Open Source and information security mailing list archives
 
Date:   Fri, 23 Feb 2018 10:48:47 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     alexey.kodanev@...cle.com
Cc:     netdev@...r.kernel.org, gfree.wind@....163.com
Subject: Re: [PATCH net] macvlan: fix use-after-free in
 macvlan_common_newlink()

From: Alexey Kodanev <alexey.kodanev@...cle.com>
Date: Thu, 22 Feb 2018 18:20:30 +0300

> The following use-after-free was reported by KASan when running
> LTP macvtap01 test on 4.16-rc2:
 ...
> Commit d02fd6e7d293 ("macvlan: Fix one possible double free") handles
> the case when register_netdevice() invokes ndo_uninit() on error and
> as a result frees the port. But the 'macvlan_port_get_rtnl(dev)' check
> (returns dev->rx_handler_data), which was added by this commit in order
> to prevent double free, is not quite correct:
> 
> * for macvlan it always returns NULL because 'lowerdev' is the one that
>   was used to register rx handler (port) in macvlan_port_create() as
>   well as to unregister it in macvlan_port_destroy().
> * for macvtap it always returns a valid pointer because macvtap registers
>   its own rx handler before macvlan_common_newlink().
> 
> Fixes: d02fd6e7d293 ("macvlan: Fix one possible double free")
> Signed-off-by: Alexey Kodanev <alexey.kodanev@...cle.com>

Applied and queued up for -stable, thanks Alexey.
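
The two cases in the quoted commit message, as a toy user-space C model added here (not code from the patch or the kernel). The struct, `port_get()`, `newlink_error_path()` and the `guard_on_lower` variant that reads `lowerdev` are assumptions for illustration; the page does not show the actual fix.

```c
#include <stddef.h>

/* Toy stand-in for the kernel object named in the commit message. */
struct net_device { void *rx_handler_data; };

/* Models macvlan_port_get_rtnl(): it only reads dev->rx_handler_data. */
static void *port_get(const struct net_device *dev)
{
    return dev->rx_handler_data;
}

enum outcome { PORT_LEAKED, PORT_FREED_ONCE, PORT_FREED_TWICE };

/*
 * Models the error path after register_netdevice() fails.
 *   is_macvtap     - upper dev registered its own rx handler beforehand
 *   uninit_freed   - ndo_uninit() already destroyed the port
 *   guard_on_lower - 0: guard reads the upper dev (the check described above)
 *                    1: guard reads lowerdev (assumed alternative)
 * Nothing is really freed; destroys are only counted.
 */
static enum outcome newlink_error_path(int is_macvtap, int uninit_freed,
                                       int guard_on_lower)
{
    struct net_device lowerdev = { NULL }, dev = { NULL };
    int port_obj = 0;      /* stands in for the macvlan port */
    int tap_handler = 0;   /* stands in for macvtap's own handler data */
    int frees = 0;

    lowerdev.rx_handler_data = &port_obj;   /* port lives on lowerdev */
    if (is_macvtap)
        dev.rx_handler_data = &tap_handler;

    if (uninit_freed) {    /* ndo_uninit() destroyed the port */
        lowerdev.rx_handler_data = NULL;
        frees++;
    }
    /* Guard meant to skip the destroy when the port is already gone. */
    if (port_get(guard_on_lower ? &lowerdev : &dev))
        frees++;           /* a second destroy here touches freed memory */

    return frees == 0 ? PORT_LEAKED :
           frees == 1 ? PORT_FREED_ONCE : PORT_FREED_TWICE;
}
```

In this model the guard on the upper device never reflects whether the port still exists: its result depends only on the device type.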
