lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 25 Apr 2020 20:54:37 +0800 From: Xiyu Yang <xiyuyang19@...an.edu.cn> To: Boris Pismenny <borisp@...lanox.com>, Aviad Yehezkel <aviadye@...lanox.com>, John Fastabend <john.fastabend@...il.com>, Daniel Borkmann <daniel@...earbox.net>, Jakub Kicinski <kuba@...nel.org>, "David S. Miller" <davem@...emloft.net>, Alexei Starovoitov <ast@...nel.org>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, Andrii Nakryiko <andriin@...com>, KP Singh <kpsingh@...omium.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org Cc: yuanxzhang@...an.edu.cn, kjlu@....edu, Xiyu Yang <xiyuyang19@...an.edu.cn>, Xin Tan <tanxin.ctf@...il.com> Subject: [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference of the specified sk_psock object to "psock" with increased refcnt. When bpf_exec_tx_verdict() returns, local variable "psock" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not NULL, the function forgets to decrease the refcnt increased by sk_psock_get(), causing a refcnt leak. Fix this issue by calling sk_psock_put() on this error path before bpf_exec_tx_verdict() returns. Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@...il.com> --- net/tls/tls_sw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 7d3bf86e6cbf..5fad144edaa3 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -800,6 +800,8 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, *copied -= sk_msg_free(sk, msg); tls_free_open_rec(sk); } + if (psock) + sk_psock_put(sk, psock); return err; } more_data: -- 2.7.4
Powered by blists - more mailing lists