ucount: use-after-free read in inc_ucount & dec_ucount

Eric W. Biederman ebiederm at xmission.com
Sun Mar 5 21:00:25 UTC 2017

쪼르 <zzoru007 at gmail.com> writes:

> Hi, This is my new one report about dec_ucount:
> ps.Sorry for my uncomfortable report. This is my first usage of lkml. 
> Syzkaller hit 'KASAN: use-after-free Read in dec_ucount' bug on commit
> .

You are doing well.  Thank you very much for the report.

Thank you for the reproducer.  Unfortunately I am not able to reproduce
the bug with what the code you have posted here.

>From the initial mailing the code said:

> Syzkaller reproducer:
> # {Threaded:false Collide:false Repeat:true Procs:4 Sandbox:setuid
> Repro:false}
> inotify_init()

The code you posted says:

> Syzkaller reproducer:
> # {Threaded:false Collide:false Repeat:true Procs:1 Sandbox:setuid Repro:false}
> semget$private(0x0, 0x400001003, 0x181)

So I expect syzkaller did not create the same code when you ran it
again.  Something easy to miss if you haven't run used a tool like that

If someone knows how to get the code that syzkaller would generate that
matches the original reproducer I would very much appreciate it so that
we can confirm the bug we have spotted in the code is the bug syzkaller

Until that point I am going to fix the obvious bug in the code and hope
that fixes the problem.


More information about the Containers mailing list