| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20110321.182232.200375244.davem@davemloft.net> Date: Mon, 21 Mar 2011 18:22:32 -0700 (PDT) From: David Miller <davem@...emloft.net> To: ebiederm@...ssion.com Cc: netdev@...r.kernel.org, kaber@...sh.net, greearb@...delatech.com, eric.dumazet@...il.com Subject: Re: [PATCH] macvlan: Fix use after free of struct macvlan_port. From: ebiederm@...ssion.com (Eric W. Biederman) Date: Mon, 21 Mar 2011 14:15:31 -0700 > > When the macvlan driver was extended to call unregisgter_netdevice_queue > in 23289a37e2b127dfc4de1313fba15bb4c9f0cd5b, a use after free of struct > macvlan_port was introduced. The code in dellink relied on unregister_netdevice > actually unregistering the net device so it would be safe to free macvlan_port. > > Since unregister_netdevice_queue can just queue up the unregister instead of > performing the unregiser immediately we free the macvlan_port too soon and > then the code in macvlan_stop removes the macaddress for the set of macaddress > to listen for and uses memory that has already been freed. > > To fix this add a reference count to track when it is safe to free the macvlan_port > and move the call of macvlan_port_destroy into macvlan_uninit which is guaranteed > to be called after the final macvlan_port_close. > > Signed-off-by: Eric W. Biederman <ebiederm@...stanetworks.com> Applied, thanks Eric. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists