lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20161102.152711.1206261970590164814.davem@davemloft.net>
Date:   Wed, 02 Nov 2016 15:27:11 -0400 (EDT)
From:   David Miller <davem@...emloft.net>
To:     tom@...bertland.com
Cc:     netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH net-next] ila: Fix crash caused by rhashtable changes

From: Tom Herbert <tom@...bertland.com>
Date: Tue, 1 Nov 2016 14:55:25 -0700

> commit ca26893f05e86 ("rhashtable: Add rhlist interface")
> added a field to rhashtable_iter so that length became 56 bytes
> and would exceed the size of args in netlink_callback (which is
> 48 bytes). The netlink diag dump function already has been
> allocating a iter structure and storing the pointed to that
> in the args of netlink_callback. ila_xlat also uses
> rhahstable_iter but is still putting that directly in
> the arg block. Now since rhashtable_iter size is increased
> we are overwriting beyond the structure. The next field
> happens to be cb_mutex pointer in netlink_sock and hence the crash.
> 
> Fix is to alloc the rhashtable_iter and save it as pointer
> in arg.
> 
> Tested:
> 
>   modprobe ila
>   ./ip ila add loc 3333:0:0:0 loc_match 2222:0:0:1,
>   ./ip ila list  # NO crash now
> 
> Signed-off-by: Tom Herbert <tom@...bertland.com>

Applied.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ