| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20160111.171345.1807630667848434364.davem@davemloft.net> Date: Mon, 11 Jan 2016 17:13:45 -0500 (EST) From: David Miller <davem@...emloft.net> To: marcelo.leitner@...il.com Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org, dvyukov@...gle.com, vyasevich@...il.com, eric.dumazet@...il.com, syzkaller@...glegroups.com, kcc@...gle.com, glider@...gle.com, sasha.levin@...cle.com Subject: Re: [PATCH] sctp: fix use-after-free in pr_debug statement From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> Date: Fri, 8 Jan 2016 11:00:54 -0200 > Dmitry Vyukov reported a use-after-free in the code expanded by the > macro debug_post_sfx, which is caused by the use of the asoc pointer > after it was freed within sctp_side_effect() scope. > > This patch fixes it by allowing sctp_side_effect to clear that asoc > pointer when the TCB is freed. > > As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case > because it will trigger DELETE_TCB too on that same loop. > > Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED > but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme > above. Fix it by returning SCTP_DISPOSITION_ABORT instead. > > The macro is already prepared to handle such NULL pointer. > > Reported-by: Dmitry Vyukov <dvyukov@...gle.com> > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> Applied, thank you.
Powered by blists - more mailing lists