| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Jul 2020 16:51:06 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: dhowells@...hat.com
Cc: netdev@...r.kernel.org,
syzbot+b54969381df354936d96@...kaller.appspotmail.com,
marc.dionne@...istor.com, linux-afs@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] rxrpc: Fix race between recvmsg and sendmsg on
immediate call failure
From: David Howells <dhowells@...hat.com>
Date: Wed, 29 Jul 2020 00:03:56 +0100
> There's a race between rxrpc_sendmsg setting up a call, but then failing to
> send anything on it due to an error, and recvmsg() seeing the call
> completion occur and trying to return the state to the user.
>
> An assertion fails in rxrpc_recvmsg() because the call has already been
> released from the socket and is about to be released again as recvmsg deals
> with it. (The recvmsg_q queue on the socket holds a ref, so there's no
> problem with use-after-free.)
>
> We also have to be careful not to end up reporting an error twice, in such
> a way that both returns indicate to userspace that the user ID supplied
> with the call is no longer in use - which could cause the client to
> malfunction if it recycles the user ID fast enough.
>
> Fix this by the following means:
...
> An oops like the following is produced:
...
> Fixes: 357f5ef64628 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()")
> Reported-by: syzbot+b54969381df354936d96@...kaller.appspotmail.com
> Signed-off-by: David Howells <dhowells@...hat.com>
> Reviewed-by: Marc Dionne <marc.dionne@...istor.com>
Applied and queued up for -stable, thanks David.
Powered by blists - more mailing lists