path: root/src/bloombucket.h
author: Jason A. Donenfeld <> 2020-06-23 00:28:45 -0600
committer: Jason A. Donenfeld <> 2020-07-12 12:20:49 -0600
commit: 4257c71bcc1ac209973fd0052dbb99e9e33894a6 (patch)
tree: 741d353e8497eb48cfdd5b04ac187d45698fac9d /src/bloombucket.h
parent: Eliminate pointless 'child' variable and just cast the config_found() result to (diff)
net: prevent if_clone_destroy from racing with rest of stack (HEAD, master)
You can crash a system by running something like:

    for i in 1 2 3; do
        while true; do
            ifconfig bridge0 create& ifconfig bridge0 destroy&
        done&
    done

This works with every type of interface I've tried. It appears that if_clone_destroy and if_clone_create race with other ioctls, which causes a variety of different UaFs or just general logic errors.

One common root cause appears to be that most ifioctl functions use ifunit() to find an interface by name, which traverses if_list. Writes to if_list are protected by a lock, but reads are apparently unprotected. There's also the question of the life time of the object returned from ifunit(). Most things that access &ifnet's if_list are done without locking, and even if those accesses were to be locked, the lock would be released before the object is no longer used, causing the UaF in that case as well.

This patch fixes the issue by making if_clone_{create,destroy} exclusive with all other ifioctls.
Diffstat (limited to 'src/bloombucket.h')
0 files changed, 0 insertions, 0 deletions