| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210312101258.GA4951@katalix.com>
Date: Fri, 12 Mar 2021 10:12:58 +0000
From: Tom Parkin <tparkin@...alix.com>
To: lyl2019@...l.ustc.edu.cn
Cc: paulus@...ba.org, davem@...emloft.net, linux-ppp@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [BUG] net/ppp: A use after free in ppp_unregister_channe
Thanks for the report!
On Thu, Mar 11, 2021 at 20:34:44 +0800, lyl2019@...l.ustc.edu.cn wrote:
> File: drivers/net/ppp/ppp_generic.c
>
> In ppp_unregister_channel, pch could be freed in ppp_unbridge_channels()
> but after that pch is still in use. Inside the function ppp_unbridge_channels,
> if "pchbb == pch" is true and then pch will be freed.
Do you have a way to reproduce a use-after-free scenario?
From static analysis I'm not sure how pch would be freed in
ppp_unbridge_channels when called via. ppp_unregister_channel.
In theory (at least!) the caller of ppp_register_net_channel holds
a reference on struct channel which ppp_unregister_channel drops.
Each channel in a bridged pair holds a reference on the other.
Hence on return from ppp_unbridge_channels, the channel should not have
been freed (in this code path) because the ppp_register_net_channel
reference has not yet been dropped.
Maybe there is an issue with the reference counting or a race of some
sort?
> I checked the commit history and found that this problem is introduced from
> 4cf476ced45d7 ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls").
>
> I have no idea about how to generate a suitable patch, sorry.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists