Message-ID: <20230710094053.3302181-1-shaozhengchao@huawei.com>
Date: Mon, 10 Jul 2023 17:40:50 +0800
From: Zhengchao Shao <shaozhengchao@...wei.com>
To: <netdev@...r.kernel.org>, <steffen.klassert@...unet.com>,
<herbert@...dor.apana.org.au>, <davem@...emloft.net>, <dsahern@...nel.org>,
<edumazet@...gle.com>, <kuba@...nel.org>, <pabeni@...hat.com>
CC: <weiyongjun1@...wei.com>, <yuehaibing@...wei.com>,
<shaozhengchao@...wei.com>
Subject: [PATCH net 0/3] fix slab-use-after-free in decode_session6

When a net device is configured with the qdisc of the sfb type, the cb
field of the SKB is used in both enqueue and decode session of packets,
and the fields overlap. When enqueuing packets, the cb field of the skb is
used as a hash array. It is also used as the header offset when decoding
the session of the skb. Therefore, it will cause a slab-use-after-free in
decode_session6.

The cb field in the skb should not be used when sending packets. Set the
cb field of the skb to 0 before decoding the skb.

Zhengchao Shao (3):
  xfrm: fix slab-use-after-free in decode_session6
  ip6_vti: fix slab-use-after-free in decode_session6
  ip_vti: fix potential slab-use-after-free in decode_session6

 net/ipv4/ip_vti.c              | 4 ++--
 net/ipv6/ip6_vti.c             | 4 ++--
 net/xfrm/xfrm_interface_core.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

--
2.34.1
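
An added illustration, not code from this patch series or from the kernel: a userspace C model of the cb overlap described in the cover letter, where hashes stored at enqueue are later read back as a header offset, and zeroing cb before decoding restores a safe value. The struct layouts, all names, the packet length and the default offset are simplified assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48        /* scratch bytes shared by every layer handling the packet */
#define PKT_LEN 40        /* constructed packet buffer size */
#define DEFAULT_NHOFF 6   /* model default used when the stored offset is 0 */

/* Simplified stand-in for an skb (model only, not the kernel structure). */
struct model_skb { unsigned char cb[CB_SIZE]; unsigned char data[PKT_LEN]; };
/* Hypothetical enqueue-side view of cb: a per-packet hash array. */
struct qdisc_cb { uint32_t hashes[2]; };
/* Hypothetical decode-side view of the same bytes: a header offset. */
struct decode_cb { uint16_t flags; uint16_t nhoff; };

/* Enqueue path: the qdisc stores its hashes in cb. */
void model_enqueue(struct model_skb *skb, uint32_t h0, uint32_t h1)
{
    struct qdisc_cb q = { { h0, h1 } };
    memcpy(skb->cb, &q, sizeof(q));
}

/* Decode path: trusts whatever cb holds as an offset into data[]. */
size_t model_decode_offset(const struct model_skb *skb)
{
    struct decode_cb d;
    memcpy(&d, skb->cb, sizeof(d));
    return d.nhoff ? d.nhoff : DEFAULT_NHOFF;
}

/* Decode path with the fix from the cover letter: zero cb before decoding. */
size_t model_decode_offset_cleared(struct model_skb *skb)
{
    memset(skb->cb, 0, sizeof(skb->cb));
    return model_decode_offset(skb);
}

/* 1 if reading data[off] would stay inside the packet buffer. */
int offset_in_bounds(size_t off) { return off < PKT_LEN; }

/* Enqueue with constructed hash values, then decode; clear_first selects the fix. */
size_t scenario(int clear_first)
{
    struct model_skb skb = { { 0 }, { 0 } };
    model_enqueue(&skb, 0x41414141u, 0x42424242u);
    return clear_first ? model_decode_offset_cleared(&skb) : model_decode_offset(&skb);
}

int main(void)
{
    printf("stale cb: %zu (in bounds: %d)\n", scenario(0), offset_in_bounds(scenario(0)));
    printf("cleared cb: %zu (in bounds: %d)\n", scenario(1), offset_in_bounds(scenario(1)));
}
```

With the stale hashes in place the decoder's offset lands far outside the 40-byte buffer; after clearing it falls back to the default.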