Message-ID: <20240905193240.17565-1-kuniyu@amazon.com>
Date: Thu, 5 Sep 2024 12:32:36 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>
CC: Kuniyuki Iwashima <kuniyu@...zon.com>, Kuniyuki Iwashima <kuni1840@...il.com>, <netdev@...r.kernel.org>
Subject: [PATCH v1 net-next 0/4] af_unix: Correct manage_oob() when OOB follows a consumed OOB.

Recently syzkaller reported UAF of OOB skb.

The bug was introduced by commit 93c99f21db36 ("af_unix: Don't stop
recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") but uncovered
by another recent commit 8594d9b85c07 ("af_unix: Don't call skb_get()
for OOB skb.").

This should be targeted for net.git, but it will introduce conflicts.
Given it's now rc6, I'll target this for net-next and later send
8594d9b85c07 and this series for stable.

[0]: https://lore.kernel.org/netdev/00000000000083b05a06214c9ddc@google.com/

Kuniyuki Iwashima (4):
  af_unix: Remove single nest in manage_oob().
  af_unix: Rename unlinked_skb in manage_oob().
  af_unix: Move spin_lock() in manage_oob().
  af_unix: Don't return OOB skb in manage_oob().

 net/unix/af_unix.c                            | 61 ++++++++++---------
 tools/testing/selftests/net/af_unix/msg_oob.c | 23 +++++++
 2 files changed, 56 insertions(+), 28 deletions(-)

--
2.30.2