| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260108191930.145655-1-boudewijn@delta-utec.com> Date: Thu, 8 Jan 2026 20:19:30 +0100 From: Boudewijn van der Heide <boudewijn@...ta-utec.com> To: edumazet@...gle.com Cc: netdev@...r.kernel.org, andrew+netdev@...n.ch, davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, linux-kernel@...r.kernel.org, syzbot+7182fbe91e58602ec1fe@...kaller.appspotmail.com Subject: Re: [PATCH net] macvlan: Fix use-after-free in macvlan_common_newlink Hi Eric, Thanks for the patch, I agree it improves safety for source-entry deletion. However, I believe it does not fix the specific KASAN report from syzbot, which indicates a UAF on the struct macvlan_port itself, not a source entry. The report shows the freed object is in kmalloc-cg-4k (size 4096): The buggy address belongs to the object at ffff888030eda000 which belongs to the cache kmalloc-cg-4k of size 4096 struct macvlan_port fits this size (due to the large hash tables), whereas struct macvlan_source_entry is much smaller. The crash happens at offset 3580, which corresponds to the vlan_source_hash array inside the port: The race occurs in the register_netdevice() error path in macvlan_common_newlink(): 1. netdev_rx_handler_register() succeeds 2. register_netdevice() fails. 3. macvlan_port_destroy() is called, performing a synchronous kfree(port). If a packet arrives during step 3, macvlan_handle_frame() accesses port->vlan_source_hash (via macvlan_forward_source), after it is freed. My patch restores the kfree_rcu behavior for the port (removed in 2016). I believe both fixes are needed: yours for the source entries, and mine for the port itself. Thanks, Boudewijn
Powered by blists - more mailing lists