| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <166453801649.4225.16866924781982017977.git-patchwork-notify@kernel.org>
Date: Fri, 30 Sep 2022 11:40:16 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Xin Long <lucien.xin@...il.com>
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
davem@...emloft.net, kuba@...nel.org, marcelo.leitner@...il.com
Subject: Re: [PATCH net] sctp: handle the error returned from
sctp_auth_asoc_init_active_key
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <davem@...emloft.net>:
On Wed, 28 Sep 2022 14:10:13 -0400 you wrote:
> When it returns an error from sctp_auth_asoc_init_active_key(), the
> active_key is actually not updated. The old sh_key will be freeed
> while it's still used as active key in asoc. Then an use-after-free
> will be triggered when sending patckets, as found by syzbot:
>
> sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
> sctp_set_owner_w net/sctp/socket.c:132 [inline]
> sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
> sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
> inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
> sock_sendmsg_nosec net/socket.c:714 [inline]
> sock_sendmsg+0xcf/0x120 net/socket.c:734
>
> [...]
Here is the summary with links:
- [net] sctp: handle the error returned from sctp_auth_asoc_init_active_key
https://git.kernel.org/netdev/net/c/022152aaebe1
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Powered by blists - more mailing lists