lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Sep 2020 09:36:04 +0200 From: Magnus Karlsson <magnus.karlsson@...el.com> To: magnus.karlsson@...el.com, bjorn.topel@...el.com, ast@...nel.org, daniel@...earbox.net, netdev@...r.kernel.org, jonathan.lemon@...il.com Cc: bpf@...r.kernel.org Subject: [PATCH bpf-next] xsk: fix use-after-free in failed shared_umem bind Fix use-after-free when a shared umem bind fails. The code incorrectly tried to free the allocated buffer pool both in the bind code and then later also when the socket was released. Fix this by setting the buffer pool pointer to NULL after the bind code has freed the pool, so that the socket release code will not try to free the pool. This is the same solution as the regular, non-shared umem code path has. This was missing from the shared umem path. Signed-off-by: Magnus Karlsson <magnus.karlsson@...el.com> Reported-by: syzbot+5334f62e4d22804e646a@...kaller.appspotmail.com Fixes: b5aea28dca13 ("xsk: Add shared umem support between queue ids") --- net/xdp/xsk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index 5eb6662..afd1ca0 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -717,6 +717,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) dev, qid); if (err) { xp_destroy(xs->pool); + xs->pool = NULL; sockfd_put(sock); goto out_unlock; } -- 2.7.4
Powered by blists - more mailing lists