lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Sun, 04 May 2014 20:32:53 +0300
From:	Denys Fedoryshchenko <nuclearcat@...learcat.com>
To:	Pablo Neira Ayuso <pablo@...filter.org>
Cc:	netdev@...r.kernel.org, kaber@...sh.net, kadlec@...ckhole.kfki.hu
Subject: Re: nft 2.0, NULL pointer dereference in 3.14.1

Hi

Thanks, understood about RFC and Signed-off-by. Next time will do that.
I was not sure i have correct idea what is happening in code, so maybe 
patch was totally incorrect.

On 2014-05-04 14:33, Pablo Neira Ayuso wrote:
> On Sun, May 04, 2014 at 10:25:58AM +0300, Denys Fedoryshchenko wrote:
>> Hi
>> 
>> I bit more debugging and found that problem is happening at:
>> 
>> >sock = netlink_lookup(sock_net(ssk), ssk->sk_protocol, portid);
>> 
>> ssk is NULL
>> 
>> After checking, i noticed in nfnetlink.c
>> nfnetlink_rcv_batch() function
>> 
>> We have
>> nskb->sk = oskb->sk;
>> skb = nskb;
>> 
>> I am matching condition
>> ss = rcu_dereference_protected(table[subsys_id].subsys,
>>        lockdep_is_held(&table[subsys_id].mutex));
>> if (!ss) {
>> 
>> And then
>> nfnl_unlock(subsys_id);
>> kfree_skb(nskb);
>> return netlink_ack(skb, nlh, -EOPNOTSUPP);
>> 
>> If i am not wrong, nskb same pointer as skb, so we are giving
>> netlink_ack freed pointer?
>> Is it "use after free()" ?
> 
> Right, this is an embarrasing use after free when no nf_tables support
> has been selected / modules are not available.
> 
>> If yes, then it seems attached patch fixing my issue. Please let me
>> know, if it is ok and i should submit it.
> 
> I'm going to take this, but please next time use git format-patch and
> include your Signed-off-by tag. If you feel the patch is not complete
> in some aspect or that you may be missing anything, just include the
> RFC tag in the subject.
> 
> Thanks Denys!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists