| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <69a43dc8-c545-1187-7185-4b85215b726d@kernel.org>
Date: Sun, 18 Sep 2022 09:30:21 -0600
From: David Ahern <dsahern@...nel.org>
To: Liang He <windhl@....com>, davem@...emloft.net,
yoshfuji@...ux-ipv6.org, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org
Subject: Re: [PATCH] ipv4: ping: Fix potential use-after-free bug
On 9/16/22 4:07 AM, Liang He wrote:
> In ping_unhash(), we should move sock_put(sk) after any possible
> access point as the put function may free the object.
unhash handlers are called from sk_common_release which still has a
reference on the sock, so not really going to hit a UAF.
I do agree that it does not read correctly to 'put' a reference then
continue using the object. ie., the put should be moved to the end like
you have here. This is more of a tidiness exercise than a need to
backport to stable kernels.
>
> Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
> Signed-off-by: Liang He <windhl@....com>
> ---
>
> I have found other places containing similar code patterns.
>
> net/ipv4/ping.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
> index b83c2bd9d722..f90c86d37ffc 100644
> --- a/net/ipv4/ping.c
> +++ b/net/ipv4/ping.c
> @@ -157,10 +157,10 @@ void ping_unhash(struct sock *sk)
> spin_lock(&ping_table.lock);
> if (sk_hashed(sk)) {
> hlist_nulls_del_init_rcu(&sk->sk_nulls_node);
> - sock_put(sk);
> isk->inet_num = 0;
> isk->inet_sport = 0;
> sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
> + sock_put(sk);
> }
> spin_unlock(&ping_table.lock);
> }
Powered by blists - more mailing lists