Message ID | 1328092124-28336-2-git-send-email-apw@canonical.com |
---|---|
State | New |
Headers | show |
On Wed, Feb 01, 2012 at 10:28:44AM +0000, Andy Whitcroft wrote: > From: Herbert Xu <herbert@gondor.apana.org.au> > > The list mp->mglist is used to indicate whether a multicast group > is active on the bridge interface itself as opposed to one of the > constituent interfaces in the bridge. > > Unfortunately the operation that adds the mp->mglist node to the > list neglected to check whether it has already been added. This > leads to list corruption in the form of nodes pointing to itself. > > Normally this would be quite obvious as it would cause an infinite > loop when walking the list. However, as this list is never actually > walked (which means that we don't really need it, I'll get rid of > it in a subsequent patch), this instead is hidden until we perform > a delete operation on the affected nodes. > > As the same node may now be pointed to by more than one node, the > delete operations can then cause modification of freed memory. > > This was observed in practice to cause corruption in 512-byte slabs, > most commonly leading to crashes in jbd2. > > Thanks to Josef Bacik for pointing me in the right direction. > > Reported-by: Ian Page Hands <ihands@redhat.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > Signed-off-by: David S. Miller <davem@davemloft.net> > > (cherry picked from commit 6b0d6a9b4296fa16a28d10d416db7a770fc03287) > CVE-2011-0716 > BugLink: http://bugs.launchpad.net/bugs/917813 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > net/bridge/br_multicast.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c > index 382a428..2cba899 100644 > --- a/net/bridge/br_multicast.c > +++ b/net/bridge/br_multicast.c > @@ -707,7 +707,8 @@ static int br_multicast_add_group(struct net_bridge *br, > goto err; > > if (!port) { > - hlist_add_head(&mp->mglist, &br->mglist); > + if (hlist_unhashed(&mp->mglist)) > + hlist_add_head(&mp->mglist, &br->mglist); > mod_timer(&mp->timer, now + br->multicast_membership_interval); > goto out; > } > -- > 1.7.5.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 382a428..2cba899 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -707,7 +707,8 @@ static int br_multicast_add_group(struct net_bridge *br, goto err; if (!port) { - hlist_add_head(&mp->mglist, &br->mglist); + if (hlist_unhashed(&mp->mglist)) + hlist_add_head(&mp->mglist, &br->mglist); mod_timer(&mp->timer, now + br->multicast_membership_interval); goto out; }