| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20151218220204.6faf8e93@lxorguk.ukuu.org.uk> Date: Fri, 18 Dec 2015 22:02:04 +0000 From: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk> To: David Miller <davem@...emloft.net> Cc: dvyukov@...gle.com, ajk@...nets.uni-bremen.de, linux-hams@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org, jslaby@...e.com, syzkaller@...glegroups.com, kcc@...gle.com, glider@...gle.com, sasha.levin@...cle.com, edumazet@...gle.com Subject: Re: use-after-free in sixpack_close > > Also you are at the point the tty is closing so the net device may be > > active. Don't you need to netif_stop_queue() or defer the buffer > > kfrees until after the network device is unregistered so you don't pee > > into free memory if you have a transmit occurring ? > > I'm pretty sure that's what the semaphore down above this sequence is > accomplishing. But if we do need the netif_stop_queue() let's do that > as a separate patch. Follow the code path for sp_xmit(). If sp_xmit is called it digs out sp from the ndetdev, locks sp->lock and stops the queue then calls sp_encaps which touches sp->xbuff. So if one thread of execution hits sp_xmit and another closes the ldisc at just the wrong moment then we have no protection. Alan -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists