| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aK3lUhooKnI3gMmW@strlen.de>
Date: Tue, 26 Aug 2025 18:49:06 +0200
From: Florian Westphal <fw@...len.de>
To: qianjiaru77@...il.com
Cc: steffen.klassert@...unet.com, herbert@...dor.apana.org.au,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, horms@...nel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] Reference Counting Vulnerability in Linux XFRM
PolicyManagement
qianjiaru77@...il.com <qianjiaru77@...il.com> wrote:
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index c5035a9bc..50943fa4e 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -3786,6 +3786,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
> if (IS_ERR(pols[1])) {
> XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
> xfrm_pol_put(pols[0]);
> + pols[0] = NULL; // Clear pointer to prevent reuse
> return 0;
> }
This change makes no sense to me. pols[] has automatic storage duration;
its existence isn't visible to the callers of __xfrm_policy_check().
Is this report generated by some tool?
If that tool is syzkaller, please share the full backtrace.
Powered by blists - more mailing lists