| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Nov 2022 16:55:15 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Wang Hai <wanghai38@...wei.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, cong.wang@...edance.com, f.fainelli@...il.com,
tom@...bertland.com, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH net] kcm: Fix kernel NULL pointer dereference in
requeue_rx_msgs
On Sat, Nov 12, 2022 at 08:04:23PM +0800, Wang Hai wrote:
> In kcm_rcv_strparser(), the skb is queued to the kcm that is currently
> being reserved, and if the queue is full, unreserve_rx_kcm() will be
> called. At this point, if KCM_RECV_DISABLE is set, then unreserve_rx_kcm()
> will requeue received messages for the current kcm socket to other kcm
> sockets. The kcm sock lock is not held during this time, and as long as
> someone calls kcm_recvmsg, it will concurrently unlink the same skb, which
> ill result in a null pointer reference.
>
> cpu0 cpu1 cpu2
> kcm_rcv_strparser
> reserve_rx_kcm
> kcm_setsockopt
> kcm_recv_disable
> kcm->rx_disabled = 1;
> kcm_queue_rcv_skb
> unreserve_rx_kcm
> requeue_rx_msgs kcm_recvmsg
> __skb_dequeue
> __skb_unlink(skb) skb_unlink(skb)
> //double unlink skb
>
We will hold skb queue lock after my patch, so this will not happen after
applying my patch below?
https://lore.kernel.org/netdev/20221114005119.597905-1-xiyou.wangcong@gmail.com/
Thanks.
Powered by blists - more mailing lists