lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20130903194620.GE8262@mail.gmail.com>
Date:	Tue, 3 Sep 2013 13:46:20 -0600
From:	Jean Sacren <sakiwit@...il.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Daniel Borkmann <dborkman@...hat.com>, davem@...emloft.net,
	netdev@...r.kernel.org, yoshfuji@...ux-ipv6.org
Subject: Re: [PATCH net] net: ipv6: tcp: fix potential use after free in
 tcp_v6_do_rcv

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Tue, 03 Sep 2013 10:48:33 -0700
>
> On Tue, 2013-09-03 at 19:29 +0200, Daniel Borkmann wrote:
> > In tcp_v6_do_rcv() code, when processing pkt options, we soley work
> > on our skb clone opt_skb that we've created earlier before entering
> > tcp_rcv_established() on our way. However, only in condition ...
> > 
> >   if (np->rxopt.bits.rxtclass)
> >     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > 
> > ... we work on skb itself. As we extract every other information out
> > of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> > already be released by tcp_rcv_established() earlier on. When we try
> > to access it in ipv6_hdr(), we will dereference freed skb.
> > 
> > Signed-off-by: Daniel Borkmann <dborkman@...hat.com>
> > Cc: Eric Dumazet <eric.dumazet@...il.com>
> > ---
> >  net/ipv6/tcp_ipv6.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 6e1649d..eeb4cb0 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -1427,7 +1427,7 @@ ipv6_pktoptions:
> >  		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
> >  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
> >  		if (np->rxopt.bits.rxtclass)
> > -			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > +			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
> >  		if (ipv6_opt_accepted(sk, opt_skb)) {
> >  			skb_set_owner_r(opt_skb, sk);
> >  			opt_skb = xchg(&np->pktoptions, opt_skb);
> 
> Bug added in commit 4c507d2897bd9b
> ("net: implement IP_RECVTOS for IP_PKTOPTIONS")
> 
> CC Jiri
> 
> Acked-by: Eric Dumazet <edumazet@...gle.com>

You made a mistake.

It was introduced in commit e7219858a ("ipv6: Use ipv6_get_dsfield()
instead of ipv6_tclass()").

Cc the right party.

-- 
Jean Sacren
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ