Date:   Tue, 06 Feb 2018 11:32:18 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     pabeni@...hat.com
Cc:     netdev@...r.kernel.org, jhs@...atatu.com, xiyou.wangcong@...il.com,
        jiri@...nulli.us, shuali@...hat.com, ivecera@...hat.com
Subject: Re: [PATCH net v4] cls_u32: fix use after free in u32_destroy_key()

From: Paolo Abeni <pabeni@...hat.com>
Date: Mon,  5 Feb 2018 22:23:01 +0100

> Li Shuang reported an Oops with cls_u32 due to a use-after-free
> in u32_destroy_key(). The use-after-free can be triggered with:
> 
> dev=lo
> tc qdisc add dev $dev root handle 1: htb default 10
> tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256
> tc filter add dev $dev protocol ip parent 1: prio 5 u32 ht 800:: match ip dst\
>  10.0.0.0/8 hashkey mask 0x0000ff00 at 16 link 1:
> tc qdisc del dev $dev root
> 
> Which causes the following kasan splat:
 ...
> The problem is that the htnode is freed before the linked knodes and the
> latter will try to access the first at u32_destroy_key() time.
> This change addresses the issue using the htnode refcnt to guarantee
> the correct free order. While at it also add a RCU annotation,
> to keep sparse happy.
> 
> v1 -> v2: use rtnl_dereference() instead of RCU read locks
> v2 -> v3:
>   - don't check refcnt in u32_destroy_hnode()
>   - cleaned-up u32_destroy() implementation
>   - cleaned-up code comment
> v3 -> v4:
>   - dropped unneeded comment
> 
> Reported-by: Li Shuang <shuali@...hat.com>
> Fixes: c0d378ef1266 ("net_sched: use tcf_queue_work() in u32 filter")
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>

Applied and queued up for -stable, thanks!
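The ordering problem the commit message describes, and the refcount-based fix, modelled in user space as an added example (this is not code from the kernel or from the patch; struct and field names are simplified stand-ins for tc_u_hnode / tc_u_knode, and "kfree" is replaced by a poisoning allocator so that the access after free is detected and reported rather than crashing the process):

```c
#include <stdio.h>
#include <stdlib.h>

#define HT_LIVE   0x75333200u
#define HT_POISON 0xdeadbeefu

/* Simplified stand-ins for struct tc_u_hnode / tc_u_knode (field names
 * are assumptions; the real structures carry far more state). */
struct hnode {
    unsigned int magic;    /* HT_LIVE while allocated, HT_POISON after "kfree" */
    int refcnt;            /* creator's reference plus one per knode linking here */
    unsigned int divisor;
};

struct knode {
    struct hnode *ht_down; /* table this key "link"s to (the "link 1:" above) */
    unsigned int handle;
};

/* Model of kfree(): poison the object instead of releasing it, and keep the
 * pointer so a later access is recognisable and the memory can be freed. */
static struct hnode *quarantine[16];
static int nquar;

static void kfree_model(struct hnode *ht)
{
    ht->magic = HT_POISON;
    if (nquar < 16)
        quarantine[nquar++] = ht;
}

static struct hnode *hnode_alloc(unsigned int divisor)
{
    struct hnode *ht = calloc(1, sizeof(*ht));
    if (!ht)
        abort();
    ht->magic = HT_LIVE;
    ht->refcnt = 1;        /* held by the filter that created the table */
    ht->divisor = divisor;
    return ht;
}

/* Drop one reference; free on the last one. Returns 1 if the hnode had
 * already been freed, i.e. this access is the use-after-free. */
static int hnode_put(struct hnode *ht)
{
    if (ht->magic != HT_LIVE)
        return 1;
    if (--ht->refcnt == 0)
        kfree_model(ht);
    return 0;
}

/* Role of u32_destroy_key(): the knode releases the table it links to.
 * Returns 1 if that touched freed memory. */
static int destroy_key(struct knode *n)
{
    int uaf = 0;
    if (n->ht_down)
        uaf = hnode_put(n->ht_down);
    free(n);
    return uaf;
}

static struct knode *knode_linked_to(struct hnode *ht)
{
    struct knode *n = calloc(1, sizeof(*n));
    if (!n)
        abort();
    n->ht_down = ht;
    ht->refcnt++;          /* the knode now holds a reference on the table */
    return n;
}

/* Pre-fix ordering from the report: the hnode is freed outright while a
 * knode still links to it, and the deferred knode teardown runs afterwards. */
static int teardown_before_fix(void)
{
    struct hnode *ht = hnode_alloc(256);
    struct knode *n = knode_linked_to(ht);

    kfree_model(ht);       /* table freed regardless of outstanding links */
    return destroy_key(n); /* queued work later decrements a freed refcnt */
}

/* Post-fix ordering: destroying the hnode only drops the creator's
 * reference; the last linked knode's destroy_key() performs the free. */
static int teardown_after_fix(void)
{
    struct hnode *ht = hnode_alloc(256);
    struct knode *n = knode_linked_to(ht);
    int uaf = hnode_put(ht); /* refcnt 2 -> 1, table stays alive */

    uaf |= destroy_key(n);   /* refcnt 1 -> 0, table freed here, in order */
    return uaf;
}

static void release_quarantine(void)
{
    while (nquar > 0)
        free(quarantine[--nquar]);
}

int main(void)
{
    printf("before fix: %s\n", teardown_before_fix() ? "use-after-free" : "ok");
    printf("after fix:  %s\n", teardown_after_fix() ? "use-after-free" : "ok");
    release_quarantine();
    return 0;
}
```

The point the model makes is the one the changelog states: once knode teardown is deferred to a work queue, the hnode's lifetime can no longer be tied to the moment the hash table is "destroyed"; it has to follow the refcount, so whichever object is released last does the free. In the real kernel the same idea is what makes the fix safe under RCU as well, since the deferred work is the only remaining reader of ht_down.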
