Re: [PATCH net] ipv6: fix possible use-after-free in ip6_xmit()

2018-09-17 Thread David Miller
From: Eric Dumazet Date: Fri, 14 Sep 2018 12:02:31 -0700 > In the unlikely case ip6_xmit() has to call skb_realloc_headroom(), > we need to call skb_set_owner_w() before consuming original skb, > otherwise we risk a use-after-free. > > Bring IPv6 in line with what we do in IPv4 to fix this. >

[PATCH net] ipv6: fix possible use-after-free in ip6_xmit()

2018-09-14 Thread Eric Dumazet
In the unlikely case ip6_xmit() has to call skb_realloc_headroom(), we need to call skb_set_owner_w() before consuming original skb, otherwise we risk a use-after-free. Bring IPv6 in line with what we do in IPv4 to fix this. Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet

Re: use-after-free in ip6_xmit

2015-12-07 Thread Dmitry Vyukov
Yes, seems to be fixed on master of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git. Just can't pull in all fixes from all trees. Sorry. When will it be merged into Linus tree? On Mon, Dec 7, 2015 at 3:39 PM, Eric Dumazet wrote: > On Mon, 2015-12-07 at 06:36

Re: use-after-free in ip6_xmit

2015-12-07 Thread Eric Dumazet
On Mon, 2015-12-07 at 06:36 -0800, Eric Dumazet wrote: > Thanks > Also note that Dave Jones reported a SCTP problem fixed by : https://patchwork.ozlabs.org/patch/553068/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to

Re: use-after-free in ip6_xmit

2015-12-07 Thread Eric Dumazet
On Mon, Dec 7, 2015 at 6:44 AM, Dmitry Vyukov wrote: > Yes, seems to be fixed on master of > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git. Just > can't pull in all fixes from all trees. Sorry. > When will it be merged into Linus tree? > As I said, they are

Re: use-after-free in ip6_xmit

2015-12-07 Thread Eric Dumazet
On Mon, 2015-12-07 at 11:22 +0100, Dmitry Vyukov wrote: > Hello, > > The following program triggers use-after-free in ip6_xmit: > > // autogenerated by syzkaller (http://github.com/google/syzkaller) > #include > #include > #include > #include > #include >

use-after-free in ip6_xmit

2015-12-07 Thread Dmitry Vyukov
Hello, The following program triggers use-after-free in ip6_xmit: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include #include #include #include #include #include #include #include #include void *thr0(void *arg) { *(uint32_t