Message-ID: <6ad79bb59b3535c9666ed5873dee4975f0745676.camel@oracle.com>
Date: Tue, 18 Feb 2025 13:04:05 +0000
From: Siddh Raman Pant <siddh.raman.pant@...cle.com>
To: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer().
The commit message has:
> tipc: Fix use-after-free of kernel socket in cleanup_bearer().
>
> syzkaller reported a use-after-free of UDP kernel socket
> in cleanup_bearer() without repro. [0][1]
>
> When bearer_disable() calls tipc_udp_disable(), cleanup
> of the UDP kernel socket is deferred by work calling
> cleanup_bearer().
>
> tipc_net_stop() waits for such works to finish by checking
> tipc_net(net)->wq_count. However, the work decrements the
> count too early before releasing the kernel socket,
> unblocking cleanup_net() and resulting in use-after-free.
This is incorrect; the function which waits is tipc_exit_net, which has
the spinning while loop.
That function is an exit function, so this can't be triggered without
privileges.
Could it be grounds for rejection? Probably not but I thought I should
ask.
> Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
The fixes tag is incorrect. It should be the commit which adds the
counter, which is:
04c26faa51d1 ("tipc: wait and exit until all work queues are done")
Maybe this needs to be corrected in the JSONs (as the commits are set
in stone).
Thanks,
Siddh
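The ordering bug the quoted commit message describes (the work item decrementing wq_count before it has finished with the kernel socket, so the spinning waiter in tipc_exit_net can return and let cleanup_net() tear down the netns while sock_release() is still to run) is easy to lose in the kernel source. The block below is an added, constructed single-threaded model of that interleaving, not code from the TIPC subsystem or from anyone on this thread. Every name in it (struct model, waiter_runs, sock_release_model, cleanup_bearer_buggy, cleanup_bearer_fixed, run) is an assumption invented for the illustration; the only facts it takes from the page are that the waiter proceeds once wq_count reaches zero and that releasing the kernel socket touches the netns, which, per the Fixes tag the message discusses, is not reference-counted for kernel sockets.

```c
/* Constructed model of the CVE-2024-56642 ordering bug. Not kernel code:
 * every type and function here is invented for illustration. */
#include <stdbool.h>
#include <stdio.h>

struct net {
    int  wq_count;   /* tipc_net(net)->wq_count in the real code */
    bool freed;      /* set once cleanup_net() has torn the netns down */
};

struct sock {
    struct net *net; /* kernel socket: no netns refcount held */
    bool released;
};

struct model {
    struct net  net;
    struct sock sk;
    bool        uaf; /* netns touched after it was freed */
};

struct result { bool uaf; bool released; };

/* Scheduling point: the waiter (tipc_exit_net spinning on wq_count) gets to
 * run here. It only makes progress once the count has reached zero; when it
 * does, cleanup_net() frees the netns. */
static void waiter_runs(struct model *m)
{
    if (m->net.wq_count != 0)
        return;                 /* still stuck in the while loop */
    m->net.freed = true;        /* netns is gone from here on */
}

/* Releasing the kernel socket reads through sk->net. If the netns was freed
 * already, that read is the use-after-free. */
static void sock_release_model(struct model *m)
{
    if (m->sk.net->freed)
        m->uaf = true;
    m->sk.released = true;
}

/* Ordering described as buggy in the commit message: the count is dropped
 * before the socket is released, so the waiter may wake up in between. */
static void cleanup_bearer_buggy(struct model *m)
{
    m->net.wq_count--;          /* too early */
    waiter_runs(m);             /* waiter sees 0, frees the netns */
    sock_release_model(m);      /* touches freed netns */
}

/* Ordering the commit message implies for the fix: finish with the socket
 * first, and only then let the waiter proceed. */
static void cleanup_bearer_fixed(struct model *m)
{
    sock_release_model(m);
    waiter_runs(m);             /* count still 1: waiter stays blocked */
    m->net.wq_count--;          /* last touch of the socket is behind us */
    waiter_runs(m);             /* netns freed, nothing left to dereference */
}

/* Run one work item against a fresh model with one outstanding work. */
static struct result run(void (*work)(struct model *))
{
    struct model m = { .net = { .wq_count = 1, .freed = false },
                       .sk = { .net = NULL, .released = false },
                       .uaf = false };
    m.sk.net = &m.net;
    work(&m);
    waiter_runs(&m);            /* the waiter eventually runs either way */
    return (struct result){ .uaf = m.uaf, .released = m.sk.released };
}

int main(void)
{
    struct result b = run(cleanup_bearer_buggy);
    struct result f = run(cleanup_bearer_fixed);
    printf("buggy order: released=%d uaf=%d\n", b.released, b.uaf);
    printf("fixed order: released=%d uaf=%d\n", f.released, f.uaf);
    return 0;
}
```

The model deliberately runs the waiter only at the point between the two operations, because that is the interleaving the commit message singles out; the general invariant it illustrates is that a completion counter another context spins on must be decremented after the last access to whatever that other context will free.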