry Vyukov wrote: > > On Tue, Dec 8, 2015 at 6:40 PM, Marcelo Ricardo Leitner > > wrote: ... > >> The patches were combined already, but this last

Re: use-after-free in sctp_do_sm

2015-12-09 Thread Marcelo Ricardo Leitner
On Wed, Dec 09, 2015 at 01:03:56PM -0200, Marcelo Ricardo Leitner wrote: > On Wed, Dec 09, 2015 at 03:41:29PM +0100, Dmitry Vyukov wrote: > > On Tue, Dec 8, 2015 at 8:22 PM, Dmitry Vyukov wrote: > > > On Tue, Dec 8, 2015 at 6:40 PM, Marcelo Ricardo Leitner > > >

Re: use-after-free in sctp_do_sm

2015-12-08 Thread Dmitry Vyukov
On Mon, Dec 7, 2015 at 9:52 PM, Marcelo Ricardo Leitner wrote: > On 07-12-2015 18:37, Vlad Yasevich wrote: >> >> On 12/07/2015 02:50 PM, Marcelo Ricardo Leitner wrote: >>> >>> On Mon, Dec 07, 2015 at 02:33:52PM -0500, Vlad Yasevich wrote: On 12/07/2015

Re: use-after-free in sctp_do_sm

2015-12-08 Thread Marcelo Ricardo Leitner
On Tue, Dec 08, 2015 at 06:30:51PM +0100, Dmitry Vyukov wrote: > On Mon, Dec 7, 2015 at 9:52 PM, Marcelo Ricardo Leitner > wrote: > > On 07-12-2015 18:37, Vlad Yasevich wrote: > >> > >> On 12/07/2015 02:50 PM, Marcelo Ricardo Leitner wrote: > >>> > >>> On Mon, Dec

Re: use-after-free in sctp_do_sm

2015-12-08 Thread Dmitry Vyukov
On Tue, Dec 8, 2015 at 6:40 PM, Marcelo Ricardo Leitner wrote: > On Tue, Dec 08, 2015 at 06:30:51PM +0100, Dmitry Vyukov wrote: >> On Mon, Dec 7, 2015 at 9:52 PM, Marcelo Ricardo Leitner >> wrote: >> > On 07-12-2015 18:37, Vlad Yasevich

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Dmitry Vyukov
On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner wrote: > On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote: >> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich wrote: >> > On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote: >>

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Dmitry Vyukov
On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich wrote: > On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote: >> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote: >>> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner >>> wrote:

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Marcelo Ricardo Leitner
On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote: > On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich wrote: > > On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote: > >> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote: > >>> On Fri, Dec 4, 2015 at

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Vlad Yasevich
On 12/07/2015 01:52 PM, Marcelo Ricardo Leitner wrote: > On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote: >> On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner >> wrote: >>> On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote: On Sat,

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Marcelo Ricardo Leitner
On Mon, Dec 07, 2015 at 02:33:52PM -0500, Vlad Yasevich wrote: > On 12/07/2015 01:52 PM, Marcelo Ricardo Leitner wrote: > > On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote: > >> On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner > >> wrote: > >>> On

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Vlad Yasevich
On 12/07/2015 02:50 PM, Marcelo Ricardo Leitner wrote: > On Mon, Dec 07, 2015 at 02:33:52PM -0500, Vlad Yasevich wrote: >> On 12/07/2015 01:52 PM, Marcelo Ricardo Leitner wrote: >>> On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote: On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Marcelo Ricardo Leitner
On 07-12-2015 18:37, Vlad Yasevich wrote: On 12/07/2015 02:50 PM, Marcelo Ricardo Leitner wrote: On Mon, Dec 07, 2015 at 02:33:52PM -0500, Vlad Yasevich wrote: On 12/07/2015 01:52 PM, Marcelo Ricardo Leitner wrote: Vlad, I reviewed the places on which it returns SCTP_DISPOSITION_ABORT, and

Re: use-after-free in sctp_do_sm

2015-12-07 Thread Marcelo Ricardo Leitner
On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote: > On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner > wrote: > > On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote: > >> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich

Re: use-after-free in sctp_do_sm

2015-12-05 Thread Vlad Yasevich
On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote: > On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote: >> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner >> wrote: >>> Hi Dmitry, >>> >>> Can you please test this patch? >>> I'll re-post with

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Dmitry Vyukov
On Thu, Dec 3, 2015 at 6:02 PM, Eric Dumazet wrote: > On Thu, Dec 3, 2015 at 7:55 AM, Dmitry Vyukov wrote: >> On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet wrote: No, I don't. But pr_debug always computes its arguments. See

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Dmitry Vyukov
On Thu, Dec 3, 2015 at 9:51 PM, Joe Perches wrote: > (adding lkml as this is likely better discussed there) > > On Thu, 2015-12-03 at 15:42 -0500, Jason Baron wrote: >> On 12/03/2015 03:24 PM, Joe Perches wrote: >> > On Thu, 2015-12-03 at 15:10 -0500, Jason Baron wrote: >> > >

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Vlad Yasevich
On 12/04/2015 07:55 AM, Marcelo Ricardo Leitner wrote: > On Fri, Dec 04, 2015 at 11:40:02AM +0100, Dmitry Vyukov wrote: >> On Thu, Dec 3, 2015 at 9:51 PM, Joe Perches wrote: >>> (adding lkml as this is likely better discussed there) >>> >>> On Thu, 2015-12-03 at 15:42 -0500,

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Aaron Conole
Vlad Yasevich writes: > On 12/04/2015 07:55 AM, Marcelo Ricardo Leitner wrote: >> On Fri, Dec 04, 2015 at 11:40:02AM +0100, Dmitry Vyukov wrote: >>> On Thu, Dec 3, 2015 at 9:51 PM, Joe Perches wrote: (adding lkml as this is likely better discussed

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Marcelo Ricardo Leitner
On Fri, Dec 04, 2015 at 11:40:02AM +0100, Dmitry Vyukov wrote: > On Thu, Dec 3, 2015 at 9:51 PM, Joe Perches wrote: > > (adding lkml as this is likely better discussed there) > > > > On Thu, 2015-12-03 at 15:42 -0500, Jason Baron wrote: > >> On 12/03/2015 03:24 PM, Joe Perches

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Marcelo Ricardo Leitner
Hi Dmitry, Can you please test this patch? I'll re-post with proper subject if it works. Thanks. ---8<--- Dmitry Vyukov reported a use-after-free in the code expanded by the macro debug_post_sfx, which is caused by the use of the asoc pointer after it was freed within sctp_side_effect() scope.

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Jason Baron
On 12/04/2015 12:03 PM, Joe Perches wrote: > On Fri, 2015-12-04 at 11:47 -0500, Jason Baron wrote: >> When DYNAMIC_DEBUG is enabled we have this wrapper from >> include/linux/dynamic_debug.h: >> >> if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT)) >> >> >> So the compiler is not

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Jason Baron
On 12/04/2015 11:12 AM, Dmitry Vyukov wrote: > On Thu, Dec 3, 2015 at 9:51 PM, Joe Perches wrote: >> (adding lkml as this is likely better discussed there) >> >> On Thu, 2015-12-03 at 15:42 -0500, Jason Baron wrote: >>> On 12/03/2015 03:24 PM, Joe Perches wrote: On Thu,

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Joe Perches
On Fri, 2015-12-04 at 11:47 -0500, Jason Baron wrote: > When DYNAMIC_DEBUG is enabled we have this wrapper from > include/linux/dynamic_debug.h: > > if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT)) > > > So the compiler is not emitting the side-effects in this > case. Huh?  Do I

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Dmitry Vyukov
On Thu, Dec 3, 2015 at 9:51 PM, Joe Perches wrote: > (adding lkml as this is likely better discussed there) > > On Thu, 2015-12-03 at 15:42 -0500, Jason Baron wrote: >> On 12/03/2015 03:24 PM, Joe Perches wrote: >> > On Thu, 2015-12-03 at 15:10 -0500, Jason Baron wrote: >> > >

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Dmitry Vyukov
On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner wrote: > Hi Dmitry, > > Can you please test this patch? > I'll re-post with proper subject if it works. Still happening with the same stacks. > ---8<--- > > Dmitry Vyukov reported a use-after-free in the code

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Dmitry Vyukov
On Fri, Dec 4, 2015 at 10:34 PM, Marcelo Ricardo Leitner wrote: > On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote: >> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner >> wrote: >> > Hi Dmitry, >> > >> > Can you please

Re: use-after-free in sctp_do_sm

2015-12-04 Thread Marcelo Ricardo Leitner
On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote: > On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner > wrote: > > Hi Dmitry, > > > > Can you please test this patch? > > I'll re-post with proper subject if it works. > > Still happening with the same

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Dmitry Vyukov
On Thu, Dec 3, 2015 at 2:05 PM, Marcelo Ricardo Leitner wrote: > Hi, > > On Tue, Nov 24, 2015 at 10:15:57AM +0100, Dmitry Vyukov wrote: >> >> Call Trace: >> [] __asan_report_load4_noabort+0x3e/0x40 >> [] sctp_do_sm+0x42f6/0x4f60 >> []

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Marcelo Ricardo Leitner
Hi, On Tue, Nov 24, 2015 at 10:15:57AM +0100, Dmitry Vyukov wrote: > > Call Trace: > [] __asan_report_load4_noabort+0x3e/0x40 > [] sctp_do_sm+0x42f6/0x4f60 > [] sctp_primitive_SHUTDOWN+0xa9/0xd0 > [] sctp_close+0x616/0x790 > [] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471 > []

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Marcelo Ricardo Leitner
On Sat, Nov 28, 2015 at 04:50:56PM +0100, Dmitry Vyukov wrote: > This also seems to lead to the following WARNINGS: > > [ cut here ] > WARNING: CPU: 3 PID: 21734 at kernel/jump_label.c:77 > __static_key_slow_dec+0xfb/0x120() > jump label: negative count! > Modules linked

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Dmitry Vyukov
On Thu, Dec 3, 2015 at 6:02 PM, Eric Dumazet wrote: > On Thu, Dec 3, 2015 at 7:55 AM, Dmitry Vyukov wrote: >> On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet wrote: No, I don't. But pr_debug always computes its arguments. See

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Eric Dumazet
On Thu, Dec 3, 2015 at 7:55 AM, Dmitry Vyukov wrote: > On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet wrote: >>> >>> No, I don't. But pr_debug always computes its arguments. See no_printk >>> in printk.h. So this use-after-free happens for all users. >> >>

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Marcelo Ricardo Leitner
On Thu, Dec 03, 2015 at 02:51:33PM -0200, Marcelo Ricardo Leitner wrote: > On Sat, Nov 28, 2015 at 04:50:56PM +0100, Dmitry Vyukov wrote: > > This also seems to lead to the following WARNINGS: > > > > [ cut here ] > > WARNING: CPU: 3 PID: 21734 at kernel/jump_label.c:77 >

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Marcelo Ricardo Leitner
On Thu, Dec 03, 2015 at 04:55:44PM +0100, Dmitry Vyukov wrote: > On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet wrote: > >> > >> No, I don't. But pr_debug always computes its arguments. See no_printk > >> in printk.h. So this use-after-free happens for all users. > > > > Hmm. >

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Eric Dumazet
> > No, I don't. But pr_debug always computes its arguments. See no_printk > in printk.h. So this use-after-free happens for all users. Hmm. pr_debug() should be a nop unless either DEBUG or CONFIG_DYNAMIC_DEBUG are set On our production kernels, pr_debug() is a nop. Can you double check ?

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Dmitry Vyukov
On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet wrote: >> >> No, I don't. But pr_debug always computes its arguments. See no_printk >> in printk.h. So this use-after-free happens for all users. > > Hmm. > > pr_debug() should be a nop unless either DEBUG or CONFIG_DYNAMIC_DEBUG

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Aaron Conole
Dmitry Vyukov writes: > On Thu, Dec 3, 2015 at 6:02 PM, Eric Dumazet wrote: >> On Thu, Dec 3, 2015 at 7:55 AM, Dmitry Vyukov wrote: >>> On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet wrote: > > No, I don't.

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Jason Baron
On 12/03/2015 01:52 PM, Aaron Conole wrote: > Dmitry Vyukov writes: >> On Thu, Dec 3, 2015 at 6:02 PM, Eric Dumazet wrote: >>> On Thu, Dec 3, 2015 at 7:55 AM, Dmitry Vyukov wrote: On Thu, Dec 3, 2015 at 3:48 PM, Eric Dumazet

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Joe Perches
On Thu, 2015-12-03 at 15:10 -0500, Jason Baron wrote: > On 12/03/2015 03:03 PM, Joe Perches wrote: > > On Thu, 2015-12-03 at 14:32 -0500, Jason Baron wrote: > > > On 12/03/2015 01:52 PM, Aaron Conole wrote: > > > > I think that as a minimum, the following patch should be evaluated, > > > > but am

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Joe Perches
On Thu, 2015-12-03 at 13:52 -0500, Aaron Conole wrote: > Dmitry Vyukov writes: > > On Thu, Dec 3, 2015 at 6:02 PM, Eric Dumazet wrote: > > > On Thu, Dec 3, 2015 at 7:55 AM, Dmitry Vyukov wrote: > > > > On Thu, Dec 3, 2015 at 3:48 PM,

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Joe Perches
On Thu, 2015-12-03 at 14:32 -0500, Jason Baron wrote: > On 12/03/2015 01:52 PM, Aaron Conole wrote: > > I think that as a minimum, the following patch should be evaluated, > > but am unsure to whom I should submit it (after I test): [] > Agreed - the intention here is certainly to have no side

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Joe Perches
(adding lkml as this is likely better discussed there) On Thu, 2015-12-03 at 15:42 -0500, Jason Baron wrote: > On 12/03/2015 03:24 PM, Joe Perches wrote: > > On Thu, 2015-12-03 at 15:10 -0500, Jason Baron wrote: > > > On 12/03/2015 03:03 PM, Joe Perches wrote: > > > > On Thu, 2015-12-03 at 14:32

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Jason Baron
On 12/03/2015 03:03 PM, Joe Perches wrote: > On Thu, 2015-12-03 at 14:32 -0500, Jason Baron wrote: >> On 12/03/2015 01:52 PM, Aaron Conole wrote: >>> I think that as a minimum, the following patch should be evaluated, >>> but am unsure to whom I should submit it (after I test): > [] >> Agreed -

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Jason Baron
On 12/03/2015 03:24 PM, Joe Perches wrote: > On Thu, 2015-12-03 at 15:10 -0500, Jason Baron wrote: >> On 12/03/2015 03:03 PM, Joe Perches wrote: >>> On Thu, 2015-12-03 at 14:32 -0500, Jason Baron wrote: On 12/03/2015 01:52 PM, Aaron Conole wrote: > I think that as a minimum, the following

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Vlad Yasevich
On 12/03/2015 01:06 PM, Marcelo wrote: > > > On 3 December 2015 15:59:10 BRST, Eric Dumazet > wrote: >> On Thu, 2015-12-03 at 15:43 -0200, Marcelo Ricardo Leitner wrote: >> >>> Vlad, others, >>> >>> It's been a long time but this was introduced by commit

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Marcelo
On 3 December 2015 15:59:10 BRST, Eric Dumazet wrote: >On Thu, 2015-12-03 at 15:43 -0200, Marcelo Ricardo Leitner wrote: > >> Vlad, others, >> >> It's been a long time but this was introduced by commit 914e1c8b6980 >> ("sctp: Inherit all socket options from

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Eric Dumazet
On Thu, 2015-12-03 at 15:43 -0200, Marcelo Ricardo Leitner wrote: > Vlad, others, > > It's been a long time but this was introduced by commit 914e1c8b6980 > ("sctp: Inherit all socket options from parent correctly."). This is not > very consistent with how other protocols work and it will be

Re: use-after-free in sctp_do_sm

2015-12-03 Thread Marcelo
On Thu, Dec 03, 2015 at 01:35:37PM -0500, Vlad Yasevich wrote: > On 12/03/2015 01:06 PM, Marcelo wrote: > > > > > > On 3 December 2015 15:59:10 BRST, Eric Dumazet > > wrote: > >> On Thu, 2015-12-03 at 15:43 -0200, Marcelo Ricardo Leitner wrote: > >> > >>> Vlad,

Re: use-after-free in sctp_do_sm

2015-11-28 Thread Dmitry Vyukov
>>>> On Tue, Nov 24, 2015 at 10:15 AM, Dmitry Vyukov <dvyu...@google.com> wrote: >>>>> Hello, >>>>> >>>>> The following program triggers use-after-free in sctp_do_sm: >>>>> >>>>> // autogener

Re: use-after-free in sctp_do_sm

2015-11-25 Thread Vlad Yasevich
ogle.com> wrote: >>>> Hello, >>>> >>>> The following program triggers use-after-free in sctp_do_sm: >>>> >>>> // autogenerated by syzkaller (http://github.com/google/syzkaller) >>>> #include >>>> #include >>>> #include

Re: use-after-free in sctp_do_sm

2015-11-24 Thread Neil Horman
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", > >> 128); > >> long r6 = syscall(SYS_sendto, r0, 0x2faaul, 0x5eul, > >> 0x81ul, 0x233aul, 0x80ul); > >> return 0; > >> } > >> > >> > >> ==

Re: use-after-free in sctp_do_sm

2015-11-24 Thread Eric Dumazet
..@google.com> > > > wrote: > > >> Hello, > > >> > > >> The following program triggers use-after-free in sctp_do_sm: > > >> > > >> // autogenerated by syzkaller (http://github.com/google/syzkaller) > > >> #include > >

Re: use-after-free in sctp_do_sm

2015-11-24 Thread David Miller
From: Neil Horman Date: Tue, 24 Nov 2015 15:45:54 -0500 >> The right commit is: >> >> commit 7d267278a9ece963d77eefec61630223fce08c6c >> Author: Rainer Weikusat >> Date: Fri Nov 20 22:07:23 2015 + >> unix: avoid use-after-free in ep_remove_wait_queue > This

use-after-free in sctp_do_sm

2015-11-24 Thread Dmitry Vyukov
Hello, The following program triggers use-after-free in sctp_do_sm: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include int main() { long r0 = syscall(SYS_socket, 0xaul, 0x80805ul, 0x0ul, 0, 0, 0); long r1 = syscall(SYS_mmap

Re: use-after-free in sctp_do_sm

2015-11-24 Thread Dmitry Vyukov
On Tue, Nov 24, 2015 at 10:15 AM, Dmitry Vyukov <dvyu...@google.com> wrote: > Hello, > > The following program triggers use-after-free in sctp_do_sm: > > // autogenerated by syzkaller (http://github.com/google/syzkaller) > #include > #include > #include > >

Re: use-after-free in sctp_do_sm

2015-11-24 Thread Dmitry Vyukov
On Tue, Nov 24, 2015 at 10:31 AM, Dmitry Vyukov <dvyu...@google.com> wrote: > On Tue, Nov 24, 2015 at 10:15 AM, Dmitry Vyukov <dvyu...@google.com> wrote: >> Hello, >> >> The following program triggers use-after-free in sctp_do_sm: >> >> // autogen