lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20180829.180516.859582570374575869.davem@davemloft.net>
Date:   Wed, 29 Aug 2018 18:05:16 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     xiyou.wangcong@...il.com
Cc:     netdev@...r.kernel.org, tipc-discussion@...ts.sourceforge.net,
        jon.maloy@...csson.com, ying.xue@...driver.com
Subject: Re: [Patch net] tipc: switch to rhashtable iterator

From: Cong Wang <xiyou.wangcong@...il.com>
Date: Fri, 24 Aug 2018 12:28:06 -0700

> syzbot reported a use-after-free in tipc_group_fill_sock_diag(),
> where tipc_group_fill_sock_diag() still reads tsk->group meanwhile
> tipc_group_delete() just deletes it in tipc_release().
> 
> tipc_nl_sk_walk() aims to lock this sock when walking each sock
> in the hash table to close race conditions with sock changes like
> this one, by acquiring tsk->sk.sk_lock.slock spinlock, unfortunately
> this doesn't work at all. All non-BH call path should take
> lock_sock() instead to make it work.
> 
> tipc_nl_sk_walk() brutally iterates with raw rht_for_each_entry_rcu()
> where RCU read lock is required, this is the reason why lock_sock()
> can't be taken on this path. This could be resolved by switching to
> rhashtable iterator API's, where taking a sleepable lock is possible.
> Also, the iterator API's are friendly for restartable calls like
> diag dump, the last position is remembered behind the scence,
> all we need to do here is saving the iterator into cb->args[].
> 
> I tested this with parallel tipc diag dump and thousands of tipc
> socket creation and release, no crash or memory leak.
> 
> Reported-by: syzbot+b9c8f3ab2994b7cd1625@...kaller.appspotmail.com
> Cc: Jon Maloy <jon.maloy@...csson.com>
> Cc: Ying Xue <ying.xue@...driver.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>

Applied and queued up for -stable, thanks Cong.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ