Date: Mon, 10 Jun 2019 11:20:00 +0800
From: Su Yanjun <suyj.fnst@...fujitsu.com>
To: <vyasevich@...il.com>, <nhorman@...driver.com>, <marcelo.leitner@...il.com>, <davem@...emloft.net>
CC: <linux-sctp@...r.kernel.org>, <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, Su Yanjun <suyj.fnst@...fujitsu.com>
Subject: [PATCH] sctp: Add rcu lock to protect dst entry in sctp_transport_route

syzbot found a crash in rt_cache_valid. The problem is that when more
threads release dst in sctp_transport_route, the route cache can be freed.

As follows,

p1:
sctp_transport_route
  dst_release
  get_dst

p2:
sctp_transport_route
  dst_release
  get_dst
...

If enough threads calling dst_release cause dst->refcnt==0, then rcu
softirq will reclaim the dst entry, and get_dst then uses the freed memory.

This patch adds rcu lock to protect the dst_entry here.

Fixes: 6e91b578bf3f("sctp: re-use sctp_transport_pmtu in sctp_transport_route")
Signed-off-by: Su Yanjun <suyj.fnst@...fujitsu.com>
Reported-by: syzbot+a9e23ea2aa21044c2798@...kaller.appspotmail.com
--- net/sctp/transport.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/sctp/transport.c b/net/sctp/transport.c index ad158d3..5ad7e20 100644 --- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -308,8 +308,13 @@ void sctp_transport_route(struct sctp_transport *transport, struct sctp_association *asoc = transport->asoc; struct sctp_af *af = transport->af_specific; + /* When dst entry is being released, route cache may be referred + * again. Add rcu lock here to protect dst entry. + */ + rcu_read_lock(); sctp_transport_dst_release(transport); af->get_dst(transport, saddr, &transport->fl, sctp_opt2sk(opt)); + rcu_read_unlock(); if (saddr) memcpy(&transport->saddr, saddr, sizeof(union sctp_addr)); -- 2.7.4
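Review bot: The rcu_read_lock()/rcu_read_unlock() pair around sctp_transport_dst_release(transport) and af->get_dst(...) only delays reclamation of the dst; it does not serialise callers, so two threads in sctp_transport_route can still both release the same transport dst and drop its refcount more often than it was taken, which is the race the commit message describes. An RCU read-side section protects a reader from a concurrent free, not one updater from another, so please explain which lock callers of sctp_transport_route are expected to hold and why it is not held on the syzbot path, or make the release and re-lookup exclusive instead of wrapping them in RCU. Also confirm that every af->get_dst implementation is safe to call inside an RCU read-side critical section (no sleeping), and reword the added comment to name the object being protected and the concurrent path it is protected against.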