lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jul 2020 09:57:33 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Cong Wang <xiyou.wangcong@...il.com>, netdev@...r.kernel.org Cc: syzbot+6720d64f31c081c2f708@...kaller.appspotmail.com, Bjorn Andersson <bjorn.andersson@...aro.org>, Eric Dumazet <eric.dumazet@...il.com> Subject: Re: [Patch net v2] qrtr: orphan socket in qrtr_release() On 7/24/20 9:45 AM, Cong Wang wrote: > We have to detach sock from socket in qrtr_release(), > otherwise skb->sk may still reference to this socket > when the skb is released in tun->queue, particularly > sk->sk_wq still points to &sock->wq, which leads to > a UAF. > > Reported-and-tested-by: syzbot+6720d64f31c081c2f708@...kaller.appspotmail.com > Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") > Cc: Bjorn Andersson <bjorn.andersson@...aro.org> > Cc: Eric Dumazet <eric.dumazet@...il.com> > Signed-off-by: Cong Wang <xiyou.wangcong@...il.com> > --- > net/qrtr/qrtr.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c > index 24a8c3c6da0d..300a104b9a0f 100644 > --- a/net/qrtr/qrtr.c > +++ b/net/qrtr/qrtr.c > @@ -1180,6 +1180,7 @@ static int qrtr_release(struct socket *sock) > sk->sk_state_change(sk); > > sock_set_flag(sk, SOCK_DEAD); > + sock_orphan(sk); > sock->sk = NULL; > > if (!sock_flag(sk, SOCK_ZAPPED)) > Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists