| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3bffa44a-b98c-85d9-9d5f-1b52943a7f2f@ispras.ru>
Date: Mon, 29 May 2023 17:13:05 +0300
From: Vlad Efanov <vefanov@...ras.ru>
To: Paolo Abeni <pabeni@...hat.com>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect
Thank you for detail information.
The patch is reworked and being tested now.
Vlad.
On 26.05.2023 21:13, Paolo Abeni wrote:
> On Fri, 2023-05-26 at 18:58 +0300, Ефанов Владислав Александрович
> wrote:
>> I don't think that we can just move sk_dst_set() call.
>>
>> I think we can destroy dst of sendmsg task in this case.
> AFAICS ip6_sk_dst_lookup_flow tries to acquire a reference to the
> cached dst. If the connect() clears the cache, decreasing the refcnt,
> the counter of the dst in use by sendmsg() must still be non zero.
>
> IMHO the problem you see is that sk_setup_caps() keeps using the dst
> after transferring the ownership to the dst cache, which is illegal.
> The suggested patch addressed that.
>
> If I'm wrong your syzkaller repro will keep splatting. Please have just
> have a spin, thanks.
>
> Paolo
>
Powered by blists - more mailing lists