| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <10752519-01db-e6f8-f10d-870f5cad983f@gmail.com>
Date: Wed, 1 May 2019 09:44:59 -0600
From: David Ahern <dsahern@...il.com>
To: Martin KaFai Lau <kafai@...com>, netdev@...r.kernel.org
Cc: David Miller <davem@...emloft.net>, Jonathan Lemon <bsd@...com>,
kernel-team@...com, Wei Wang <weiwan@...gle.com>
Subject: Re: [PATCH net] ipv6: A few fixes on dereferencing rt->from
On 4/30/19 11:45 AM, Martin KaFai Lau wrote:
> It is a followup after the fix in
> commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")
>
> rt6_do_redirect():
> 1. NULL checking is needed on rt->from because a parallel
> fib6_info delete could happen that sets rt->from to NULL.
> (e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).
>
> 2. fib6_info_hold() is not enough. Same reason as (1).
> Meaning, holding dst->__refcnt cannot ensure
> rt->from is not NULL or rt->from->fib6_ref is not 0.
>
> Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
> is already doing, this patch chooses to extend the rcu section
> to keep "from" dereference-able after checking for NULL.
>
> inet6_rtm_getroute():
> 1. NULL checking is also needed on rt->from for a similar reason.
> Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Martin KaFai Lau <kafai@...com>
> ---
> net/ipv6/route.c | 38 ++++++++++++++++++--------------------
> 1 file changed, 18 insertions(+), 20 deletions(-)
>
Reviewed-by: David Ahern <dsahern@...il.com>
Thanks, Martin.
Powered by blists - more mailing lists