lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 Oct 2022 18:22:43 -0400 From: Sasha Levin <sashal@...nel.org> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org Cc: Khalid Masum <khalid.masum.92@...il.com>, Herbert Xu <herbert@...dor.apana.org.au>, syzbot+5ec9bb042ddfe9644773@...kaller.appspotmail.com, Steffen Klassert <steffen.klassert@...unet.com>, Sasha Levin <sashal@...nel.org>, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org Subject: [PATCH AUTOSEL 5.4 08/29] xfrm: Update ipcomp_scratches with NULL when freed From: Khalid Masum <khalid.masum.92@...il.com> [ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ] Currently if ipcomp_alloc_scratches() fails to allocate memory ipcomp_scratches holds obsolete address. So when we try to free the percpu scratches using ipcomp_free_scratches() it tries to vfree non existent vm area. Described below: static void * __percpu *ipcomp_alloc_scratches(void) { ... scratches = alloc_percpu(void *); if (!scratches) return NULL; ipcomp_scratches does not know about this allocation failure. Therefore holding the old obsolete address. ... } So when we free, static void ipcomp_free_scratches(void) { ... scratches = ipcomp_scratches; Assigning obsolete address from ipcomp_scratches if (!scratches) return; for_each_possible_cpu(i) vfree(*per_cpu_ptr(scratches, i)); Trying to free non existent page, causing warning: trying to vfree existent vm area. ... } Fix this breakage by updating ipcomp_scrtches with NULL when scratches is freed Suggested-by: Herbert Xu <herbert@...dor.apana.org.au> Reported-by: syzbot+5ec9bb042ddfe9644773@...kaller.appspotmail.com Tested-by: syzbot+5ec9bb042ddfe9644773@...kaller.appspotmail.com Signed-off-by: Khalid Masum <khalid.masum.92@...il.com> Acked-by: Herbert Xu <herbert@...dor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com> Signed-off-by: Sasha Levin <sashal@...nel.org> --- net/xfrm/xfrm_ipcomp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c index 4d422447aadc..4fca4b6cec8b 100644 --- a/net/xfrm/xfrm_ipcomp.c +++ b/net/xfrm/xfrm_ipcomp.c @@ -212,6 +212,7 @@ static void ipcomp_free_scratches(void) vfree(*per_cpu_ptr(scratches, i)); free_percpu(scratches); + ipcomp_scratches = NULL; } static void * __percpu *ipcomp_alloc_scratches(void) -- 2.35.1
Powered by blists - more mailing lists