lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 May 2018 00:36:07 +0200 From: Daniel Borkmann <daniel@...earbox.net> To: John Fastabend <john.fastabend@...il.com>, ast@...nel.org Cc: netdev@...r.kernel.org Subject: Re: [bpf-next PATCH] bpf: sockhash fix race with bpf_tcp_close and map delete On 05/25/2018 07:37 PM, John Fastabend wrote: > syzbot reported two related splats, a use after free and null > pointer dereference, when a TCP socket is closed while the map is > also being removed. > > The psock keeps a reference to all map slots that have a reference > to the sock so that when the sock is closed we can clean up any > outstanding sock{map|hash} entries. This avoids pinning a sock > forever if the map owner fails to do proper cleanup. However, the > result is we have two paths that can free an entry in the map. Even > the comment in the sock{map|hash} tear down function, sock_hash_free() > notes this: > > At this point no update, lookup or delete operations can happen. > However, be aware we can still get a socket state event updates, > and data ready callbacks that reference the psock from sk_user_data. > > Both removal paths omitted taking the hash bucket lock resulting > in the case where we have two references that are in the process > of being free'd. > > Reported-by: syzbot+a761b81c211794fa1072@...kaller.appspotmail.com > Signed-off-by: John Fastabend <john.fastabend@...il.com> Applied to bpf-next, thanks John!
Powered by blists - more mailing lists