| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Jul 2021 13:21:44 -0700
From: Xiaochen Zou <xzou017@....edu>
To: greg@...ah.com
Cc: stable@...r.kernel.org, netdev@...r.kernel.org,
linux-can@...r.kernel.org
Subject: [PATCH 0/1] can: fix a potential UAF access in
j1939_session_deactivate()
Xiaochen Zou (1):
can: fix a potential UAF access in j1939_session_deactivate(). Both
session and session->priv may be freed in
j1939_session_deactivate_locked(). It leads to potential UAF read
and write in j1939_session_list_unlock(). The free chain is
j1939_session_deactivate_locked()->j1939_session_put()->__j1939_session_release()->j1939_session_destroy().
To fix this bug, I moved j1939_session_put() behind
j1939_session_deactivate_locked(), and guarded it with a check of
active since the session would be freed only if active is true.
net/can/j1939/transport.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--
2.17.1
>From 9c4733d093e05db22eb89825579c83e020c3c1a6 Mon Sep 17 00:00:00 2001
From: Xiaochen Zou <xzou017@....edu>
Date: Tue, 13 Jul 2021 13:15:59 -0700
Subject: [PATCH 1/1] can: fix a potential UAF access in
j1939_session_deactivate().
To: greg@...ah.com
Cc: stable@...r.kernel.org,netdev@...r.kernel.org,linux-can@...r.kernel.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------2.17.1"
This is a multi-part message in MIME format.
View attachment "Attached Message Part" of type "text/plain" (620 bytes)
View attachment "0001-can-fix-a-potential-UAF-access-in-j1939_session_deac.patch" of type "text/x-patch" (1388 bytes)
Powered by blists - more mailing lists