Message-ID: <CANn89iLb-0kDwYerdbhHRH_LN1B3_gSKYOgu8KENQsk7akX-WQ@mail.gmail.com>
Date: Wed, 3 Dec 2025 01:32:51 -0800
From: Eric Dumazet <edumazet@...gle.com>
To: Minseong Kim <ii4gsp@...il.com>
Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, 
	Jakub Kicinski <kuba@...nel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org
Subject: Re: [PATCH net] atm: mpoa: Fix UAF on qos_head list in procfs

On Wed, Dec 3, 2025 at 12:57 AM Minseong Kim <ii4gsp@...il.com> wrote:
>
> The global QoS list 'qos_head' in net/atm/mpc.c is accessed from the
> /proc/net/atm/mpc procfs interface without proper synchronization. The
> read-side seq_file show path (mpc_show() -> atm_mpoa_disp_qos()) walks
> qos_head without any lock, while the write-side path
> (proc_mpc_write() -> parse_qos() -> atm_mpoa_delete_qos()) can unlink and
> kfree() entries immediately. Concurrent read/write therefore leads to a
> use-after-free.
>
> This risk is already called out in-tree:
>   /* this is buggered - we need locking for qos_head */
>
> Fix this by adding a mutex to protect all qos_head list operations.
> A mutex is used (instead of a spinlock) because atm_mpoa_disp_qos()
> invokes seq_printf(), which may sleep.
>
> The fix:
>   - Adds qos_mutex protecting qos_head
>   - Introduces __atm_mpoa_search_qos() requiring the mutex
>   - Serializes add/search/delete/show/cleanup on qos_head
>   - Re-checks qos_head under lock in add path to avoid duplicates under
>     concurrent additions
>   - Uses a single-exit pattern in delete for clarity
>
> Note: atm_mpoa_search_qos() still returns an unprotected pointer; callers
> must ensure the entry is not freed while using it, or hold qos_mutex.
>
> Reported-by: Minseong Kim <ii4gsp@...il.com>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@...r.kernel.org
> Signed-off-by: Minseong Kim <ii4gsp@...il.com>
> ---

Thanks for the patch.

Unfortunately it got mangled when you mailed it:
https://patchwork.kernel.org/project/netdevbpf/patch/CAKrymDR1X3XTX_1ZW3XXXnuYH+kzsnv7Av5uivzR1sto+5BFQg@mail.gmail.com/

Documentation/process/submitting-patches.rst might be helpful,
especially the part about git send-email.

Thanks.
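The quoted commit message describes the locking pattern for the qos_head list (a mutex rather than a spinlock because the show path may sleep, a lock-requiring `__` search variant, re-checking under the lock in the add path, a single-exit delete, and the caveat that a search returning a bare pointer is only safe while the lock is held). The following is an added user-space model of that pattern, not the kernel's net/atm/mpc.c code and not part of the patch or this thread: the names `qos_entry`, `qos_add`, `qos_search_locked`, `qos_lookup_pcr`, `qos_delete`, `qos_show` and `qos_cleanup` are hypothetical, the `tx_max_pcr` field and the sample addresses are constructed, and a pthread mutex stands in for the kernel mutex.

```c
/* Added example modelling the qos_head locking described in the commit
 * message. Not kernel code; all names here are hypothetical and the data
 * is constructed. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct qos_entry {
    unsigned int ipaddr;      /* key, as the MPOA QoS entries are keyed by IP */
    int tx_max_pcr;           /* constructed payload field */
    struct qos_entry *next;
};

static struct qos_entry *qos_head;      /* global singly linked list */
static pthread_mutex_t qos_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Search variant that requires the caller to hold qos_mutex. The returned
 * pointer is only valid while the mutex stays held (the caveat in the
 * commit message about an unprotected pointer). */
static struct qos_entry *qos_search_locked(unsigned int ipaddr)
{
    struct qos_entry *e;
    for (e = qos_head; e; e = e->next)
        if (e->ipaddr == ipaddr)
            return e;
    return NULL;
}

/* Safe lookup for callers that do not hold the lock: copy the value out
 * under the mutex instead of handing back a pointer that may be freed.
 * Returns 1 if found (and *out set), 0 otherwise. */
int qos_lookup_pcr(unsigned int ipaddr, int *out)
{
    struct qos_entry *e;
    int found = 0;
    pthread_mutex_lock(&qos_mutex);
    e = qos_search_locked(ipaddr);
    if (e) {
        *out = e->tx_max_pcr;
        found = 1;
    }
    pthread_mutex_unlock(&qos_mutex);
    return found;
}

/* Add path: allocate outside the lock, then re-check under it so two
 * concurrent adders cannot both insert the same key.
 * Returns 1 if inserted, 0 if the key already existed, -1 on allocation failure. */
int qos_add(unsigned int ipaddr, int tx_max_pcr)
{
    struct qos_entry *e = malloc(sizeof(*e));
    if (!e)
        return -1;
    e->ipaddr = ipaddr;
    e->tx_max_pcr = tx_max_pcr;

    pthread_mutex_lock(&qos_mutex);
    if (qos_search_locked(ipaddr)) {
        pthread_mutex_unlock(&qos_mutex);
        free(e);
        return 0;
    }
    e->next = qos_head;
    qos_head = e;
    pthread_mutex_unlock(&qos_mutex);
    return 1;
}

/* Delete path, single exit: unlink and free inside the same critical
 * section, so no reader can still be walking the node when it is freed. */
int qos_delete(unsigned int ipaddr)
{
    struct qos_entry **pp, *e;
    int found = 0;

    pthread_mutex_lock(&qos_mutex);
    for (pp = &qos_head; (e = *pp) != NULL; pp = &e->next) {
        if (e->ipaddr == ipaddr) {
            *pp = e->next;
            free(e);
            found = 1;
            break;
        }
    }
    pthread_mutex_unlock(&qos_mutex);
    return found;
}

/* Show path: the whole walk, including the output call (which in the
 * kernel may sleep, hence a mutex rather than a spinlock), runs under the
 * lock. Formats entries into buf; returns the number of entries written. */
int qos_show(char *buf, size_t len)
{
    struct qos_entry *e;
    size_t off = 0;
    int n = 0;

    pthread_mutex_lock(&qos_mutex);
    for (e = qos_head; e; e = e->next) {
        int w = snprintf(buf + off, len - off, "%u %d\n", e->ipaddr, e->tx_max_pcr);
        if (w < 0 || (size_t)w >= len - off)
            break;
        off += (size_t)w;
        n++;
    }
    pthread_mutex_unlock(&qos_mutex);
    return n;
}

/* Cleanup: free every entry under the lock; returns the number freed. */
int qos_cleanup(void)
{
    struct qos_entry *e, *next;
    int n = 0;
    pthread_mutex_lock(&qos_mutex);
    for (e = qos_head; e; e = next) {
        next = e->next;
        free(e);
        n++;
    }
    qos_head = NULL;
    pthread_mutex_unlock(&qos_mutex);
    return n;
}

int main(void)
{
    char buf[256];
    int pcr = 0;
    qos_add(0x0a000001u, 100);      /* constructed sample addresses */
    qos_add(0x0a000002u, 200);
    qos_add(0x0a000001u, 999);      /* duplicate, rejected under the lock */
    if (qos_lookup_pcr(0x0a000002u, &pcr))
        printf("lookup: %d\n", pcr);
    qos_delete(0x0a000001u);
    qos_show(buf, sizeof buf);
    fputs(buf, stdout);
    qos_cleanup();
    return 0;
}
```

The point of the model is that every reader and writer of the list, including the formatting walk, takes the same mutex, so a delete can never free a node that another path is still traversing; `qos_lookup_pcr` shows the defensive alternative to returning a raw pointer from a search.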
