lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 22 Oct 2017 02:04:26 +0100 (WEST)
From:   David Miller <davem@...emloft.net>
To:     kraigatgoog@...il.com
Cc:     netdev@...r.kernel.org
Subject: Re: [PATCH net] soreuseport: fix initialization race

From: Craig Gallek <kraigatgoog@...il.com>
Date: Thu, 19 Oct 2017 15:00:29 -0400

> From: Craig Gallek <kraig@...gle.com>
> 
> Syzkaller stumbled upon a way to trigger
> WARNING: CPU: 1 PID: 13881 at net/core/sock_reuseport.c:41
> reuseport_alloc+0x306/0x3b0 net/core/sock_reuseport.c:39
> 
> There are two initialization paths for the sock_reuseport structure in a
> socket: Through the udp/tcp bind paths of SO_REUSEPORT sockets or through
> SO_ATTACH_REUSEPORT_[CE]BPF before bind.  The existing implementation
> assumedthat the socket lock protected both of these paths when it actually
> only protects the SO_ATTACH_REUSEPORT path.  Syzkaller triggered this
> double allocation by running these paths concurrently.
> 
> This patch moves the check for double allocation into the reuseport_alloc
> function which is protected by a global spin lock.
> 
> Fixes: e32ea7e74727 ("soreuseport: fast reuseport UDP socket selection")
> Fixes: c125e80b8868 ("soreuseport: fast reuseport TCP socket selection")
> Signed-off-by: Craig Gallek <kraig@...gle.com>

Applied and queued up for -stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ