| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Nov 2017 11:14:29 -0500 (EST)
From: David Miller <davem@...emloft.net>
To: maloneykernel@...il.com
Cc: netdev@...r.kernel.org, willemdebruijn.kernel@...il.com,
eric.dumazet@...il.com, maloney@...gle.com
Subject: Re: [PATCH net] packet: fix crash in fanout_demux_rollover()
From: Mike Maloney <maloneykernel@...il.com>
Date: Tue, 28 Nov 2017 10:44:29 -0500
> From: Mike Maloney <maloney@...gle.com>
>
> syzkaller found a race condition fanout_demux_rollover() while removing
> a packet socket from a fanout group.
>
> po->rollover is read and operated on during packet_rcv_fanout(), via
> fanout_demux_rollover(), but the pointer is currently cleared before the
> synchronization in packet_release(). It is safer to delay the cleanup
> until after synchronize_net() has been called, ensuring all calls to
> packet_rcv_fanout() for this socket have finished.
>
> To further simplify synchronization around the rollover structure, set
> po->rollover in fanout_add() only if there are no errors. This removes
> the need for rcu in the struct and in the call to
> packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).
>
> Crashing stack trace:
...
> Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
> Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Mike Maloney <maloney@...gle.com>
Applied and queued up for -stable.
Powered by blists - more mailing lists