| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 08 Mar 2017 23:10:52 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: dsa@...ulusnetworks.com
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] vrf: Fix use-after-free in vrf_xmit
From: David Ahern <dsa@...ulusnetworks.com>
Date: Mon, 6 Mar 2017 08:53:04 -0800
> KASAN detected a use-after-free:
>
> [ 269.467067] BUG: KASAN: use-after-free in vrf_xmit+0x7f1/0x827 [vrf] at addr ffff8800350a21c0
> [ 269.467067] Read of size 4 by task ssh/1879
> [ 269.467067] CPU: 1 PID: 1879 Comm: ssh Not tainted 4.10.0+ #249
> [ 269.467067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
> [ 269.467067] Call Trace:
> [ 269.467067] dump_stack+0x81/0xb6
> [ 269.467067] kasan_object_err+0x21/0x78
> [ 269.467067] kasan_report+0x2f7/0x450
> [ 269.467067] ? vrf_xmit+0x7f1/0x827 [vrf]
> [ 269.467067] ? ip_output+0xa4/0xdb
> [ 269.467067] __asan_load4+0x6b/0x6d
> [ 269.467067] vrf_xmit+0x7f1/0x827 [vrf]
> ...
>
> Which corresponds to the skb access after xmit handling. Fix by saving
> skb->len and using the saved value to update stats.
>
> Fixes: 193125dbd8eb2 ("net: Introduce VRF device driver")
> Signed-off-by: David Ahern <dsa@...ulusnetworks.com>
Applied and queued up for -stable, thanks David.
Powered by blists - more mailing lists