| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240905193240.17565-1-kuniyu@amazon.com>
Date: Thu, 5 Sep 2024 12:32:36 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>
CC: Kuniyuki Iwashima <kuniyu@...zon.com>, Kuniyuki Iwashima
<kuni1840@...il.com>, <netdev@...r.kernel.org>
Subject: [PATCH v1 net-next 0/4] af_unix: Correct manage_oob() when OOB follows a consumed OOB.
Recently syzkaller reported UAF of OOB skb.
The bug was introduced by commit 93c99f21db36 ("af_unix: Don't stop
recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") but uncovered
by another recent commit 8594d9b85c07 ("af_unix: Don't call skb_get()
for OOB skb.").
This should be targeted for net.git, but it will introduce conflicts.
Given it's now rc6, I'll target this for net-next and later send
8594d9b85c07 and this series for stable.
[0]: https://lore.kernel.org/netdev/00000000000083b05a06214c9ddc@google.com/
Kuniyuki Iwashima (4):
af_unix: Remove single nest in manage_oob().
af_unix: Rename unlinked_skb in manage_oob().
af_unix: Move spin_lock() in manage_oob().
af_unix: Don't return OOB skb in manage_oob().
net/unix/af_unix.c | 61 ++++++++++---------
tools/testing/selftests/net/af_unix/msg_oob.c | 23 +++++++
2 files changed, 56 insertions(+), 28 deletions(-)
--
2.30.2
Powered by blists - more mailing lists