On 10/16/2015 8:11 AM, Quentin Casasnovas wrote:
Sasha's found a NULL pointer dereference in the RDS connection code when sending a message to an apparently unbound socket. The problem is caused by the code checking if the socket is bound in rds_sendmsg(), which checks the rs_bound_addr field without taking a lock on the socket. This opens a race where rs_bound_addr is temporarily set but where the transport is not in rds_bind(), leading to a NULL pointer dereference when trying to dereference 'trans' in __rds_conn_create().Vegard wrote a reproducer for this issue, so kindly ask him to share if you're interested. I cannot reproduce the NULL pointer dereference using Vegard's reproducer with this patch, whereas I could without. Complete earlier incomplete fix to CVE-2015-6937: 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") Signed-off-by: Quentin Casasnovas <[email protected]> Reviewed-by: Vegard Nossum <[email protected]> Reviewed-by: Sasha Levin <[email protected]> Cc: Vegard Nossum <[email protected]> Cc: Sasha Levin <[email protected]> Cc: Chien Yen <[email protected]> Cc: Santosh Shilimkar <[email protected]> Cc: David S. Miller <[email protected]> Cc: [email protected] ---
Looks right. Am glad that we got deference issue as well as the bind race fixed with it. Mail sent to Vegard for his test case which I would like to add to my tests. Thanks for the fix. FWIW, Acked-by: Santosh Shilimkar <[email protected]> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
