Message-ID: <81d683a7b6ea12e69cb9954b9bad84a9d2a2520f.camel@redhat.com>
Date: Fri, 01 Mar 2019 19:02:19 +0100
From: Davide Caratti <dcaratti@...hat.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, Jamal Hadi Salim <jhs@...atatu.com>, Jiri Pirko <jiri@...nulli.us>, Vlad Buslov <vladbu@...lanox.com>, Paolo Abeni <pabeni@...hat.com>, Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH net 03/16] net/sched: act_csum: validate the control action inside init()

On Wed, 2019-02-27 at 17:50 -0800, Cong Wang wrote:
> > + if (oldchain)
> > + tcf_chain_put_by_act(oldchain);
>
> Do we need to respect RCU grace period here?

If I understand the question correctly, you are worried about
tcf_action_goto_chain_exec(), that can dereference 'oldchain' while we are
overwriting the action. A call to tcf_chain_put_by_act(oldchain) would
decrease refcounts and eventually call kfree(oldchain).

But this would result in a use-after-free only in case the chain has only
refcount held by 1 action (the one we are overwriting), and 0 filters: is
this a condition where packets can go through this action's data plane?

In every other case, the chain is refcounted at least by 1 filter. So,
normally the worst case would be a packet routed on the wrong chain, which
is not much different than what already happens now when a valid 'goto
chain' rule is overwritten with another valid 'goto chain' rule.

Am I missing something?

Thank you in advance,
--
davide
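Review bot: in the quoted hunk, tcf_chain_put_by_act(oldchain) is called as soon as oldchain is non-NULL, and nothing in the two visible lines defers the put or explains why the chain cannot still be in use by a concurrent reader. If the safety argument is the one given in this reply (the chain stays referenced by at least one filter whenever packets can reach the action), a short comment at this call stating that invariant would help; if the invariant does not always hold, the put should be deferred until after an RCU grace period.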