| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190325224959.GQ2217@ZenIV.linux.org.uk>
Date: Mon, 25 Mar 2019 22:49:59 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
syzbot <syzbot+7a8ba368b47fdefca61e@...kaller.appspotmail.com>,
Alexei Starovoitov <ast@...nel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: use-after-free Read in path_lookupat
On Mon, Mar 25, 2019 at 11:04:53PM +0100, Daniel Borkmann wrote:
> +static void bpf_destroy_inode_deferred(struct rcu_head *head)
> +{
> + struct inode *inode = container_of(head, struct inode, i_rcu);
> + enum bpf_type type;
> +
> + if (S_ISLNK(inode->i_mode))
> + kfree(inode->i_link);
> + if (!bpf_inode_type(inode, &type))
> + bpf_any_put(inode->i_private, type);
> + free_inode_nonrcu(inode);
> +}
Umm... Can bpf_any_put() can be called in that context? It's going
to run in softirq; if that's OK (I'm not familiar enough with BPF guts
to tell), sure, that's probably the best approach.
Note, BTW, that it's obviously -stable fodder, so any splitting
of ->destroy_inode() would live on top of that fix.
Powered by blists - more mailing lists