Date: Tue, 7 Jul 2009 08:59:59 +0200
From: Lothar Waßmann <LW@...O-electronics.de>
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org, urs.thuermann@...kswagen.de,
oliver.hartkopp@...kswagen.de
Subject: Re: use after free bug in socket code
Hi,
David Miller writes:
> From: Lothar Waßmann <LW@...O-electronics.de>
> Date: Thu, 2 Jul 2009 13:26:30 +0200
>
> > Hi,
> >
> > while developing a canbus driver (with kernel 2.6.30-rc4) I
> > encountered a use-after-free bug that led to the following crash (due
> > to CONFIG_DEBUG_SLAB being enabled):
> ...
> > With the following patch I could alleviate the problem and did not
> > find any negative side effects, but I'm not sure, whether this is the
> > Right Thing(TM), since I'm not too familiar with the networking code:
> ...
> > Any comments on this?
>
> A patch like this shouldn't be needed.
>
Could you explain why it shouldn't be needed?
To me it seems much more logical to invalidate any references from
some object 'B' (struct sock) to some object 'A' (struct socket) when
object 'A' is being released rather than invalidating them when object
'B' is being released.
As far as I understand the code the 'struct socket' can vanish any
time after sock_release() has been called. Thus the pointers in the
'struct sock' that point to the 'struct socket' should be invalidated
at that point and not when the 'struct sock' itself is being released.
Also, the messages I had added showed that sock_release() is being
called before sk_common_release() (from standard networking code that
has nothing to do with my can driver) leaving the 'struct sock' object
with dangling 'sk_sleep' and 'sk_socket' pointers for the time between
those two function calls. And I don't see anything preventing those
pointers from being dereferenced during this time.
Lothar Waßmann
--
___________________________________________________________
Ka-Ro electronics GmbH | Pascalstraße 22 | D - 52076 Aachen
Phone: +49 2408 1402-0 | Fax: +49 2408 1402-10
Geschäftsführer: Matthias Kaussen
Handelsregistereintrag: Amtsgericht Aachen, HRB 4996
www.karo-electronics.de | info@...o-electronics.de
___________________________________________________________
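The ordering argued for above, as an added toy model in C (not code from this thread or from the kernel; all struct and function names are hypothetical): object 'A' is released first and clears object 'B''s back-references at that moment, so code running between the two releases sees a NULL it can check rather than a stale pointer it cannot tell from a live one.

```c
#include <stdlib.h>

/* Toy model of the relationship discussed above: 'A' (after struct socket,
 * with an embedded wait queue) and 'B' (after struct sock) holding
 * back-pointers into A. Names are hypothetical; this is not kernel code. */
struct model_waitq { int wakeups; };
struct model_sock;
struct model_socket {
    struct model_waitq wait;         /* lives inside A */
    struct model_sock *sk;           /* A -> B */
};
struct model_sock {
    struct model_socket *sk_socket;  /* B -> A */
    struct model_waitq *sk_sleep;    /* B -> A's wait queue */
};

/* Allocate A and B and link them both ways; returns B, hands A back via out_sock. */
struct model_sock *model_pair_alloc(struct model_socket **out_sock) {
    struct model_socket *a = calloc(1, sizeof *a);
    struct model_sock *b = calloc(1, sizeof *b);
    if (!a || !b) { free(a); free(b); return NULL; }
    a->sk = b;
    b->sk_socket = a;
    b->sk_sleep = &a->wait;
    *out_sock = a;
    return b;
}

/* Release A. With invalidate != 0, B's back-references are cleared at the
 * moment A vanishes (the ordering argued for in the mail); with 0 they are
 * left dangling until B itself is released. */
void model_sock_release(struct model_socket *a, int invalidate) {
    if (invalidate && a->sk) {
        a->sk->sk_socket = NULL;
        a->sk->sk_sleep = NULL;
    }
    free(a);
}

/* Code running between the two releases that wants A's wait queue.
 * Returns 1 if the queue was used, 0 if the reference is gone. The NULL
 * check only helps because the pointer was cleared; a stale one looks live. */
int model_wake_sleepers(struct model_sock *b) {
    if (!b->sk_sleep) return 0;
    b->sk_sleep->wakeups++;
    return 1;
}
/* Release B (the later of the two releases in the mail's ordering). */
void model_sk_common_release(struct model_sock *b) { free(b); }
```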