| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Jul 2021 09:10:08 +0200
From: Oleksij Rempel <o.rempel@...gutronix.de>
To: Xiaochen Zou <xzou017@....edu>
Cc: kernel@...gutronix.de, linux-can@...r.kernel.org,
netdev@...r.kernel.org, stable@...r.kernel.org
Subject: Re: Use-after-free access in j1939_session_deactivate
Hi,
On Mon, Jul 12, 2021 at 03:40:46PM -0700, Xiaochen Zou wrote:
> Hi,
> It looks like there are multiple use-after-free accesses in
> j1939_session_deactivate()
>
> static bool j1939_session_deactivate(struct j1939_session *session)
> {
> bool active;
>
> j1939_session_list_lock(session->priv);
> active = j1939_session_deactivate_locked(session); //session can be freed inside
> j1939_session_list_unlock(session->priv); // It causes UAF read and write
>
> return active;
> }
>
> session can be freed by
> j1939_session_deactivate_locked->j1939_session_put->__j1939_session_release->j1939_session_destroy->kfree.
> Therefore it makes the unlock function perform UAF access.
Potentially I would agree, but this function takes "session" as
property. Any function which provided session pointer should
care about own ref counting. If described scenarios really happens, then
there is problem on other place. Was you able to reproduce it?
Regards,
Oleksij
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Powered by blists - more mailing lists