| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Jun 2023 08:47:01 +0100
From: Lee Jones <lee@...nel.org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us,
davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
stable@...nel.org
Subject: Re: [PATCH v2 1/1] net/sched: cls_u32: Fix reference counter leak
leading to overflow
On Thu, 08 Jun 2023, Eric Dumazet wrote:
> On Thu, Jun 8, 2023 at 9:29 AM Lee Jones <lee@...nel.org> wrote:
> >
> > In the event of a failure in tcf_change_indev(), u32_set_parms() will
> > immediately return without decrementing the recently incremented
> > reference counter. If this happens enough times, the counter will
> > rollover and the reference freed, leading to a double free which can be
> > used to do 'bad things'.
> >
> > In order to prevent this, move the point of possible failure above the
> > point where the reference counter is incremented. Also save any
> > meaningful return values to be applied to the return data at the
> > appropriate point in time.
> >
> > This issue was caught with KASAN.
> >
> > Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
> > Suggested-by: Eric Dumazet <edumazet@...gle.com>
> > Signed-off-by: Lee Jones <lee@...nel.org>
> > ---
>
> Thanks Lee !
No problem. Thanks for your help.
> Reviewed-by: Eric Dumazet <edumazet@...gle.com>
--
Lee Jones [李琼斯]
Powered by blists - more mailing lists