| | | |
|---|---|---|
| author | David Gwynne <dlg@cvs.openbsd.org> | 2024-11-17 12:21:49 +0000 |
| committer | David Gwynne <dlg@cvs.openbsd.org> | 2024-11-17 12:21:49 +0000 |
| commit | 4ecbbc09b86badfd4a091455e0cfb5d77d931c4b (patch) | |
| tree | c64dba9695caa935c201672f52501448e4f64ba4 /sys/arch/amd64 | |
| parent | b35763eebd3158c664a4430599eff4543aa370de (diff) | |
make sure bpfsdetach is holding a bpf_d ref when invalidating stuff.

when bpfsdetach is called by an interface being destroyed, it
iterates over the bpf descriptors using the interface and calls
vdevgone and klist_invalidate against them. however, i'm not sure
the reference the interface holds against the bpf_d is accounted
for properly, so vdevgone might drop it to 0 and free it, which
makes the klist_invalidate a use-after-free.

avoid this by taking a bpf_d ref before calling vdevgone and
klist_invalidate so the memory can't be freed out from under the
feet of bpfsdetach.

Reported-by: syzbot+b3927f8ad162452a2f39@syzkaller.appspotmail.com

i wasn't able to reproduce whatever syzkaller did. it's possible
this is a double free, but we'll wait and see if it pops up again.

ok mpi@
Diffstat (limited to 'sys/arch/amd64')
0 files changed, 0 insertions, 0 deletions