lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220127181930.355c8c82@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date:   Thu, 27 Jan 2022 18:19:30 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Jann Horn <jannh@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>,
        Oliver Neukum <oneukum@...e.com>,
        kernel list <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Jacky Chou <jackychou@...x.com.tw>, Willy Tarreau <w@....eu>
Subject: Re: [BUG] net_device UAF: linkwatch_fire_event() calls dev_hold()
 after netdev_wait_allrefs() is done

Interesting..

I don't know what link_reset does, but since it turns the carrier on it
seems like something that should be flushed/canceled when the device
goes down. unregister brings the device down under rtnl_lock.

On Fri, 28 Jan 2022 02:51:24 +0100 Jann Horn wrote:
> Is the bug that usbnet_disconnect() should be stopping &dev->kevent
> before calling unregister_netdev()?

I'd say not this one, I think the generally agreed on semantics are that
the netdev is under users control between register and unregister, we
should not cripple it before unregister.

> Or is the bug that ax88179_link_reset() doesn't take some kind of lock
> and re-check that the netdev is still alive?

That'd not be an uncommon way to fix this.. taking rtnl_lock, not even 
a driver lock in similar.

> Or should netif_carrier_on() be doing that?
> Or is it the responsibility of the linkwatch code to check whether the
> netdev is already going away?

Possibly, although we don't do much in the way of defensive programming
in networking.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ