| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <113f8915-57bf-0a7a-1213-66ad04f80a59@gmail.com>
Date: Wed, 5 Feb 2020 07:16:27 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: David Miller <davem@...emloft.net>, edumazet@...gle.com
Cc: netdev@...r.kernel.org, eric.dumazet@...il.com,
syzkaller@...glegroups.com, j.vosburgh@...il.com,
vfalico@...il.com, andy@...yhouse.net
Subject: Re: [PATCH net] bonding/alb: properly access headers in
bond_alb_xmit()
On 2/5/20 5:30 AM, David Miller wrote:
> From: Eric Dumazet <edumazet@...gle.com>
> Date: Tue, 4 Feb 2020 19:26:05 -0800
>
>> syzbot managed to send an IPX packet through bond_alb_xmit()
>> and af_packet and triggered a use-after-free.
>>
>> First, bond_alb_xmit() was using ipx_hdr() helper to reach
>> the IPX header, but ipx_hdr() was using the transport offset
>> instead of the network offset. In the particular syzbot
>> report transport offset was 0xFFFF
>>
>> This patch removes ipx_hdr() since it was only (mis)used from bonding.
>>
>> Then we need to make sure IPv4/IPv6/IPX headers are pulled
>> in skb->head before dereferencing anything.
>>
>> BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
>> Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
>> (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
> ...
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
>> Reported-by: syzbot <syzkaller@...glegroups.com>
>
> I had to read this one over a few times, but looks good.
>
> Applied and queued up for -stable, thanks.
>
Thanks for the scrutiny David !
Powered by blists - more mailing lists