Patchwork [maverick,maverick/ti-omap4,CVE,1/1] bridge: Fix mglist corruption that leads to memory corruption

login
register
mail settings
Submitter Andy Whitcroft
Date Feb. 1, 2012, 10:28 a.m.
Message ID <1328092124-28336-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/138931/
State New
Headers show

Comments

Andy Whitcroft - Feb. 1, 2012, 10:28 a.m.
From: Herbert Xu <herbert@gondor.apana.org.au>

The list mp->mglist is used to indicate whether a multicast group
is active on the bridge interface itself as opposed to one of the
constituent interfaces in the bridge.

Unfortunately the operation that adds the mp->mglist node to the
list neglected to check whether it has already been added.  This
leads to list corruption in the form of nodes pointing to itself.

Normally this would be quite obvious as it would cause an infinite
loop when walking the list.  However, as this list is never actually
walked (which means that we don't really need it, I'll get rid of
it in a subsequent patch), this instead is hidden until we perform
a delete operation on the affected nodes.

As the same node may now be pointed to by more than one node, the
delete operations can then cause modification of freed memory.

This was observed in practice to cause corruption in 512-byte slabs,
most commonly leading to crashes in jbd2.

Thanks to Josef Bacik for pointing me in the right direction.

Reported-by: Ian Page Hands <ihands@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 6b0d6a9b4296fa16a28d10d416db7a770fc03287)
CVE-2011-0716
BugLink: http://bugs.launchpad.net/bugs/917813
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/bridge/br_multicast.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
Herton Ronaldo Krzesinski - Feb. 1, 2012, 11:46 a.m.
On Wed, Feb 01, 2012 at 10:28:44AM +0000, Andy Whitcroft wrote:
> From: Herbert Xu <herbert@gondor.apana.org.au>
> 
> The list mp->mglist is used to indicate whether a multicast group
> is active on the bridge interface itself as opposed to one of the
> constituent interfaces in the bridge.
> 
> Unfortunately the operation that adds the mp->mglist node to the
> list neglected to check whether it has already been added.  This
> leads to list corruption in the form of nodes pointing to itself.
> 
> Normally this would be quite obvious as it would cause an infinite
> loop when walking the list.  However, as this list is never actually
> walked (which means that we don't really need it, I'll get rid of
> it in a subsequent patch), this instead is hidden until we perform
> a delete operation on the affected nodes.
> 
> As the same node may now be pointed to by more than one node, the
> delete operations can then cause modification of freed memory.
> 
> This was observed in practice to cause corruption in 512-byte slabs,
> most commonly leading to crashes in jbd2.
> 
> Thanks to Josef Bacik for pointing me in the right direction.
> 
> Reported-by: Ian Page Hands <ihands@redhat.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> (cherry picked from commit 6b0d6a9b4296fa16a28d10d416db7a770fc03287)
> CVE-2011-0716
> BugLink: http://bugs.launchpad.net/bugs/917813
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  net/bridge/br_multicast.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
> index 382a428..2cba899 100644
> --- a/net/bridge/br_multicast.c
> +++ b/net/bridge/br_multicast.c
> @@ -707,7 +707,8 @@ static int br_multicast_add_group(struct net_bridge *br,
>  		goto err;
>  
>  	if (!port) {
> -		hlist_add_head(&mp->mglist, &br->mglist);
> +		if (hlist_unhashed(&mp->mglist))
> +			hlist_add_head(&mp->mglist, &br->mglist);
>  		mod_timer(&mp->timer, now + br->multicast_membership_interval);
>  		goto out;
>  	}
> -- 
> 1.7.5.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

Patch

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 382a428..2cba899 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -707,7 +707,8 @@  static int br_multicast_add_group(struct net_bridge *br,
 		goto err;
 
 	if (!port) {
-		hlist_add_head(&mp->mglist, &br->mglist);
+		if (hlist_unhashed(&mp->mglist))
+			hlist_add_head(&mp->mglist, &br->mglist);
 		mod_timer(&mp->timer, now + br->multicast_membership_interval);
 		goto out;
 	}