| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120417102220.GC20905@redhat.com> Date: Tue, 17 Apr 2012 13:22:20 +0300 From: "Michael S. Tsirkin" <mst@...hat.com> To: Jason Wang <jasowang@...hat.com> Cc: netdev@...r.kernel.org, xma@...ibm.com, davem@...emloft.net, linux-kernel@...r.kernel.org, ebiederm@...ssion.com Subject: Re: [PATCH 5/6] vhost_net: fix use after free of vq->ubufs On Tue, Apr 17, 2012 at 11:19:42AM +0800, Jason Wang wrote: > On 04/16/2012 09:28 PM, Michael S. Tsirkin wrote: > >On Mon, Apr 16, 2012 at 02:08:25PM +0800, Jason Wang wrote: > >>When zerocopy socket is used, ubufs pointer were used in handle_tx() > >>without any validation. This would cause NULL pointer deference after > >>it has been freed in vhost_net_set_backend(). Fix this by check the > >>pointer before using it. > >> > >>Signed-off-by: Jason Wang<jasowang@...hat.com> > > > >OK so it's NULL dereference and not user after free :) > >Also could you clarify how does this happen pls? > >Don't we always initialize ubufs when vhost_sock_zcopy is set? > > The problem happens when we want to disable backend. At this time > ubufs were assigned to NULL and it may be dereferenced by > handle_tx(): Heh, I see. How about - zcopy = vhost_sock_zcopy(sock); + zcopy = vq->ubufs; -- MST -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists