lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 26 Apr 2022 11:30:08 +0800
From:   Jeremy Kerr <jk@...econstruct.com.au>
To:     Lin Ma <linma@....edu.cn>, matt@...econstruct.com.au,
        davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v0] mctp: defer the kfree of object mdev->addrs

Hi Lin,

> The function mctp_unregister() reclaims the device's relevant resource
> when a netcard detaches. However, a running routine may be unaware of
> this and cause the use-after-free of the mdev->addrs object.

[...]

> To this end, just like the commit e04480920d1e ("Bluetooth: defer
> cleanup of resources in hci_unregister_dev()")  this patch defers the
> destructive kfree(mdev->addrs) in mctp_unregister to the mctp_dev_put,
> where the refcount of mdev is zero and the entire device is reclaimed.
> This prevents the use-after-free because the sendmsg thread holds the
> reference of mdev in the mctp_route object.

Looks good to me, thanks for checking this out.

We could also check out the semantics of ->addrs over a release (perhaps
we should clear addresses immediately with the write lock held?), but
that would be best done as a separate change.

So:

Acked-by: Jeremy Kerr <jk@...econstruct.com.au>

Cheers,


Jeremy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ