Date:	Tue, 7 Jul 2009 08:59:59 +0200
From:	Lothar Waßmann <LW@...O-electronics.de>
To:	David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, urs.thuermann@...kswagen.de,
	oliver.hartkopp@...kswagen.de
Subject: Re: use after free bug in socket code

Hi,

David Miller writes:
> From: Lothar Waßmann <LW@...O-electronics.de>
> Date: Thu, 2 Jul 2009 13:26:30 +0200
> 
> > Hi,
> > 
> > while developing a canbus driver (with kernel 2.6.30-rc4) I
> > encountered a use-after-free bug that led to the following crash (due
> > to CONFIG_DEBUG_SLAB being enabled):
>  ...
> > With the following patch I could alleviate the problem and did not
> > find any negative side effects, but I'm not sure, whether this is the
> > Right Thing(TM), since I'm not too familiar with the networking code:
>  ...
> > Any comments on this?
> 
> A patch like this shouldn't be needed.
> 
Could you explain why it shouldn't be needed?
To me it seems much more logical to invalidate any references from
some object 'B' (struct sock) to some object 'A' (struct socket) when
object 'A' is being released rather than invalidating them when object
'B' is being released.

As far as I understand the code the 'struct socket' can vanish any
time after sock_release() has been called. Thus the pointers in the
'struct sock' that point to the 'struct socket' should be invalidated
at that point and not when the 'struct sock' itself is being released.

Also, the messages I had added showed that sock_release() is being
called before sk_common_release() (from standard networking code that
has nothing to do with my can driver) leaving the 'struct sock' object
with dangling 'sk_sleep' and 'sk_socket' pointers for the time between
those two function calls. And I don't see anything preventing those
pointers from being dereferenced during this time.


Lothar Waßmann
-- 
___________________________________________________________

Ka-Ro electronics GmbH | Pascalstraße 22 | D - 52076 Aachen
Phone: +49 2408 1402-0 | Fax: +49 2408 1402-10
Geschäftsführer: Matthias Kaussen
Handelsregistereintrag: Amtsgericht Aachen, HRB 4996

www.karo-electronics.de | info@...o-electronics.de
___________________________________________________________
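The lifetime question raised in the mail (which object should clear the back-references from `struct sock` to `struct socket`, and what happens in the window between `sock_release()` and `sk_common_release()`) can be shown in a few lines of user-space C. The following is an added model, not kernel code and not from this thread: the struct and field names (`sk_socket`, `sk_sleep`) mirror the kernel's for readability, the one-slot "slab" with a freed flag is constructed so that the example can report a use-after-free the way CONFIG_DEBUG_SLAB poisoning does instead of actually touching freed memory, and `model_wakeup()` stands for any path that still reaches the `struct sock` in that window. Running the same scenario with and without invalidating the back-references at release time makes the difference the mail argues for concrete. In the kernel of that era the usual way to perform this invalidation is `sock_orphan()`, which clears `sk_socket` and `sk_sleep` under `sk_callback_lock` and is normally called from the protocol's release handler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the slab allocator: a single struct socket slot
 * plus a "freed" flag.  This lets the example detect a dereference of freed
 * memory (as CONFIG_DEBUG_SLAB poisoning would) without invoking undefined
 * behaviour.  Names mirror the kernel's; this is a model, not kernel code. */
struct sock;

struct socket {
    int wait;                   /* stands for the wait queue embedded in struct socket */
    struct sock *sk;            /* A -> B */
};

struct sock {
    struct socket *sk_socket;   /* B -> A back-reference */
    int *sk_sleep;              /* points into A's storage */
};

static struct socket slab_slot;
static bool slab_slot_freed;

static struct socket *slab_alloc_socket(void)
{
    memset(&slab_slot, 0, sizeof slab_slot);
    slab_slot_freed = false;
    return &slab_slot;
}

static void slab_free_socket(struct socket *sock)
{
    (void)sock;
    slab_slot_freed = true;     /* models poisoning of the freed object */
}

/* Model of sock_release(): the struct socket goes away here.  With
 * invalidate_backrefs set, B's pointers into A are cleared first, which is
 * what the mail argues should happen when A is released. */
static void model_sock_release(struct socket *sock, bool invalidate_backrefs)
{
    struct sock *sk = sock->sk;

    if (invalidate_backrefs && sk) {
        sk->sk_socket = NULL;
        sk->sk_sleep = NULL;
        sock->sk = NULL;
    }
    slab_free_socket(sock);
}

/* Something that runs in the window between sock_release() and
 * sk_common_release() while the struct sock is still alive, e.g. a wakeup.
 * Returns 0 if it saw a NULL pointer and bailed out, 1 if it would have
 * followed sk_sleep into freed memory. */
static int model_wakeup(const struct sock *sk)
{
    if (!sk->sk_sleep)
        return 0;                       /* orphaned: nothing to wake */
    if (slab_slot_freed && sk->sk_sleep == &slab_slot.wait)
        return 1;                       /* use-after-free detected */
    return 0;                           /* queue is valid; would wake it here */
}

/* Build A and B, release A, then run the consumer on the still-live B. */
static int run_scenario(bool invalidate_backrefs)
{
    struct sock sk;
    struct socket *sock = slab_alloc_socket();

    sock->sk = &sk;
    sk.sk_socket = sock;
    sk.sk_sleep = &sock->wait;

    model_sock_release(sock, invalidate_backrefs);
    /* sk_common_release() has not run yet: struct sock is still reachable. */
    return model_wakeup(&sk);
}

int main(void)
{
    printf("without invalidation at release: %s\n",
           run_scenario(false) ? "use-after-free" : "ok");
    printf("with invalidation at release:    %s\n",
           run_scenario(true) ? "use-after-free" : "ok");
    return 0;
}
```

The model deliberately keeps `struct sock` alive after `struct socket` is gone, because that is exactly the window the mail describes; clearing the pointers when the `struct sock` itself is released would be too late for anything that runs inside that window.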