Date:      Sat, 14 Jan 2012 05:11:05 +0100
From:      Clément Lecigne <clemun@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Double SCTP_INP_RUNLOCK() in SCTP result in KP
Message-ID:  <CAKSJdABCYLDQ5awgTC7n8evK1JEPesV=ekjFtwCCthFnaNqQ=A@mail.gmail.com>
In-Reply-To: <CAKSJdACFPgQLJ%2Bh1Ay2Cwozi2EV0=GXmcw58PbdTAPprHVhv2A@mail.gmail.com>
References:  <CAKSJdACFPgQLJ%2Bh1Ay2Cwozi2EV0=GXmcw58PbdTAPprHVhv2A@mail.gmail.com>

Oops, mistake: the LOCK() should be on line 3041. Same problem just
above on line 3021, UNLOCK() instead of LOCK().

-clem1

On 14 January 2012 05:03, Clément Lecigne <clemun@gmail.com> wrote:
> Hi,
>
> In sctp_usrreq.c, lines are based from HEAD:
>
> 3041     SCTP_INP_RUNLOCK(inp);
> 3042     onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
> 3043     SCTP_INP_RUNLOCK(inp);
>
> The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo?
> That results in an easily user triggerable kernel panic through
> getsockopt(). I don't think user can do something evil with this
> double unlock which result in a kernel panic due to a NULL dereference
> in mtx_unlock() on my fresh FreeBSD 9.0.
>
> Bests,
> -clem1



-- 
-clem1
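The failure mode discussed in this thread, as an added illustration that is not code from the mail or from the FreeBSD SCTP implementation: a small userland model of an inpcb lock that records an unlock performed while the lock is not held (where a kernel built with INVARIANTS/WITNESS would panic instead), run once with the quoted RUNLOCK/read/RUNLOCK sequence and once with the intended RLOCK/read/RUNLOCK sequence. The structure, function names and the FEATURE_RECVNXTINFO bit value are assumptions for the example only and are not the real SCTP macros or flag values.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Minimal model of a per-inpcb lock, added for illustration. It is NOT
 * the FreeBSD SCTP_INP_RLOCK()/SCTP_INP_RUNLOCK() implementation. A real
 * kernel with INVARIANTS/WITNESS panics on an unowned unlock; this model
 * just counts the violation so the two call sequences can be compared.
 */
struct inp_model {
    int readers;        /* number of current read holders */
    int unlock_errors;  /* unlocks performed while the lock was not held */
};

static void inp_rlock(struct inp_model *inp)
{
    inp->readers++;
}

static void inp_runlock(struct inp_model *inp)
{
    if (inp->readers <= 0) {
        /* Unlock of a lock we do not hold: a kernel would panic here. */
        inp->unlock_errors++;
        return;
    }
    inp->readers--;
}

/* Stand-in for sctp_is_feature_on(): assumed bit value, not the real flag. */
#define FEATURE_RECVNXTINFO 0x1u

static bool feature_on(unsigned flags, unsigned f)
{
    return (flags & f) != 0;
}

/*
 * The sequence quoted in the mail: RUNLOCK, read the feature, RUNLOCK,
 * entered without the lock held. Returns the number of unbalanced unlocks
 * observed; anything above zero corresponds to a panic in the kernel.
 */
int getopt_recvnxtinfo_buggy(unsigned flags, bool *onoff)
{
    struct inp_model inp = { .readers = 0, .unlock_errors = 0 };

    inp_runlock(&inp);                               /* should be RLOCK */
    *onoff = feature_on(flags, FEATURE_RECVNXTINFO);
    inp_runlock(&inp);                               /* second unowned unlock */
    return inp.unlock_errors;
}

/*
 * The intended sequence: take the read lock around the feature read and
 * release it afterwards. Returns 0 when the lock was used in a balanced way.
 */
int getopt_recvnxtinfo_fixed(unsigned flags, bool *onoff)
{
    struct inp_model inp = { .readers = 0, .unlock_errors = 0 };

    inp_rlock(&inp);
    *onoff = feature_on(flags, FEATURE_RECVNXTINFO);
    inp_runlock(&inp);
    return inp.unlock_errors + inp.readers;          /* errors plus leaked holds */
}

int main(void)
{
    bool onoff;
    int buggy = getopt_recvnxtinfo_buggy(FEATURE_RECVNXTINFO, &onoff);
    int fixed = getopt_recvnxtinfo_fixed(FEATURE_RECVNXTINFO, &onoff);

    printf("buggy sequence: %d unowned unlock(s), onoff=%d\n", buggy, onoff);
    printf("fixed sequence: %d violation(s), onoff=%d\n", fixed, onoff);
    return 0;
}
```

The model makes the point of the report visible without a kernel: the option read itself is harmless, and the panic comes purely from the lock bookkeeping, which is why a lock-assertion build (INVARIANTS/WITNESS) catches the typo at the first unlock rather than at a later NULL dereference.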


