lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5204F55B.2040704@gmail.com>
Date:	Fri, 09 Aug 2013 09:57:47 -0400
From:	Vlad Yasevich <vyasevich@...il.com>
To:	Daniel Borkmann <dborkman@...hat.com>
CC:	davem@...emloft.net, netdev@...r.kernel.org,
	linux-sctp@...r.kernel.org
Subject: Re: [PATCH net v2] net: sctp: sctp_transport_destroy{,_rcu}: fix
 potential pointer corruption

On 08/09/2013 09:27 AM, Daniel Borkmann wrote:
> Probably this one is quite unlikely to be triggered, but it's more safe
> to hold a pointer to asoc (instead of dereferencing), free the packet
> chunks first, and access asoc though the pointer after we have called
> sctp_transport_destroy_rcu() where the transport is being kfree()'d.
> Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
> for deferred call_rcu's"). I also did the 8c98653f regression test and
> it's fine that way.
>
> Signed-off-by: Daniel Borkmann <dborkman@...hat.com>
> ---
>   v1->v2: do sctp_packet_free before call_rcu
>
>   net/sctp/transport.c | 10 ++++++----
>   1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/net/sctp/transport.c b/net/sctp/transport.c
> index bdbbc3f..c691455 100644
> --- a/net/sctp/transport.c
> +++ b/net/sctp/transport.c
> @@ -176,17 +176,19 @@ static void sctp_transport_destroy_rcu(struct rcu_head *head)
>    */
>   static void sctp_transport_destroy(struct sctp_transport *transport)
>   {
> +	struct sctp_association *asoc = transport->asoc;
> +
>   	if (unlikely(!transport->dead)) {
>   		WARN(1, "Attempt to destroy undead transport %p!\n", transport);
>   		return;
>   	}
>
> -	call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
> -
>   	sctp_packet_free(&transport->packet);
>
> -	if (transport->asoc)
> -		sctp_association_put(transport->asoc);
> +	call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
> +
> +	if (asoc != NULL)
> +		sctp_association_put(asoc);

I think it is safe to move call_rcu to be the last call in this 
function. This should never be a last ref on the association.  If
by some chance it is, we'll get the same warning.

And if you move call_rcu(), this becomes an ever smaller patch :)
-vlad
>   }
>
>   /* Start T3_rtx timer if it is not already running and update the heartbeat
>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ