lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 03 Sep 2013 13:35:17 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Jean Sacren <sakiwit@...il.com>
Cc:	Daniel Borkmann <dborkman@...hat.com>, davem@...emloft.net,
	netdev@...r.kernel.org, yoshfuji@...ux-ipv6.org,
	Jiri Benc <jbenc@...hat.com>
Subject: Re: [PATCH net] net: ipv6: tcp: fix potential use after free in
 tcp_v6_do_rcv

On Tue, 2013-09-03 at 13:46 -0600, Jean Sacren wrote:
> From: Eric Dumazet <eric.dumazet@...il.com>
> Date: Tue, 03 Sep 2013 10:48:33 -0700
> >
> > On Tue, 2013-09-03 at 19:29 +0200, Daniel Borkmann wrote:
> > > In tcp_v6_do_rcv() code, when processing pkt options, we soley work
> > > on our skb clone opt_skb that we've created earlier before entering
> > > tcp_rcv_established() on our way. However, only in condition ...
> > > 
> > >   if (np->rxopt.bits.rxtclass)
> > >     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > > 
> > > ... we work on skb itself. As we extract every other information out
> > > of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> > > already be released by tcp_rcv_established() earlier on. When we try
> > > to access it in ipv6_hdr(), we will dereference freed skb.
> > > 
> > > Signed-off-by: Daniel Borkmann <dborkman@...hat.com>
> > > Cc: Eric Dumazet <eric.dumazet@...il.com>
> > > ---
> > >  net/ipv6/tcp_ipv6.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > > index 6e1649d..eeb4cb0 100644
> > > --- a/net/ipv6/tcp_ipv6.c
> > > +++ b/net/ipv6/tcp_ipv6.c
> > > @@ -1427,7 +1427,7 @@ ipv6_pktoptions:
> > >  		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
> > >  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
> > >  		if (np->rxopt.bits.rxtclass)
> > > -			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > > +			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
> > >  		if (ipv6_opt_accepted(sk, opt_skb)) {
> > >  			skb_set_owner_r(opt_skb, sk);
> > >  			opt_skb = xchg(&np->pktoptions, opt_skb);
> > 
> > Bug added in commit 4c507d2897bd9b
> > ("net: implement IP_RECVTOS for IP_PKTOPTIONS")
> > 
> > CC Jiri
> > 
> > Acked-by: Eric Dumazet <edumazet@...gle.com>
> 
> You made a mistake.

Really ?

> 
> It was introduced in commit e7219858a ("ipv6: Use ipv6_get_dsfield()
> instead of ipv6_tclass()").
> 
> Cc the right party.
> 


Nope, I did no mistake.

The bug was really added in commit 4c507d2897bd9b as I said.

Then commit e7219858a just did no change : skb was used before and after
the patch

-                       np->rcv_tclass = ipv6_tclass(ipv6_hdr(skb));
+                       np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

How did you get your conclusion ?



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ