| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200314.204203.716262950775446891.davem@davemloft.net>
Date: Sat, 14 Mar 2020 20:42:03 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: xiyou.wangcong@...il.com
Cc: netdev@...r.kernel.org,
syzbot+653090db2562495901dc@...kaller.appspotmail.com,
jhs@...atatu.com, jiri@...nulli.us
Subject: Re: [Patch net] net_sched: hold rtnl lock in
tcindex_partial_destroy_work()
From: Cong Wang <xiyou.wangcong@...il.com>
Date: Wed, 11 Mar 2020 22:42:27 -0700
> syzbot reported a use-after-free in tcindex_dump(). This is due to
> the lack of RTNL in the deferred rcu work. We queue this work with
> RTNL in tcindex_change(), later, tcindex_dump() is called:
>
> fh = tp->ops->get(tp, t->tcm_handle);
> ...
> err = tp->ops->change(..., &fh, ...);
> tfilter_notify(..., fh, ...);
>
> but there is nothing to serialize the pending
> tcindex_partial_destroy_work() with tcindex_dump().
>
> Fix this by simply holding RTNL in tcindex_partial_destroy_work(),
> so that it won't be called until RTNL is released after
> tc_new_tfilter() is completed.
>
> Reported-and-tested-by: syzbot+653090db2562495901dc@...kaller.appspotmail.com
> Fixes: 3d210534cc93 ("net_sched: fix a race condition in tcindex_destroy()")
> Cc: Jamal Hadi Salim <jhs@...atatu.com>
> Cc: Jiri Pirko <jiri@...nulli.us>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
Applied and queued up for -stable, thanks Cong.
Powered by blists - more mailing lists