| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220324023904.7173-1-linma@zju.edu.cn>
Date: Thu, 24 Mar 2022 10:39:04 +0800
From: Lin Ma <linma@....edu.cn>
To: jk@...econstruct.com.au, matt@...econstruct.com.au,
davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Lin Ma <linma@....edu.cn>
Subject: [PATCH v0] mctp: fix netdev reference bug
In extended addressing mode, function mctp_local_output() fetch netdev
through dev_get_by_index_rcu, which won't increase netdev's reference
counter. Hence, the reference may underflow when mctp_local_output calls
dev_put(), results in possible use after free.
This patch adds dev_hold() to fix the reference bug.
Fixes: 99ce45d5e7db ("mctp: Implement extended addressing")
Signed-off-by: Lin Ma <linma@....edu.cn>
---
net/mctp/route.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index e52cef750500..a9e5d6c40c65 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -817,6 +817,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
return rc;
}
+ dev_hold(dev);
rt->dev = __mctp_dev_get(dev);
rcu_read_unlock();
--
2.35.1
Powered by blists - more mailing lists