lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AM4PR07MB171496B1708D7CA836C8C7519A3C0@AM4PR07MB1714.eurprd07.prod.outlook.com>
Date:   Mon, 4 Dec 2017 19:49:53 +0000
From:   Jon Maloy <jon.maloy@...csson.com>
To:     Cong Wang <xiyou.wangcong@...il.com>,
        David Miller <davem@...emloft.net>
CC:     Linux Kernel Network Developers <netdev@...r.kernel.org>,
        "tipc-discussion@...ts.sourceforge.net" 
        <tipc-discussion@...ts.sourceforge.net>,
        Ying Xue <ying.xue@...driver.com>
Subject: RE: [Patch net v2] tipc: fix a null pointer deref on error path



> -----Original Message-----
> From: Cong Wang [mailto:xiyou.wangcong@...il.com]
> Sent: Monday, December 04, 2017 14:41
> To: David Miller <davem@...emloft.net>
> Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>; tipc-
> discussion@...ts.sourceforge.net; Jon Maloy <jon.maloy@...csson.com>;
> Ying Xue <ying.xue@...driver.com>
> Subject: Re: [Patch net v2] tipc: fix a null pointer deref on error path
> 
> On Mon, Dec 4, 2017 at 11:23 AM, Cong Wang <xiyou.wangcong@...il.com>
> wrote:
> > On Mon, Dec 4, 2017 at 10:57 AM, David Miller <davem@...emloft.net>
> wrote:
> >>
> >> It looks like tipc_accept_from_sock() has a similar problem?  The
> >> tipc_close_conn() will get invoked indirectly from the sock_release()
> >> path right?
> >
> > Not sure, the sock_release() in tipc_accept_from_sock() is for
> > kernel_accept(), not for tipc_alloc_conn(). Or maybe it is hiding deep
> > in the call chain that I miss?
> 
> I see:
> 
> tipc_release() ->  tipc_sk_leave() -> tipc_group_delete()
> -> tipc_topsrv_kern_unsubscr() -> tipc_close_conn()
> 
> Seems on this path we do need to skip NULL too.

You are right. The right solution is to just call conn_put() twice here.
I already have a patch ready for this, but it is part of a series that needs more review.
I should probably post it separately...

///jon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ