| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <81d683a7b6ea12e69cb9954b9bad84a9d2a2520f.camel@redhat.com>
Date: Fri, 01 Mar 2019 19:02:19 +0100
From: Davide Caratti <dcaratti@...hat.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Jamal Hadi Salim <jhs@...atatu.com>,
Jiri Pirko <jiri@...nulli.us>,
Vlad Buslov <vladbu@...lanox.com>,
Paolo Abeni <pabeni@...hat.com>,
Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH net 03/16] net/sched: act_csum: validate the control
action inside init()
On Wed, 2019-02-27 at 17:50 -0800, Cong Wang wrote:
> > + if (oldchain)
> > + tcf_chain_put_by_act(oldchain);
>
> Do we need to respect RCU grace period here?
if I well understand the question, you are worried about
tcf_action_goto_chain_exec(), that can dereference 'oldchain' while we are
overwriting the action. A call to tcf_chain_put_by_act(oldchain) would
decrease refcounts and eventually call kfree(oldchain).
But this would result in a use-after-free only in case the chain has only
refcount held by 1 action (the one we are overwriting), and 0 filters: is
this a condition where packets can go through this action's data plane?
In every other case, the chain is refcounted at least by 1 filter.
So, normally the worst case would be a packet routed on the wrong chain,
which is not much different than what already happens now when a valid
'goto chain' rule is overwritten with another valid 'goto chain' rule.
Am I missing something?
thank you in advance,
--
davide
Powered by blists - more mailing lists