Message-Id: 
 <175270801524.1359575.3541894487912368981.git-patchwork-notify@kernel.org>
Date: Wed, 16 Jul 2025 23:20:15 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, edumazet@...gle.com, ncardwell@...gle.com,
 kuniyu@...gle.com, davem@...emloft.net, dsahern@...nel.org, kuba@...nel.org,
 horms@...nel.org
Subject: Re: [PATCH net-next] tcp: fix UaF in tcp_prune_ofo_queue()

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@...nel.org>:

On Tue, 15 Jul 2025 10:13:58 +0200 you wrote:
> The CI reported a UaF in tcp_prune_ofo_queue():
> 
> BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue+0x55d/0x660
> Read of size 4 at addr ffff8880134729d8 by task socat/20348
> 
> CPU: 0 UID: 0 PID: 20348 Comm: socat Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x82/0xd0
>  print_address_description.constprop.0+0x2c/0x400
>  print_report+0xb4/0x270
>  kasan_report+0xca/0x100
>  tcp_prune_ofo_queue+0x55d/0x660
>  tcp_try_rmem_schedule+0x855/0x12e0
>  tcp_data_queue+0x4dd/0x2260
>  tcp_rcv_established+0x5e8/0x2370
>  tcp_v4_do_rcv+0x4ba/0x8c0
>  __release_sock+0x27a/0x390
>  release_sock+0x53/0x1d0
>  tcp_sendmsg+0x37/0x50
>  sock_write_iter+0x3c1/0x520
>  vfs_write+0xc09/0x1210
>  ksys_write+0x183/0x1d0
>  do_syscall_64+0xc1/0x380
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fcf73ef2337
> Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
> RSP: 002b:00007ffd4f924708 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcf73ef2337
> RDX: 0000000000002000 RSI: 0000555f11d1a000 RDI: 0000000000000008
> RBP: 0000555f11d1a000 R08: 0000000000002000 R09: 0000000000000000
> R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000008
> R13: 0000000000002000 R14: 0000555ee1a44570 R15: 0000000000002000
>  </TASK>
> 
> [...]

Here is the summary with links:
  - [net-next] tcp: fix UaF in tcp_prune_ofo_queue()
    https://git.kernel.org/netdev/net-next/c/7eeabfb23738

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


