lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Jul 2017 09:34:56 +0300 From: Elena Reshetova <elena.reshetova@...el.com> To: netdev@...r.kernel.org Cc: linux-kernel@...r.kernel.org, davem@...emloft.net, jmorris@...ei.org, kaber@...sh.net, yoshfuji@...ux-ipv6.org, steffen.klassert@...unet.com, kuznet@....inr.ac.ru, peterz@...radead.org, keescook@...omium.org, Elena Reshetova <elena.reshetova@...el.com>, Hans Liljestrand <ishkamiel@...il.com>, David Windsor <dwindsor@...il.com> Subject: [PATCH 3/9] net, ipv6: convert inet6_ifaddr.refcnt from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@...el.com> Signed-off-by: Hans Liljestrand <ishkamiel@...il.com> Signed-off-by: Kees Cook <keescook@...omium.org> Signed-off-by: David Windsor <dwindsor@...il.com> --- include/net/addrconf.h | 6 +++--- include/net/if_inet6.h | 2 +- net/ipv6/addrconf.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/net/addrconf.h b/include/net/addrconf.h index 620bd9a..6df79e9 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h @@ -350,18 +350,18 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp); static inline void in6_ifa_put(struct inet6_ifaddr *ifp) { - if (atomic_dec_and_test(&ifp->refcnt)) + if (refcount_dec_and_test(&ifp->refcnt)) inet6_ifa_finish_destroy(ifp); } static inline void __in6_ifa_put(struct inet6_ifaddr *ifp) { - atomic_dec(&ifp->refcnt); + refcount_dec(&ifp->refcnt); } static inline void in6_ifa_hold(struct inet6_ifaddr *ifp) { - atomic_inc(&ifp->refcnt); + refcount_inc(&ifp->refcnt); } diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h index e7a17b2..2b41cb8 100644 --- a/include/net/if_inet6.h +++ b/include/net/if_inet6.h @@ -46,7 +46,7 @@ struct inet6_ifaddr { /* In seconds, relative to tstamp. Expiry is at tstamp + HZ * lft. */ __u32 valid_lft; __u32 prefered_lft; - atomic_t refcnt; + refcount_t refcnt; spinlock_t lock; int state; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 2365f12..3c46e95 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1050,7 +1050,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, ifa->idev = idev; /* For caller */ - in6_ifa_hold(ifa); + refcount_set(&ifa->refcnt, 1); /* Add to big hash table */ hash = inet6_addr_hash(addr); -- 2.7.4
Powered by blists - more mailing lists