| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Dec 2017 11:36:39 -0800
From: Santosh Shilimkar <santosh.shilimkar@...cle.com>
To: netdev@...r.kernel.org, davem@...emloft.net
Cc: linux-kernel@...r.kernel.org,
Santosh Shilimkar <santosh.shilimkar@...cle.com>
Subject: [PATCH] rds: fix use-after-free read in rds_find_bound
socket buffer can get freed as part of sock_close
callback so before adding reference check underneath
socket validity.
Reported-by: syzbot+93a5839deb355537440f@...kaller.appspotmail.com
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@...cle.com>
---
net/rds/bind.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rds/bind.c b/net/rds/bind.c
index 75d43dc..8dec06e 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -61,7 +61,7 @@ struct rds_sock *rds_find_bound(__be32 addr, __be16 port)
struct rds_sock *rs;
rs = rhashtable_lookup_fast(&bind_hash_table, &key, ht_parms);
- if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
+ if (rs && rds_rs_to_sk(rs) && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
rds_sock_addref(rs);
else
rs = NULL;
--
1.9.1
Powered by blists - more mailing lists