* [PATCH bpf-next] xsk: fix use-after-free in failed shared_umem bind
@ 2020-09-02  7:36 Magnus Karlsson
  2020-09-02 21:43 ` Daniel Borkmann
  0 siblings, 1 reply; 2+ messages in thread
From: Magnus Karlsson @ 2020-09-02  7:36 UTC (permalink / raw)
  To: magnus.karlsson, bjorn.topel, ast, daniel, netdev, jonathan.lemon; +Cc: bpf

Fix use-after-free when a shared umem bind fails. The code incorrectly
tried to free the allocated buffer pool both in the bind code and then
later also when the socket was released. Fix this by setting the
buffer pool pointer to NULL after the bind code has freed the pool, so
that the socket release code will not try to free the pool. This is
the same solution as the regular, non-shared umem code path has. This
was missing from the shared umem path.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Reported-by: syzbot+5334f62e4d22804e646a@syzkaller.appspotmail.com
Fixes: b5aea28dca13 ("xsk: Add shared umem support between queue ids")
---
 net/xdp/xsk.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 5eb6662..afd1ca0 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -717,6 +717,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
 						   dev, qid);
 			if (err) {
 				xp_destroy(xs->pool);
+				xs->pool = NULL;
 				sockfd_put(sock);
 				goto out_unlock;
 			}
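Review bot: The added "xs->pool = NULL;" after "xp_destroy(xs->pool);" in the "if (err)" branch has no comment saying why the reset matters, and per the commit message the non-shared umem path needs the same destroy-then-clear pairing, so the step now lives in two places that can drift apart again. Consider a small helper that destroys the pool and clears xs->pool in one call, used by both error paths, or at least a one-line comment here noting that socket release would otherwise free the pool a second time. Only this one branch is visible in the hunk, so it is also worth confirming that no other error exit in xsk_bind() after pool creation leaves xs->pool pointing at a destroyed pool.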
-- 
2.7.4



* Re: [PATCH bpf-next] xsk: fix use-after-free in failed shared_umem bind
  2020-09-02  7:36 [PATCH bpf-next] xsk: fix use-after-free in failed shared_umem bind Magnus Karlsson
@ 2020-09-02 21:43 ` Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2020-09-02 21:43 UTC (permalink / raw)
  To: Magnus Karlsson, bjorn.topel, ast, netdev, jonathan.lemon; +Cc: bpf

On 9/2/20 9:36 AM, Magnus Karlsson wrote:
> Fix use-after-free when a shared umem bind fails. The code incorrectly
> tried to free the allocated buffer pool both in the bind code and then
> later also when the socket was released. Fix this by setting the
> buffer pool pointer to NULL after the bind code has freed the pool, so
> that the socket release code will not try to free the pool. This is
> the same solution as the regular, non-shared umem code path has. This
> was missing from the shared umem path.
> 
> Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
> Reported-by: syzbot+5334f62e4d22804e646a@syzkaller.appspotmail.com
> Fixes: b5aea28dca13 ("xsk: Add shared umem support between queue ids")

Lgtm, applied, thanks!
