Date:   Wed, 11 Nov 2020 04:09:03 -0800
From:   Xie He <xie.he.0141@...il.com>
To:     Martin Schiller <ms@....tdt.de>
Cc:     Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] net: x25: Fix kernel crashes due to x25_disconnect
 releasing x25_neigh

On Wed, Nov 11, 2020 at 3:41 AM Martin Schiller <ms@....tdt.de> wrote:
>
> > 1) When we receive a connection, the x25_rx_call_request function in
> > af_x25.c does not increase the refcount when it assigns the pointer.
> > When we disconnect, x25_disconnect is called and the struct's refcount
> > is decreased without being increased in the first place.
>
> Yes, this is a problem and should be fixed. As an alternative to your
> approach, you could also go the way to prevent the call of
> x25_neigh_put(nb) in x25_lapb_receive_frame() in case of a Call Request.
> However, this would require more effort.

Yes, right. I think my approach is easier.

> > This causes frequent kernel crashes when using AF_X25 sockets.
> >
> > 2) When we initiate a connection but the connection is refused by the
> > remote side, x25_disconnect is called which decreases the refcount and
> > resets the pointer to NULL. But the x25_connect function in af_x25.c,
> > which is waiting for the connection to be established, notices the
> > failure and then tries to decrease the refcount again, resulting in a
> > NULL-pointer-dereference error.
> >
> > This crashes the kernel every time a connection is refused by the
> > remote side.
>
> For this bug I already sent a fix some time ago (last time I sent a
> RESEND yesterday), but unfortunately it was not merged yet:
> https://lore.kernel.org/patchwork/patch/1334917/

I see. Thanks! Hope it will be merged soon!

I'll re-submit my patch without your part after your patch is merged.
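
The two reference-count problems discussed in this message, as an added user-space model that is not part of the original thread or the kernel source. The struct and function names, the assumed long-lived owner reference, and the NULL guard in case 2 are assumptions made for illustration.

```c
#include <stdio.h>
/* User-space model only; every name here is hypothetical, not kernel code. */
struct neigh { int refcnt; int freed; };
struct sock_model { struct neigh *neighbour; };
static void neigh_hold(struct neigh *nb) { nb->refcnt++; }

static int neigh_put(struct neigh *nb)
{
    if (!nb)
        return -1;                  /* a real put would dereference NULL here */
    nb->freed = (--nb->refcnt == 0);    /* last reference dropped: released */
    return 0;
}

/* Disconnect as described: drop the reference, then clear the pointer. */
static void model_disconnect(struct sock_model *sk)
{
    neigh_put(sk->neighbour);
    sk->neighbour = NULL;
}

/* Case 1, incoming call: returns 1 if freed while the owner still uses it. */
static int rx_call(int hold_on_assign)
{
    struct neigh nb = { 2, 0 };     /* assumed owner ref + receive path's ref */
    struct sock_model sk = { &nb }; /* pointer stored in the socket */
    if (hold_on_assign)
        neigh_hold(&nb);            /* the socket's own reference */
    neigh_put(&nb);                 /* receive path drops its reference */
    model_disconnect(&sk);
    return nb.freed;
}

/* Case 2, refused outgoing call: returns -1 if the error path puts NULL. */
static int refused(int check_null)
{
    struct neigh nb = { 2, 0 };     /* assumed owner ref + connect's ref */
    struct sock_model sk = { &nb };
    model_disconnect(&sk);          /* refusal: put, then pointer = NULL */
    if (check_null && !sk.neighbour)
        return 0;                   /* assumed guard, not the linked patch */
    return neigh_put(sk.neighbour);
}

int main(void)
{
    printf("%d %d %d %d\n", rx_call(0), rx_call(1), refused(0), refused(1));
    return 0;
}
```

Without the hold on assignment the count reaches zero while the assumed owner still holds its pointer; with it, the count stays balanced after disconnect.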
