| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9cae9278-fd9f-f90a-ca35-e2d4b3e63fe8@iogearbox.net>
Date: Mon, 28 May 2018 00:36:07 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: John Fastabend <john.fastabend@...il.com>, ast@...nel.org
Cc: netdev@...r.kernel.org
Subject: Re: [bpf-next PATCH] bpf: sockhash fix race with bpf_tcp_close and
map delete
On 05/25/2018 07:37 PM, John Fastabend wrote:
> syzbot reported two related splats, a use after free and null
> pointer dereference, when a TCP socket is closed while the map is
> also being removed.
>
> The psock keeps a reference to all map slots that have a reference
> to the sock so that when the sock is closed we can clean up any
> outstanding sock{map|hash} entries. This avoids pinning a sock
> forever if the map owner fails to do proper cleanup. However, the
> result is we have two paths that can free an entry in the map. Even
> the comment in the sock{map|hash} tear down function, sock_hash_free()
> notes this:
>
> At this point no update, lookup or delete operations can happen.
> However, be aware we can still get a socket state event updates,
> and data ready callbacks that reference the psock from sk_user_data.
>
> Both removal paths omitted taking the hash bucket lock resulting
> in the case where we have two references that are in the process
> of being free'd.
>
> Reported-by: syzbot+a761b81c211794fa1072@...kaller.appspotmail.com
> Signed-off-by: John Fastabend <john.fastabend@...il.com>
Applied to bpf-next, thanks John!
Powered by blists - more mailing lists