| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <04d904dc-b64a-a6b7-9f0e-40c3d9a2e6a3@gmail.com>
Date: Wed, 1 May 2019 17:01:05 -0400
From: Eric Dumazet <eric.dumazet@...il.com>
To: Martin KaFai Lau <kafai@...com>, netdev@...r.kernel.org
Cc: David Ahern <dsahern@...il.com>,
David Miller <davem@...emloft.net>,
Jonathan Lemon <bsd@...com>, kernel-team@...com,
Wei Wang <weiwan@...gle.com>
Subject: Re: [PATCH net] ipv6: A few fixes on dereferencing rt->from
On 4/30/19 10:45 AM, Martin KaFai Lau wrote:
> It is a followup after the fix in
> commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")
>
> rt6_do_redirect():
> 1. NULL checking is needed on rt->from because a parallel
> fib6_info delete could happen that sets rt->from to NULL.
> (e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).
>
> 2. fib6_info_hold() is not enough. Same reason as (1).
> Meaning, holding dst->__refcnt cannot ensure
> rt->from is not NULL or rt->from->fib6_ref is not 0.
>
> Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
> is already doing, this patch chooses to extend the rcu section
> to keep "from" dereference-able after checking for NULL.
>
> inet6_rtm_getroute():
> 1. NULL checking is also needed on rt->from for a similar reason.
> Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Martin KaFai Lau <kafai@...com>
> ---
>
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists