On Wed, Dec 30, 2015 at 01:45:15PM +0100, Dmitry Vyukov wrote: > > This seems to be a zero-day. Should we CC [email protected] ? > > Code in 03c8efc1ffeb6b82a22c1af8dd908af349563314 (Oct 19, 2010) contained: > > + sock_init_data(newsock, sk2); > + > + err = type->accept(ask->private, sk2); > + if (err) { > + sk_free(sk2); > + goto unlock; > + } > > There were no sock_graft call, but sock_init_data also sets > newsock->sk = sk2, which seems to be enough for the double-free.
But accept only started failing because the newly added has_key check. Otherwise the only way for it to fail is if we run out of memory. IOW the bug can only be easily triggered in the current crypto tree. Cheers, -- Email: Herbert Xu <[email protected]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
