lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1450115142.3944.10.camel@decadent.org.uk>
Date:	Mon, 14 Dec 2015 17:45:42 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org
Cc:	stable@...r.kernel.org,
	Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
	David Ahern <dsa@...ulusnetworks.com>,
	"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH 4.3 34/71] vrf: fix double free and memory corruption on
 register_netdevice failure

On Sat, 2015-12-12 at 12:05 -0800, Greg Kroah-Hartman wrote:
> 4.3-stable review patch.  If anyone has any objections, please let me
> know.
> 
> ------------------
> 
> From: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
> 
> [ Upstream commit 7f109f7cc37108cba7243bc832988525b0d85909 ]
[...]
> --- a/drivers/net/vrf.c
> +++ b/drivers/net/vrf.c
> @@ -581,7 +581,6 @@ static int vrf_newlink(struct net *src_n
>  {
>  	struct net_vrf *vrf = netdev_priv(dev);
>  	struct net_vrf_dev *vrf_ptr;
> -	int err;
>  
>  	if (!data || !data[IFLA_VRF_TABLE])
>  		return -EINVAL;
> @@ -590,26 +589,16 @@ static int vrf_newlink(struct net *src_n
>  
>  	dev->priv_flags |= IFF_VRF_MASTER;
>  
> -	err = -ENOMEM;
>  	vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
>  	if (!vrf_ptr)
> -		goto out_fail;
> +		return -ENOMEM;
>  
>  	vrf_ptr->ifindex = dev->ifindex;
>  	vrf_ptr->tb_id = vrf->tb_id;
>  
> -	err = register_netdevice(dev);
> -	if (err < 0)
> -		goto out_fail;
> -
>  	rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
>  
> -	return 0;
> -
> -out_fail:
> -	kfree(vrf_ptr);
> -	free_netdev(dev);
> -	return err;
> +	return register_netdev(dev);
>  }
>  
>  static size_t vrf_nl_getsize(const struct net_device *dev)

This leaks *dev->vrf_ptr if register_netdevice() fails.  (This bug does
not exist in the mainline version, as net_device::vrf_ptr no longer
exists there.)

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ