| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Aug 2016 23:24:47 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: eric.dumazet@...il.com
Cc: netdev@...r.kernel.org, marco.gra@...il.com, ycheng@...gle.com,
ncardwell@...gle.com, gregkh@...uxfoundation.org,
ilpo.jarvinen@...sinki.fi
Subject: Re: [PATCH net] tcp: fix use after free in
tcp_xmit_retransmit_queue()
From: Eric Dumazet <eric.dumazet@...il.com>
Date: Wed, 17 Aug 2016 05:56:26 -0700
> From: Eric Dumazet <edumazet@...gle.com>
>
> When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
> tail of the write queue using tcp_add_write_queue_tail()
>
> Then it attempts to copy user data into this fresh skb.
>
> If the copy fails, we undo the work and remove the fresh skb.
>
> Unfortunately, this undo lacks the change done to tp->highest_sack and
> we can leave a dangling pointer (to a freed skb)
>
> Later, tcp_xmit_retransmit_queue() can dereference this pointer and
> access freed memory. For regular kernels where memory is not unmapped,
> this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
> returning garbage instead of tp->snd_nxt, but with various debug
> features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
>
> This bug was found by Marco Grassi thanks to syzkaller.
>
> Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
> Reported-by: Marco Grassi <marco.gra@...il.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Applied and queued up for -stable.
Powered by blists - more mailing lists