lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CADvbK_euiOKytyFd6KYgNoM5SbDcyz92Li=K7P48H35q1AFxYg@mail.gmail.com>
Date:   Fri, 15 Sep 2023 14:51:56 -0400
From:   Xin Long <lucien.xin@...il.com>
To:     Zhang Changzhong <zhangchangzhong@...wei.com>
Cc:     Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        David Ahern <dsahern@...nel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] xfrm6: fix inet6_dev refcount underflow problem

On Fri, Sep 15, 2023 at 6:54 AM Zhang Changzhong
<zhangchangzhong@...wei.com> wrote:
>
> There are race conditions that may lead to inet6_dev refcount underflow
> in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
>
> One of the refcount underflow bugs is shown below:
>         (cpu 1)                 |       (cpu 2)
> xfrm6_dst_destroy()             |
>   ...                           |
>   in6_dev_put()                 |
>                                 |  rt6_uncached_list_flush_dev()
>   ...                           |    ...
>                                 |    in6_dev_put()
>   rt6_uncached_list_del()       |    ...
>   ...                           |
>
> xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
> so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
> again for the same inet6_dev.
>
> Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
> xfrm6_dst_destroy().
>
> Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
> Signed-off-by: Zhang Changzhong <zhangchangzhong@...wei.com>
> ---
>  net/ipv6/xfrm6_policy.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 41a680c..42fb6996 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
>  {
>         struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
>
> -       if (likely(xdst->u.rt6.rt6i_idev))
> -               in6_dev_put(xdst->u.rt6.rt6i_idev);
>         dst_destroy_metrics_generic(dst);
>         rt6_uncached_list_del(&xdst->u.rt6);
> +       if (likely(xdst->u.rt6.rt6i_idev))
> +               in6_dev_put(xdst->u.rt6.rt6i_idev);
>         xfrm_dst_destroy(xdst);
>  }
>
> --
> 2.9.5
>
Reviewed-by: Xin Long <lucien.xin@...il.com>
Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ