From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Alexander Ofitserov <oficerovas@altlinux.org>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
edumazet@google.com, laforge@gnumonks.org, davem@davemloft.net,
kuba@kernel.org, pabeni@redhat.com, kovalev@altlinux.org,
nickel@altlinux.org, dutyrok@altlinux.org,
stable@vger.kernel.org
Subject: Re: [PATCH net] gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
Date: Thu, 29 Feb 2024 00:51:28 +0100 [thread overview]
Message-ID: <Zd_HAGqXSE6Nwcag@calendula> (raw)
In-Reply-To: <20240228114703.465107-1-oficerovas@altlinux.org>
On Wed, Feb 28, 2024 at 02:47:03PM +0300, Alexander Ofitserov wrote:
> The gtp_link_ops operations structure for the subsystem must be
> registered after registering the gtp_net_ops pernet operations structure.
A fix for this was already applied, see:
commit 136cfaca22567a03bbb3bf53a43d8cb5748b80ec
Author: Vasiliy Kovalev <kovalev@altlinux.org>
Date: Wed Feb 14 19:27:33 2024 +0300
gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
> diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
> index 2129ae42c7030..0ddec4cc84093 100644
> --- a/drivers/net/gtp.c
> +++ b/drivers/net/gtp.c
> @@ -1903,26 +1903,26 @@ static int __init gtp_init(void)
>
> get_random_bytes(>p_h_initval, sizeof(gtp_h_initval));
>
> - err = rtnl_link_register(>p_link_ops);
> + err = register_pernet_subsys(>p_net_ops);
> if (err < 0)
> goto error_out;
BTW, I like that this calls register_pernet_subsys() before
rtnl_link_register(), where a rtnetlink request could come before
pernet is set up.
> - err = register_pernet_subsys(>p_net_ops);
> + err = rtnl_link_register(>p_link_ops);
> if (err < 0)
> - goto unreg_rtnl_link;
> + goto unreg_pernet_subsys;
>
> err = genl_register_family(>p_genl_family);
> if (err < 0)
> - goto unreg_pernet_subsys;
> + goto unreg_rtnl_link;
>
> pr_info("GTP module loaded (pdp ctx size %zd bytes)\n",
> sizeof(struct pdp_ctx));
> return 0;
>
> -unreg_pernet_subsys:
> - unregister_pernet_subsys(>p_net_ops);
> unreg_rtnl_link:
> rtnl_link_unregister(>p_link_ops);
> +unreg_pernet_subsys:
> + unregister_pernet_subsys(>p_net_ops);
> error_out:
> pr_err("error loading GTP module loaded\n");
> return err;
> --
> 2.42.1
>
>
next prev parent reply other threads:[~2024-02-28 23:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-28 11:47 [PATCH net] gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Alexander Ofitserov
2024-02-28 13:07 ` Jiri Pirko
2024-02-28 23:51 ` Pablo Neira Ayuso [this message]
2024-02-29 9:20 ` Vasiliy Kovalev
[not found] ` <3d8314ae-03d9-6e43-86ad-f830ea01c737@basealt.ru>
2024-02-29 16:10 ` Pablo Neira Ayuso
2024-02-29 13:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zd_HAGqXSE6Nwcag@calendula \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=dutyrok@altlinux.org \
--cc=edumazet@google.com \
--cc=kovalev@altlinux.org \
--cc=kuba@kernel.org \
--cc=laforge@gnumonks.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nickel@altlinux.org \
--cc=oficerovas@altlinux.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.