lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 8 May 2014 20:48:52 +0800
From:	Wang Weidong <wangweidong1@...wei.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	David Miller <davem@...emloft.net>, <kuznet@....inr.ac.ru>,
	<jmorris@...ei.org>, <yoshfuji@...ux-ipv6.org>, <kaber@...sh.net>,
	<netdev@...r.kernel.org>
Subject: Re: [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net

On 2014/5/8 20:34, Eric Dumazet wrote:
> On Thu, 2014-05-08 at 15:40 +0800, Wang Weidong wrote:
>> In ipv4_sysctl_init_net, we don't kmemdup a sysctl_table for init_net,
>> so init_net->ipv4.ipv4_hdr->ctl_table_arg points to ipv4_net_table which
>> is a static array pointer. So when do ipv4_sysctl_exit_net, it will
>> free the ipv4_net_table for init_net.
>>
>> So add a check net_namespace init_net before kfree the sysctl_table.
>>
>> Signed-off-by: Wang Weidong <wangweidong1@...wei.com>
>> ---
>>  net/ipv4/sysctl_net_ipv4.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
>> index 44eba05..2825577 100644
>> --- a/net/ipv4/sysctl_net_ipv4.c
>> +++ b/net/ipv4/sysctl_net_ipv4.c
>> @@ -891,7 +891,8 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
>>  
>>  	table = net->ipv4.ipv4_hdr->ctl_table_arg;
>>  	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
>> -	kfree(table);
>> +	if (!net_eq(net, &init_net))
>> +		kfree(table);
>>  }
>>  
>>  static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
> 
> Could you explain how you can trigger this case, calling
> ipv4_sysctl_exit_net() with net == &init_net ?
> 
> This would be a bug, your patch would try to hide it maybe ?
> 
No.
I just trigger the similar case on sctp when I do 'rmmod -f sctp'.
Here I add the init_net case for sctp register sysctl.

Is it better to add BUG_ON(net == &init_net) maybe?

Regards
Wang

> 
> 
> 


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ