Ack: Re: [maverick, maverick/ti-omap4 CVE 1/1] bridge: Fix mglist corruption that leads to memory corruption

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Wed Feb 1 11:46:44 UTC 2012 

On Wed, Feb 01, 2012 at 10:28:44AM +0000, Andy Whitcroft wrote:
> From: Herbert Xu <herbert at gondor.apana.org.au>
> 
> The list mp->mglist is used to indicate whether a multicast group
> is active on the bridge interface itself as opposed to one of the
> constituent interfaces in the bridge.
> 
> Unfortunately the operation that adds the mp->mglist node to the
> list neglected to check whether it has already been added.  This
> leads to list corruption in the form of nodes pointing to itself.
> 
> Normally this would be quite obvious as it would cause an infinite
> loop when walking the list.  However, as this list is never actually
> walked (which means that we don't really need it, I'll get rid of
> it in a subsequent patch), this instead is hidden until we perform
> a delete operation on the affected nodes.
> 
> As the same node may now be pointed to by more than one node, the
> delete operations can then cause modification of freed memory.
> 
> This was observed in practice to cause corruption in 512-byte slabs,
> most commonly leading to crashes in jbd2.
> 
> Thanks to Josef Bacik for pointing me in the right direction.
> 
> Reported-by: Ian Page Hands <ihands at redhat.com>
> Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> 
> (cherry picked from commit 6b0d6a9b4296fa16a28d10d416db7a770fc03287)
> CVE-2011-0716
> BugLink: http://bugs.launchpad.net/bugs/917813
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
>  net/bridge/br_multicast.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
> index 382a428..2cba899 100644
> --- a/net/bridge/br_multicast.c
> +++ b/net/bridge/br_multicast.c
> @@ -707,7 +707,8 @@ static int br_multicast_add_group(struct net_bridge *br,
>  		goto err;
>  
>  	if (!port) {
> -		hlist_add_head(&mp->mglist, &br->mglist);
> +		if (hlist_unhashed(&mp->mglist))
> +			hlist_add_head(&mp->mglist, &br->mglist);
>  		mod_timer(&mp->timer, now + br->multicast_membership_interval);
>  		goto out;
>  	}
> -- 
> 1.7.5.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

More information about the kernel-team mailing list