Message-ID: <AM4PR07MB1714D980853C0D890645C39D9A3C0@AM4PR07MB1714.eurprd07.prod.outlook.com>
Date: Mon, 4 Dec 2017 19:44:23 +0000
From: Jon Maloy <jon.maloy@...csson.com>
To: David Miller <davem@...emloft.net>,
"xiyou.wangcong@...il.com" <xiyou.wangcong@...il.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"tipc-discussion@...ts.sourceforge.net"
<tipc-discussion@...ts.sourceforge.net>,
Ying Xue <ying.xue@...driver.com>
Subject: RE: [Patch net v2] tipc: fix a null pointer deref on error path
> -----Original Message-----
> From: netdev-owner@...r.kernel.org [mailto:netdev-
> owner@...r.kernel.org] On Behalf Of David Miller
> Sent: Monday, December 04, 2017 13:57
> To: xiyou.wangcong@...il.com
> Cc: netdev@...r.kernel.org; tipc-discussion@...ts.sourceforge.net; Jon
> Maloy <jon.maloy@...csson.com>; Ying Xue <ying.xue@...driver.com>
> Subject: Re: [Patch net v2] tipc: fix a null pointer deref on error path
>
> From: Cong Wang <xiyou.wangcong@...il.com>
> Date: Mon, 4 Dec 2017 10:31:43 -0800
>
> > In tipc_topsrv_kern_subscr() when s->tipc_conn_new() fails we call
> > tipc_close_conn() to clean up, but in this case calling conn_put() is
> > just enough.
> >
> > This fixes the following crash:
> ...
> > Fixes: 14c04493cb77 ("tipc: add ability to order and receive topology
> > events in driver")
> > Reported-by: syzbot <syzkaller@...glegroups.com>
> > Cc: Jon Maloy <jon.maloy@...csson.com>
> > Cc: Ying Xue <ying.xue@...driver.com>
> > Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
> ...
> > @@ -511,7 +511,7 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32
> port, u32 type,
> > s = con->server;
> > scbr = s->tipc_conn_new(*conid);
> > if (!scbr) {
> > - tipc_close_conn(con);
> > + conn_put(con);
> > return false;
> > }
> >
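Review bot: the hunk swaps the full teardown for a bare reference drop, but nothing in the patch says why tipc_close_conn() is unsafe at this point; add a one-line comment above `conn_put(con);` (or a sentence in the commit message, which currently only says conn_put() "is just enough") naming what tipc_close_conn() touches that is not yet set up when s->tipc_conn_new() fails, because the difference between "drop our reference" and "tear the connection down" is exactly what the next cleanup of this function will get wrong again. It is also worth stating in the same place that conn_put() on this path takes the count to zero and removes con from the server's reference table rather than leaving an entry behind, since that is the concern raised in the thread for the similar error path in tipc_accept_from_sock().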
> > --
> > 2.13.0
> >
>
> It looks like tipc_accept_from_sock() has a similar problem? The
> tipc_close_conn() will get invoked indirectly from the sock_release()
> path right?
No, it doesn't. There will be a 'leaked' conn instance which will remain in the reference table until it is flushed during module removal.
We'll fix this in a separate patch. Cong's fix is correct.
///jon
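An added example, not code from the TIPC tree or from anyone in this thread: a small user-space C model of the refcount and teardown rule the fix relies on. conn, conn_table, sock_stub, conn_new_ok and the helper names are assumptions chosen for illustration. It shows that a connection whose setup failed part-way owns only the reference taken at allocation, so the full close routine (which touches the not-yet-attached socket) is the wrong cleanup there, while returning without any put at all leaves the table entry behind until something flushes it, which is the leak described above for the accept path.

```c
/* Added example, not TIPC code: a toy model of the teardown discipline in
 * this thread. conn, conn_table, conn_new_ok and sock_stub are assumed names. */
#include <stdbool.h>
#include <stdlib.h>

#define TABLE_SIZE 8
struct sock_stub { int closed; };   /* stands in for the socket a live conn owns */
struct conn {
    int refcnt;
    int conid;
    struct sock_stub *sock;         /* attached only after setup; NULL until then */
};
static struct conn *conn_table[TABLE_SIZE];  /* the server's reference table */

static int table_count(void)
{
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        n += conn_table[i] != NULL;
    return n;
}

/* Allocate, register in the table, hand back one reference to the caller. */
static struct conn *conn_alloc(void)
{
    int i = 0;
    while (i < TABLE_SIZE && conn_table[i])
        i++;
    struct conn *c = i < TABLE_SIZE ? calloc(1, sizeof(*c)) : NULL;
    if (!c)
        return NULL;
    c->refcnt = 1;
    c->conid = i;
    conn_table[i] = c;
    return c;
}

/* Drop a reference; on the last one, unregister and free. Safe for a conn
 * whose setup never finished because it never looks inside the socket. */
static void conn_put(struct conn *c)
{
    if (--c->refcnt)
        return;
    conn_table[c->conid] = NULL;
    free(c->sock);
    free(c);
}

/* Full close: valid only after setup, because it uses the socket before
 * dropping the reference. On a half-built conn this is the NULL deref. */
static void close_conn(struct conn *c)
{
    c->sock->closed = 1;
    conn_put(c);
}

static bool close_conn_is_safe(const struct conn *c)
{
    return c->sock != NULL;         /* the check to make before choosing a cleanup */
}

/* Shape of tipc_topsrv_kern_subscr() after the fix: when per-connection
 * setup (conn_new_ok) fails, nothing beyond the alloc reference is owed. */
static bool kern_subscr(bool conn_new_ok)
{
    struct conn *con = conn_alloc();
    if (!con)
        return false;
    if (!conn_new_ok) {
        conn_put(con);              /* the patched line; close_conn() would crash */
        return false;
    }
    con->sock = calloc(1, sizeof(*con->sock));
    if (con->sock)
        return true;                /* conn stays registered as a live subscription */
    conn_put(con);                  /* same rule: setup incomplete, so only put */
    return false;
}

/* The leak raised for the accept path: returning without close_conn() or
 * conn_put() leaves the entry in the table until something flushes it. */
static int leaky_error_path(void)
{
    struct conn *con = conn_alloc();
    return con ? con->conid : -1;   /* reference never dropped */
}

/* Module-exit style flush; returns how many stale entries it dropped. */
static int flush_table(void)
{
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (conn_table[i]) {
            conn_put(conn_table[i]);
            n++;
        }
    return n;
}
```

Driving it from a main of your own: kern_subscr(false) leaves table_count() at 0, kern_subscr(true) leaves one live entry that close_conn() can tear down, and leaky_error_path() leaves an entry that only flush_table() removes; close_conn_is_safe() returns false for that stale entry, which is the condition under which the original code crashed.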