| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Dec 2015 17:45:42 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org
Cc: stable@...r.kernel.org,
Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
David Ahern <dsa@...ulusnetworks.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH 4.3 34/71] vrf: fix double free and memory corruption on
register_netdevice failure
On Sat, 2015-12-12 at 12:05 -0800, Greg Kroah-Hartman wrote:
> 4.3-stable review patch. If anyone has any objections, please let me
> know.
>
> ------------------
>
> From: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
>
> [ Upstream commit 7f109f7cc37108cba7243bc832988525b0d85909 ]
[...]
> --- a/drivers/net/vrf.c
> +++ b/drivers/net/vrf.c
> @@ -581,7 +581,6 @@ static int vrf_newlink(struct net *src_n
> {
> struct net_vrf *vrf = netdev_priv(dev);
> struct net_vrf_dev *vrf_ptr;
> - int err;
>
> if (!data || !data[IFLA_VRF_TABLE])
> return -EINVAL;
> @@ -590,26 +589,16 @@ static int vrf_newlink(struct net *src_n
>
> dev->priv_flags |= IFF_VRF_MASTER;
>
> - err = -ENOMEM;
> vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
> if (!vrf_ptr)
> - goto out_fail;
> + return -ENOMEM;
>
> vrf_ptr->ifindex = dev->ifindex;
> vrf_ptr->tb_id = vrf->tb_id;
>
> - err = register_netdevice(dev);
> - if (err < 0)
> - goto out_fail;
> -
> rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
>
> - return 0;
> -
> -out_fail:
> - kfree(vrf_ptr);
> - free_netdev(dev);
> - return err;
> + return register_netdev(dev);
> }
>
> static size_t vrf_nl_getsize(const struct net_device *dev)
This leaks *dev->vrf_ptr if register_netdevice() fails. (This bug does
not exist in the mainline version, as net_device::vrf_ptr no longer
exists there.)
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)
Powered by blists - more mailing lists