From: Hillf Danton
To: Zhenpeng Lin
Cc: Dan Carpenter, linux-mm, linux-kernel, netdev
Subject: Re: Fixing a severe kernel bug
Date: Sat, 6 Aug 2022 20:32:59 +0800
Message-Id: <20220806123259.1932-1-hdanton@sina.com>
In-Reply-To: <20220806064502.888BF5204D1@webmail.sinamail.sina.com.cn>

On Sat, 06 Aug 2022 14:45:02 +0800 Hillf Danton wrote:
> Hey Zhenpeng,
>
> Nice to read your email.
>
> WRT fixing the kernel bug found in the `cls route4` subsystem, could you add
> netdev@vger.kernel.org, linux-mm@kvack.org and linux-kernel@vger.kernel.org
> to the Cc list?
>
> Because I have no access to google.com, feel free to add a lore link to
> the bug after taking a look at [1].
>
> Your POC triggering the UAF is welcome, and when you post it, feel free
> to attach any relevant patch you saw.

Two seconds ...

If no CVE number has been assigned to the UAF yet, register it with the CVE system, with your POC and all the patches you know survived your tests, before replying to this mail thread. Dan, please help Zhenpeng if he has difficulty registering a CVE.

> Thanks
> Hillf
>
> [1] Re: [syzbot] INFO: trying to register non-static key in rxe_cleanup_task - syzbot (kernel.org)

The link should have been https://lore.kernel.org/lkml/000000000000f0980c05e5565f2d@google.com/

> ----- Original Message -----
> From: Zhenpeng Lin
> To: hdanton@sina.com
> Subject: Fixing a severe kernel bug
> Date: 2022-08-02 11:41
>
> Hi Hillf,
>
> This is Zhenpeng Lin from Northwestern University. I noticed that there
> are some discussions (https://groups.google.com/g/syzkaller-bugs/c/biJRUL5LBM4/m/0v1148e5AwAJ,
> where you are involved) about a kernel bug found in the `cls route4` subsystem.
>
> I just want to let you know that the bug is very severe and could lead to
> privilege escalation very easily. This bug has multiple error behaviors: it
> shows as an ODEBUG bug here, but it could actually cause a use-after-free and
> a double-free, which could be exploited easily.
>
> If you would like a POC triggering the UAF, let me know and I will be happy
> to show it.
>
> I saw there is already a patch for that, but it has not been committed
> upstream since June. I wonder if you could go ahead and fix the bug as soon
> as possible.
>
> If you have any questions or concerns, I would be happy to help.
>
> Best,
> Zhenpeng