Message-ID: <1414655671.2918.2.camel@jrissane-mobl.ger.corp.intel.com>
Date:	Thu, 30 Oct 2014 09:54:31 +0200
From:	Jukka Rissanen <jukka.rissanen@...ux.intel.com>
To:	Dan Carpenter <dan.carpenter@...cle.com>
Cc:	Marcel Holtmann <marcel@...tmann.org>,
	Gustavo Padovan <gustavo@...ovan.org>,
	Johan Hedberg <johan.hedberg@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [patch] Bluetooth: 6lowpan: use after free in
 disconnect_devices()

Hi Dan,

On ke, 2014-10-29 at 19:10 +0300, Dan Carpenter wrote:
> This was accidentally changed from list_for_each_entry_safe() to
> list_for_each_entry() so now it has a use after free bug.  I've changed
> it back.

Good catch! Thanks for the patch.

Acked-by: Jukka Rissanen <jukka.rissanen@...ux.intel.com>

> 
> Fixes: 90305829635d ('Bluetooth: 6lowpan: Converting rwlocks to use RCU')
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index 7254bdd..eef298d 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -1383,7 +1383,7 @@ static const struct file_operations lowpan_control_fops = {
>  
>  static void disconnect_devices(void)
>  {
> -	struct lowpan_dev *entry, *new_dev;
> +	struct lowpan_dev *entry, *tmp, *new_dev;
>  	struct list_head devices;
>  
>  	INIT_LIST_HEAD(&devices);
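
Review bot: The new `tmp` in the declaration at the top of disconnect_devices() carries no hint of why it is needed, and the commit message says the iterator was already swapped by accident once. A one-line comment here or at the loop, stating that entries are released while the local `devices` list is walked, would make it harder for a later conversion to drop the _safe variant again.
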
> @@ -1408,7 +1408,7 @@ static void disconnect_devices(void)
>  
>  	rcu_read_unlock();
>  
> -	list_for_each_entry(entry, &devices, list) {
> +	list_for_each_entry_safe(entry, tmp, &devices, list) {
>  		ifdown(entry->netdev);
>  		BT_DBG("Unregistering netdev %s %p",
>  		       entry->netdev->name, entry->netdev);
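
Review bot: list_for_each_entry_safe() in this loop only protects the step to the next element; it does not make it safe to touch `entry` itself once it has been released. The visible body uses entry->netdev in ifdown() and BT_DBG(), and the rest of the body is outside this hunk, so please confirm that nothing after the point where the entry is removed and freed dereferences `entry` again. The lookahead in `tmp` is sufficient here only because `devices` is a function-local list (INIT_LIST_HEAD(&devices) above) that no other context can modify after rcu_read_unlock().
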


Cheers,
Jukka
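
The iteration pattern the patch restores, as an added userspace example that is not part of the original message or the kernel source. `struct dev`, `node_to_dev`, `drain` and `build_and_drain` are hypothetical names, and the small list helpers are stand-ins for the kernel's `<linux/list.h>`.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's struct list_head (constructed here). */
struct list_head { struct list_head *next, *prev; };
/* Hypothetical stand-in for struct lowpan_dev. */
struct dev { int id; struct list_head list; };
#define node_to_dev(p) ((struct dev *)((char *)(p) - offsetof(struct dev, list)))

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Free every entry while walking the list. tmp holds the successor before
 * the current entry is freed, as the _safe iterator does; advancing with
 * pos->next after free() would read freed memory. */
static int drain(struct list_head *head)
{
    struct list_head *pos, *tmp;
    int freed = 0;

    for (pos = head->next, tmp = pos->next; pos != head;
         pos = tmp, tmp = pos->next) {
        list_del(pos);
        free(node_to_dev(pos));
        freed++;
    }
    return freed;
}

/* Build n entries and drain them. Returns the number freed, or -1 on
 * allocation failure or if the list is not empty afterwards. */
static int build_and_drain(int n)
{
    struct list_head head = { &head, &head };
    for (int i = 0; i < n; i++) {
        struct dev *d = malloc(sizeof(*d));
        if (!d) { drain(&head); return -1; }
        d->id = i;
        list_add_tail(&d->list, &head);
    }
    int freed = drain(&head);
    return (head.next == &head && head.prev == &head) ? freed : -1;
}
```

Building this with `-fsanitize=address` and changing the loop step to `pos = pos->next` makes the sanitizer report the same class of heap-use-after-free the patch fixes.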

