| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 May 2024 17:04:05 +0800 (GMT+08:00) From: duoming@....edu.cn To: "Dan Carpenter" <dan.carpenter@...aro.org> Cc: "Lars Kellogg-Stedman" <lars@...bit.com>, linux-hams@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, pabeni@...hat.com, kuba@...nel.org, edumazet@...gle.com, davem@...emloft.net, jreuter@...na.de Subject: Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev On Tue, 7 May 2024 11:08:14 +0300 Dan Carpenter wrote: > I have reviewed this code some more. My theory is: > > ax25_dev_device_up() <- sets refcount to 1 > ax25_dev_device_down() <- set refcount to 0 and frees it > > If the refcount is not 1 at ax25_dev_device_down() then something is > screwed up. So why do we even need more refcounting than that? But > apparently we do. I don't really understand networking that well so > maybe we can have lingering connections after the device is down. We do need more reference count. Because there is a race condition between ax25_bind() and the cleanup routine. The cleanup routine is consisted of three parts: ax25_kill_by_device(), ax25_rt_device_down() and ax25_dev_device_down(). The ax25_kill_by_device() is used to cleanup the connections and the ax25_dev_device_down() is used to cleanup the device. If we call ax25_bind() and ax25_connect() between the window of ax25_kill_by_device() and ax25_dev_device_down(), the ax25_dev is freed in ax25_dev_device_down(). When we call ax25_release() to release the connections, the UAF bugs will happen. Best regards, Duoming Zhou
Powered by blists - more mailing lists