Message-ID: <CAM_iQpWuG7+Og68d+Q8F6oKv1kCMSYa5ZvjL7Fe3J8FW2cp5+A@mail.gmail.com>
Date:   Fri, 1 Mar 2019 16:04:28 -0800
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Davide Caratti <dcaratti@...hat.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Vlad Buslov <vladbu@...lanox.com>,
        Paolo Abeni <pabeni@...hat.com>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH net 03/16] net/sched: act_csum: validate the control
 action inside init()

On Fri, Mar 1, 2019 at 10:02 AM Davide Caratti <dcaratti@...hat.com> wrote:
>
> On Wed, 2019-02-27 at 17:50 -0800, Cong Wang wrote:
> > > +       if (oldchain)
> > > +               tcf_chain_put_by_act(oldchain);
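
Review bot: the tcf_chain_put_by_act(oldchain) call in this hunk drops the reference immediately, and nothing in these two lines waits for datapath readers that may already have fetched the old chain pointer. If the reference dropped here is the last one, the chain is freed while tcf_action_goto_chain_exec() may still dereference it. Either defer the put until after an RCU grace period, or add a comment stating what guarantees that no reader can still hold 'oldchain' at this point.
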
> >
> > Do we need to respect RCU grace period here?
>
> If I understand the question correctly, you are worried about
> tcf_action_goto_chain_exec(), that can dereference 'oldchain' while we are
> overwriting the action. A call to tcf_chain_put_by_act(oldchain) would
> decrease refcounts and eventually call kfree(oldchain).
>
> But this would result in a use-after-free only in case the chain has only
> refcount held by 1 action (the one we are overwriting), and 0 filters: is
> this a condition where packets can go through this action's data plane?

Hmm? Can't goto chain be arbitrary? Packets can be routed
from this action to any filter chain, so even if the target chain has 0
filters this action still has traffic as long as it is not itself on the same
chain?
