From: Stephen Hemminger <stephen@networkplumber.org>
To: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Cc: <liuhangbin@gmail.com>, <kuznet@ms2.inr.ac.ru>,
<nicolas.dichtel@6wind.com>, <phil@nwl.cc>,
"wangxiaogang (F)" <wangxiaogang3@huawei.com>,
Mingfangsen <mingfangsen@huawei.com>,
"Zhoukang (A)" <zhoukang7@huawei.com>, <kouhuiying@huawei.com>,
<netdev@vger.kernel.org>
Subject: Re: [PATCH iproute2 v3] ipnetns: use-after-free problem in get_netnsid_from_name func
Date: Mon, 6 May 2019 08:42:30 -0700
Message-ID: <20190506084230.196fee67@hermes.lan>
In-Reply-To: <1fca256d-fbce-4da9-471f-14573be4ea21@huawei.com>
On Sat, 4 May 2019 15:26:25 +0800
Zhiqiang Liu <liuzhiqiang26@huawei.com> wrote:
> From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
>
> Follow the following steps:
> # ip netns add net1
> # export MALLOC_MMAP_THRESHOLD_=0
> # ip netns list
> then Segmentation fault (core dumped) will occur.
>
> In get_netnsid_from_name func, answer is freed before rta_getattr_u32(tb[NETNSA_NSID]),
> where tb[] refers to answer's content. If we set MALLOC_MMAP_THRESHOLD_=0, mmap will
> be adopted to malloc memory, which will be freed immediately after calling free func.
> So reading tb[NETNSA_NSID] will access the released memory after free(answer).
>
> Here, we will call get_netnsid_from_name(tb[NETNSA_NSID]) before free(answer).
>
> Fixes: 86bf43c7c2f ("lib/libnetlink: update rtnl_talk to support malloc buff at run time")
> Reported-by: Huiying Kou <kouhuiying@huawei.com>
> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
> Acked-by: Phil Sutter <phil@nwl.cc>
Applied. You can get better and more detailed checks by running with
valgrind, which is what I did after applying your patch.
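As an added example, not code from this thread or from iproute2, the ordering the patch establishes: tb[] holds pointers into the netlink reply buffer rather than copies, so the nsid is read out before free(answer). It assumes inlined copies of struct rtattr and the RTA_* helpers (mirroring the kernel UAPI), a subset of the NETNSA_* enum, and a constructed single-attribute reply standing in for rtnl_talk()'s answer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal rtattr layout and helpers, inlined (assumption: mirrors the kernel
 * UAPI) so this builds without <linux/rtnetlink.h>. NETNSA_* is a subset. */
struct rtattr { uint16_t rta_len; uint16_t rta_type; };
#define RTA_ALIGN(len)   (((len) + 3u) & ~3u)
#define RTA_LENGTH(len)  (RTA_ALIGN(sizeof(struct rtattr)) + (len))
#define RTA_DATA(rta)    ((void *)((char *)(rta) + RTA_LENGTH(0)))
#define RTA_OK(rta, len) ((len) >= (int)sizeof(struct rtattr) && \
                          (rta)->rta_len >= sizeof(struct rtattr) && (rta)->rta_len <= (len))
#define RTA_NEXT(rta, len) ((len) -= RTA_ALIGN((rta)->rta_len), \
                            (struct rtattr *)((char *)(rta) + RTA_ALIGN((rta)->rta_len)))
enum { NETNSA_NONE, NETNSA_NSID, NETNSA_MAX = 8 };

/* Like iproute2's parse_rtattr(): tb[] gets pointers INTO the buffer, not copies. */
static void parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
{
    memset(tb, 0, sizeof(struct rtattr *) * (max + 1));
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type <= max && !tb[rta->rta_type])
            tb[rta->rta_type] = rta;
}

/* Constructed stand-in for the malloc'ed answer from rtnl_talk(): one attribute. */
static struct rtattr *build_reply(uint16_t type, uint32_t value, int *len)
{
    *len = (int)RTA_LENGTH(sizeof(uint32_t));
    struct rtattr *rta = calloc(1, (size_t)*len);
    rta->rta_len = (uint16_t)*len;
    rta->rta_type = type;
    memcpy(RTA_DATA(rta), &value, sizeof value);
    return rta;
}

/* Ordering the patch establishes: read tb[NETNSA_NSID] while answer is still
 * allocated, then free. Moving free(answer) above the read is the bug in the
 * commit message; with MALLOC_MMAP_THRESHOLD_=0 the freed block is unmapped
 * at once, so that read faults instead of quietly returning stale bytes. */
int get_netnsid_from_reply(uint16_t type, uint32_t value)
{
    int len, nsid = -1;
    struct rtattr *answer = build_reply(type, value, &len);
    struct rtattr *tb[NETNSA_MAX + 1];
    parse_rtattr(tb, NETNSA_MAX, answer, len);
    if (tb[NETNSA_NSID])               /* rta_getattr_u32(tb[NETNSA_NSID]) */
        nsid = (int)*(uint32_t *)RTA_DATA(tb[NETNSA_NSID]);
    free(answer);                      /* tb[] dangles from here on */
    return nsid;
}
```

Running the same file under valgrind with free(answer) moved above the read reports the invalid read directly, which is the check Stephen refers to.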