| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Aug 2019 20:52:54 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: loyou85@...il.com
Cc: edumazet@...gle.com, dsterba@...e.com, dbanerje@...mai.com,
fw@...len.de, davej@...emonkey.org.uk, tglx@...utronix.de,
matwey@....msu.ru, sakari.ailus@...ux.intel.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
xiaojunzhao141@...il.com
Subject: Re: [PATCH v3] net: fix skb use after free in netpoll
From: Feng Sun <loyou85@...il.com>
Date: Mon, 26 Aug 2019 14:46:04 +0800
> After commit baeababb5b85d5c4e6c917efe2a1504179438d3b
> ("tun: return NET_XMIT_DROP for dropped packets"),
> when tun_net_xmit drop packets, it will free skb and return NET_XMIT_DROP,
> netpoll_send_skb_on_dev will run into following use after free cases:
> 1. retry netpoll_start_xmit with freed skb;
> 2. queue freed skb in npinfo->txq.
> queue_process will also run into use after free case.
>
> hit netpoll_send_skb_on_dev first case with following kernel log:
...
> Signed-off-by: Feng Sun <loyou85@...il.com>
> Signed-off-by: Xiaojun Zhao <xiaojunzhao141@...il.com>
Applied and queued up for -stable.
Powered by blists - more mailing lists