lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Oct 2021 12:09:16 +0800 From: "Ziyang Xuan (William)" <william.xuanziyang@...wei.com> To: Jason Gunthorpe <jgg@...dia.com>, Jakub Kicinski <kuba@...nel.org> CC: <davem@...emloft.net>, <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <linux-rdma@...r.kernel.org> Subject: Re: [PATCH net] net: vlan: fix a UAF in vlan_dev_real_dev() > On Fri, Oct 29, 2021 at 06:46:10AM -0700, Jakub Kicinski wrote: >> On Fri, 29 Oct 2021 09:13:24 -0300 Jason Gunthorpe wrote: >>> Jakub's path would be to test vlan_dev->reg_state != NETREG_REGISTERED >>> in the work queue, but that feels pretty hacky to me as the main point >>> of the UNREGISTERING state is to keep the object alive enough that >>> those with outstanding gets can compelte their work and release the >>> get. Leaving a wrecked object in UNREGISTERING is a bad design. >> >> That or we should investigate if we could hold the ref for real_dev all >> the way until vlan_dev_free(). > Synchronize test results with the following modification: @@ -123,9 +123,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) } vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); - - /* Get rid of the vlan's reference to real_dev */ - dev_put(real_dev); } @@ -843,6 +843,9 @@ static void vlan_dev_free(struct net_device *dev) free_percpu(vlan->vlan_pcpu_stats); vlan->vlan_pcpu_stats = NULL; + + /* Get rid of the vlan's reference to real_dev */ + dev_put(vlan->real_dev); } It works on the UAF problem. And I have taken kmemleak tests for vlan_dev and real_dev, no kmemleak problem and new UAF problem. So take this modification for this problem? > The latter is certainly better if it works out, no circular deps, etc. > > Thanks, > Jason > . >
Powered by blists - more mailing lists