mirror of
https://github.com/torvalds/linux.git
synced 2024-12-05 10:32:35 +00:00
Merge branch 'catch-all-devices'
Hristo Venev says: ==================== net: Fix two use-after-free bugs The two patches fix two use-after-free bugs related to cleaning up network namespaces, one in sit and one in ip6_tunnel. They are easy to trigger if the user has the ability to create network namespaces. The bugs can be used to trigger null pointer dereferences. I am not sure if they can be exploited further, but I would guess that they can. I am not sending them to the mailing list without confirmation that doing so would be OK. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
commit
61aaa1aa9a
@ -2244,6 +2244,16 @@ static void __net_exit ip6_tnl_destroy_tunnels(struct net *net, struct list_head
|
||||
t = rtnl_dereference(t->next);
|
||||
}
|
||||
}
|
||||
|
||||
t = rtnl_dereference(ip6n->tnls_wc[0]);
|
||||
while (t) {
|
||||
/* If dev is in the same netns, it has already
|
||||
* been added to the list by the previous loop.
|
||||
*/
|
||||
if (!net_eq(dev_net(t->dev), net))
|
||||
unregister_netdevice_queue(t->dev, list);
|
||||
t = rtnl_dereference(t->next);
|
||||
}
|
||||
}
|
||||
|
||||
static int __net_init ip6_tnl_init_net(struct net *net)
|
||||
|
@ -1867,9 +1867,9 @@ static void __net_exit sit_destroy_tunnels(struct net *net,
|
||||
if (dev->rtnl_link_ops == &sit_link_ops)
|
||||
unregister_netdevice_queue(dev, head);
|
||||
|
||||
for (prio = 1; prio < 4; prio++) {
|
||||
for (prio = 0; prio < 4; prio++) {
|
||||
int h;
|
||||
for (h = 0; h < IP6_SIT_HASH_SIZE; h++) {
|
||||
for (h = 0; h < (prio ? IP6_SIT_HASH_SIZE : 1); h++) {
|
||||
struct ip_tunnel *t;
|
||||
|
||||
t = rtnl_dereference(sitn->tunnels[prio][h]);
|
||||
|
Loading…
Reference in New Issue
Block a user