lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 1 Jun 2023 17:10:50 +0200
From:   Eric Dumazet <edumazet@...gle.com>
To:     Lee Jones <lee@...nel.org>
Cc:     Jamal Hadi Salim <jhs@...atatu.com>, xiyou.wangcong@...il.com,
        jiri@...nulli.us, davem@...emloft.net, kuba@...nel.org,
        pabeni@...hat.com, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, stable@...nel.org
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak
 leading to overflow

On Thu, Jun 1, 2023 at 4:06 PM Lee Jones <lee@...nel.org> wrote:
>
> On Wed, 31 May 2023, Jamal Hadi Salim wrote:
>
> > On Wed, May 31, 2023 at 11:03 AM Eric Dumazet <edumazet@...gle.com> wrote:
> > >
> > > On Wed, May 31, 2023 at 4:16 PM Lee Jones <lee@...nel.org> wrote:
> > > >
> > > > In the event of a failure in tcf_change_indev(), u32_set_parms() will
> > > > immediately return without decrementing the recently incremented
> > > > reference counter.  If this happens enough times, the counter will
> > > > rollover and the reference freed, leading to a double free which can be
> > > > used to do 'bad things'.
> > > >
> > > > Cc: stable@...nel.org # v4.14+
> > >
> > > Please add a Fixes: tag.
>
> Why?

How have you identified v4.14+ ?

Probably you did some research/"git archeology".

By adding the Fixes: tag, you allow us to double check immediately,
and see if other bugs need to be fixed at the same time.

You can also CC blamed patch authors, to get some feedback.

Otherwise, we (people reviewing this patch) have to also do this
research from scratch.

In this case, it seems bug was added in

commit 705c7091262d02b09eb686c24491de61bf42fdb2
Author: Jiri Pirko <jiri@...nulli.us>
Date:   Fri Aug 4 14:29:14 2017 +0200

    net: sched: cls_u32: no need to call tcf_exts_change for newly
allocated struct


A nice Fixes: tag would then be

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call
tcf_exts_change for newly allocated struct")

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ