Date:	Thu, 11 Feb 2016 17:03:44 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Rainer Weikusat <rweikusat@...ileactivedefense.com>,
	Philipp Hahn <pmhahn@...ahn.de>
Cc:	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	Sasha Levin <sasha.levin@...cle.com>,
	"David S. Miller" <davem@...emloft.net>,
	linux-kernel@...r.kernel.org, Karolin Seeger <kseeger@...ba.org>,
	Jason Baron <jbaron@...mai.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Arvid Requate <requate@...vention.de>,
	Stefan Gohmann <gohmann@...vention.de>
Subject: Re: Bug 4.1.16: self-detected stall in net/unix/?

On Thu, 2016-02-11 at 15:55 +0000, Rainer Weikusat wrote:
> Philipp Hahn <pmhahn@...ahn.de> writes:
> 
> [...]
> 
> > Probably the same bug was also reported to samba-technical by Karolin
> > Seeger; she filed the bug for 3.19-ckt with Ubuntu:
> > 
> > 
> > 
> > Running the Samba test suite reproduces the problem; see bug for
> > details.
> 
> 
> JFTR: The oops in this bug report is for 3.13.0-77 and the patch you
> reverted for 4.1 is not part of that (at least not of the upstream 3.13).
[...]

It is in 3.13-ckt and basically all the stable branches.

Does the patch below fix this bug?

Ben.

---
unix: Fix potential double-unlock in unix_dgram_sendmsg()

A datagram socket may be peered with itself, so that sk == other.  We
use unix_state_double_lock() to lock sk and other in the right order,
which also guards against this and only locks the socket once, but we
then end up trying to unlock it twice.  Add the check for sk != other.

Reported-by: Philipp Hahn <pmhahn@...ahn.de>
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Cc: stable <stable@...r.kernel.org>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 net/unix/af_unix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index c5bf5ef2bf89..b4320d3e3a25 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1810,7 +1810,7 @@ restart_locked:
 		}
 	}
 
-	if (unlikely(sk_locked))
+	if (unlikely(sk_locked) && sk != other)
 		unix_state_unlock(sk);
 
 	if (sock_flag(other, SOCK_RCVTSTAMP))
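Review bot: the `sk != other` guard is placed at the unlock site here while the asymmetry comes from unix_state_double_lock() taking only one lock for a self-peered socket (per the commit message), so the same condition has to be repeated at out_unlock below and at any future unlock of sk; an alternative that keeps both unlock sites unchanged is to leave sk_locked clear when sk == other at the point it is set. Minor: unlikely() now wraps only sk_locked, so `if (unlikely(sk_locked && sk != other))` would express the intended branch hint.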
@@ -1826,7 +1826,7 @@ restart_locked:
 	return len;
 
 out_unlock:
-	if (sk_locked)
+	if (sk_locked && sk != other)
 		unix_state_unlock(sk);
 	unix_state_unlock(other);
 out_free:
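Review bot: a one-line comment at out_unlock saying that unix_state_double_lock() holds a single lock when sk == other and that unix_state_unlock(other) releases it in that case would stop the next reader from reading the `sk != other` test as a missed unlock; the reason is only in the commit message, not in the code. It would also help to state in the commit message that the second unlock is what produced the reported self-detected stall, since the subject mentions only the stall.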

-- 
Ben Hutchings
Who are all these weirdos? - David Bowie, reading IRC for the first time
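Added example, not kernel code and not part of the mail above: a small C model of the locking the commit message describes. `struct sock`, `state_lock`, `state_unlock` and `double_lock` are hypothetical stand-ins (the last for unix_state_double_lock(), which takes a single lock when sk == other); `run_out_unlock` replays the patch's out_unlock sequence with and without the `sk != other` guard and counts lock misuse, so the double unlock on a self-peered datagram socket shows up as a fault instead of a stall.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not kernel code: a model of the per-socket state lock
 * that counts misuse in `faults` instead of hanging, so a double unlock shows. */
struct sock { int locked; int faults; };

static void state_lock(struct sock *s)
{
	if (s->locked)
		s->faults++;          /* a real spinlock would spin forever */
	s->locked = 1;
}

static void state_unlock(struct sock *s)
{
	if (!s->locked)
		s->faults++;          /* double unlock */
	s->locked = 0;
}

/* Models unix_state_double_lock(): lock in address order, and take only
 * ONE lock when sk and other are the same (self-peered) socket. */
static void double_lock(struct sock *a, struct sock *b)
{
	if (a == b) {
		state_lock(a);
		return;
	}
	state_lock((uintptr_t)a < (uintptr_t)b ? a : b);
	state_lock((uintptr_t)a < (uintptr_t)b ? b : a);
}

/* out_unlock from the patch; guarded=0 is pre-patch, guarded=1 adds sk != other */
static int run_out_unlock(struct sock *sk, struct sock *other, int guarded)
{
	int sk_locked = 1;            /* sendmsg took the double lock */
	double_lock(sk, other);
	if (sk_locked && (!guarded || sk != other))
		state_unlock(sk);
	state_unlock(other);
	return sk == other ? sk->faults : sk->faults + other->faults;
}

int main(void)
{
	struct sock self = { 0, 0 };
	printf("self-peered, unpatched: %d fault(s)\n", run_out_unlock(&self, &self, 0));
	return 0;
}
```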