lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 18 Apr 2018 08:55:44 -0700
From:   Stephen Hemminger <stephen@...workplumber.org>
To:     Ursula Braun <ubraun@...ux.ibm.com>
Cc:     Ursula Braun <ubraun@...ux.vnet.ibm.com>, netdev@...r.kernel.org
Subject: Re: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF
 causing null pointer vulnerability.

On Wed, 18 Apr 2018 13:46:20 +0200
Ursula Braun <ubraun@...ux.ibm.com> wrote:

> On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> > This may already be fixed.
> > 
> > Begin forwarded message:
> > 
> > Date: Wed, 18 Apr 2018 01:52:59 +0000
> > From: bugzilla-daemon@...zilla.kernel.org
> > To: stephen@...workplumber.org
> > Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
> > 
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=199429
> > 
> >             Bug ID: 199429
> >            Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
> >                     pointer vulnerability.
> >            Product: Networking
> >            Version: 2.5
> >     Kernel Version: 4.16.0-rc7
> >           Hardware: All
> >                 OS: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: Other
> >           Assignee: stephen@...workplumber.org
> >           Reporter: 1773876454@...com
> >         Regression: No
> > 
> > Created attachment 275431  
> >   --> https://bugzilla.kernel.org/attachment.cgi?id=275431&action=edit    
> > POC
> > 
> > Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
> > 
> > NET: Registered protocol family 43  
> 
> Thanks for reporting. This fix is needed here:
> 
>  net/smc/af_smc.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s
>  	    (sk->sk_state != SMC_APPCLOSEWAIT2) &&
>  	    (sk->sk_state != SMC_APPFINCLOSEWAIT))
>  		goto out;
> -	if (smc->use_fallback) {
> +	if (smc->use_fallback || sk->sk_state == SMC_LISTEN) {
>  		rc = kernel_sock_shutdown(smc->clcsock, how);
>  		sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
>  		if (sk->sk_shutdown == SHUTDOWN_MASK)
> 
> Kind regards, Ursula
> 

Please submit patch to linux net with proper signed-off-by and Fixes tags.
The maintainer (davem) will take care of getting this into upstream and stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ