| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20171020.125438.333321434362467027.davem@davemloft.net>
Date: Fri, 20 Oct 2017 12:54:38 +0100 (WEST)
From: David Miller <davem@...emloft.net>
To: lucien.xin@...il.com
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
edumazet@...gle.com, marcelo.leitner@...il.com,
nhorman@...driver.com
Subject: Re: [PATCH net] sctp: add the missing sock_owned_by_user check in
sctp_icmp_redirect
From: Xin Long <lucien.xin@...il.com>
Date: Wed, 18 Oct 2017 21:37:49 +0800
> Now sctp processes icmp redirect packet in sctp_icmp_redirect where
> it calls sctp_transport_dst_check in which tp->dst can be released.
>
> The problem is before calling sctp_transport_dst_check, it doesn't
> check sock_owned_by_user, which means tp->dst could be freed while
> a process is accessing it with owning the socket.
>
> An use-after-free issue could be triggered by this.
>
> This patch is to fix it by checking sock_owned_by_user before calling
> sctp_transport_dst_check in sctp_icmp_redirect, so that it would not
> release tp->dst if users still hold sock lock.
>
> Besides, the same issue fixed in commit 45caeaa5ac0b ("dccp/tcp: fix
> routing redirect race") on sctp also needs this check.
>
> Fixes: 55be7a9c6074 ("ipv4: Add redirect support to all protocol icmp error handlers")
> Reported-by: Eric Dumazet <edumazet@...gle.com>
> Signed-off-by: Xin Long <lucien.xin@...il.com>
Applied and queued up for -stable.
Powered by blists - more mailing lists