Message-Id: <166608481592.2815.17700735863807978261.git-patchwork-notify@kernel.org>
Date: Tue, 18 Oct 2022 09:20:15 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Zhengchao Shao <shaozhengchao@...wei.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net,
yoshfuji@...ux-ipv6.org, dsahern@...nel.org, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, weiyongjun1@...wei.com,
yuehaibing@...wei.com
Subject: Re: [PATCH net] ip6mr: fix UAF issue in ip6mr_sk_done() when
addrconf_init_net() failed
Hello:
This patch was applied to netdev/net.git (master)
by Paolo Abeni <pabeni@...hat.com>:
On Mon, 17 Oct 2022 16:03:31 +0800 you wrote:
> If the initialization fails in calling addrconf_init_net(), devconf_all is
> the pointer that has been released. Then ip6mr_sk_done() is called to
> release the net, accessing devconf->mc_forwarding directly causes invalid
> pointer access.
>
> The process is as follows:
> setup_net()
>   ops_init()
>     addrconf_init_net()
>       all = kmemdup(...)           ---> alloc "all"
>       ...
>       net->ipv6.devconf_all = all;
>       __addrconf_sysctl_register() ---> failed
>       ...
>       kfree(all);                  ---> ipv6.devconf_all invalid
>       ...
>   ops_exit_list()
>     ...
>     ip6mr_sk_done()
>       devconf = net->ipv6.devconf_all;
>       //devconf is invalid pointer
>       if (!devconf || !atomic_read(&devconf->mc_forwarding))
>
> [...]
Here is the summary with links:
- [net] ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
https://git.kernel.org/netdev/net/c/1ca695207ed2
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
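
The failure sequence from the quoted commit message, modelled in userspace C as an added example (not the applied kernel patch and not code from this thread). The struct and function names are hypothetical stand-ins; clearing the published pointer on the error path is one way to make the exit path's NULL check effective, assumed here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userspace stand-ins for the kernel objects named in the commit message. */
struct devconf { int mc_forwarding; };
struct net_model { struct devconf *devconf_all; };

/* Models __addrconf_sysctl_register(); `fail` forces the error path. */
static int sysctl_register_model(int fail) { return fail ? -1 : 0; }

/* Models the init op: publish the allocation in `net`, unwind if registration fails. */
int init_net_model(struct net_model *net, int fail_register)
{
    struct devconf *all = calloc(1, sizeof(*all));
    if (!all)
        return -1;
    net->devconf_all = all;              /* now reachable from exit handlers */
    if (sysctl_register_model(fail_register) < 0) {
        free(all);
        /* Without this store the field keeps the freed address, and the
         * `!devconf` test in the exit path cannot catch it. */
        net->devconf_all = NULL;
        return -1;
    }
    return 0;
}

/* Models the exit-path check quoted above: returns 0 when there is nothing
 * to tear down, 1 when forwarding state was cleared. */
int sk_done_model(struct net_model *net)
{
    struct devconf *devconf = net->devconf_all;
    if (!devconf || !devconf->mc_forwarding)
        return 0;
    devconf->mc_forwarding = 0;
    return 1;
}

int main(void)
{
    struct net_model net = { 0 };
    int err = init_net_model(&net, 1);   /* constructed failure case */
    printf("init=%d devconf_all=%p sk_done=%d\n",
           err, (void *)net.devconf_all, sk_done_model(&net));
    return 0;
}
```

Removing the `net->devconf_all = NULL;` line and building with `-fsanitize=address` reproduces the class of bug described: the exit path dereferences freed memory because a dangling pointer is non-NULL.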