| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iKgw+z6RhXr6eJF0aGOzgC69NJCbZvaf3=EkxmPnL4MEw@mail.gmail.com>
Date: Mon, 9 Oct 2023 10:13:03 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Jeremy Kerr <jk@...econstruct.com.au>
Cc: netdev@...r.kernel.org, rootlab@...wei.com,
Matt Johnston <matt@...econstruct.com.au>, "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH net] mctp: perform route lookups under a RCU read-side lock
On Mon, Oct 9, 2023 at 9:57 AM Jeremy Kerr <jk@...econstruct.com.au> wrote:
>
> Our current route lookups (mctp_route_lookup and mctp_route_lookup_null)
> traverse the net's route list without the RCU read lock held. This means
> the route lookup is subject to preemption, resulting in an potential
> grace period expiry, and so an eventual kfree() while we still have the
> route pointer.
>
> Add the proper read-side critical section locks around the route
> lookups, preventing premption and a possible parallel kfree.
>
> The remaining net->mctp.routes accesses are already under a
> rcu_read_lock, or protected by the RTNL for updates.
>
> Based on an analysis from Sili Luo <rootlab@...wei.com>, where
> introducing a delay in the route lookup could cause a UAF on
> simultaneous sendmsg() and route deletion.
>
> Reported-by: Sili Luo <rootlab@...wei.com>
> Fixes: 889b7da23abf ("mctp: Add initial routing framework")
> Cc: stable@...r.kernel.org
> Signed-off-by: Jeremy Kerr <jk@...econstruct.com.au>
> ---
>
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists