| Message ID | 20260608140446.546040-1-marco@mandelbit.com |
|---|---|
| State | New |
| Headers |
From: Marco Baffo <marco@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Jun 2026 16:04:46 +0200
Message-ID: <20260608140446.546040-1-marco@mandelbit.com>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH ovpn net] ovpn: fix use after free in
unlock_ovpn()
|
| Series |
[Openvpn-devel,ovpn,net] ovpn: fix use after free in unlock_ovpn()
|
|
Commit Message
Marco Baffo
June 8, 2026, 2:04 p.m. UTC
unlock_ovpn() iterates over the release_list using llist_for_each_entry()
and drops the peer reference inside the loop body via ovpn_peer_put().

If this drops the last reference, the peer is eventually freed. However,
llist_for_each_entry() reads peer->release_entry.next in the loop advance
expression, which runs after the body. By that time the peer may have
already been freed, resulting in a use after free when advancing to the
next list entry.

Fix this by using llist_for_each_entry_safe(), which caches the next
pointer before executing the loop body.

Signed-off-by: Marco Baffo <marco@mandelbit.com>
---
drivers/net/ovpn/peer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
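The iteration hazard described in the commit message above, as an added userspace example that is not part of the patch or of the ovpn code base. `struct peer`, `peer_next()`, `peer_put()`, `release_unsafe()`, `release_safe()` and `make_list()` are hypothetical names, and release is modelled by a `dead` flag instead of a real free so that reads of `->next` on a released peer can be counted deterministically.

```c
#include <stdio.h>
/* Constructed stand-in for struct ovpn_peer: only what the loop touches. */
struct peer {
	int refs;
	int dead;		/* set where the kernel would free the object */
	struct peer *next;	/* plays the role of release_entry.next */
};
static int stale_reads;		/* ->next reads on an already released peer */
/* Every list advance goes through here so stale reads are counted. */
static struct peer *peer_next(struct peer *p)
{
	stale_reads += p->dead;
	return p->next;
}
/* Model of ovpn_peer_put(): dropping the last reference releases the peer. */
static void peer_put(struct peer *p)
{
	if (--p->refs == 0)
		p->dead = 1;
}
/* Shape of llist_for_each_entry(): the advance runs after the body. */
static int release_unsafe(struct peer *p)
{
	for (stale_reads = 0; p; p = peer_next(p))
		peer_put(p);
	return stale_reads;
}
/* Shape of llist_for_each_entry_safe(): next is cached before the body. */
static int release_safe(struct peer *p)
{
	struct peer *n;
	for (stale_reads = 0; p && ((n = peer_next(p)), 1); p = n)
		peer_put(p);
	return stale_reads;
}
/* Constructed input: three peers, the middle one has a second holder. */
static struct peer *make_list(struct peer pool[3])
{
	for (int i = 0; i < 3; i++)
		pool[i] = (struct peer){ 1 + (i == 1), 0, i < 2 ? &pool[i + 1] : NULL };
	return pool;
}
int main(void)
{
	struct peer pool[3];
	printf("unsafe: %d stale reads\n", release_unsafe(make_list(pool)));
	printf("safe:   %d stale reads\n", release_safe(make_list(pool)));
	return 0;
}
```

Only the two peers whose last reference is dropped in the loop body produce a stale read in the unsafe shape; the peer with a second holder does not, which is why the bug depends on reference counts at release time.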
Comments
From: Antonio Quartulli <antonio@openvpn.net>

On Mon, 08 Jun 2026 16:04:46 +0200, Marco Baffo wrote:
> unlock_ovpn() iterates over the release_list using llist_for_each_entry()
> and drops the peer reference inside the loop body via ovpn_peer_put().
>
> If this drops the last reference, the peer is eventually freed. However,
> llist_for_each_entry() reads peer->release_entry.next in the loop advance
> expression, which runs after the body. By that time the peer may have
> already been freed, resulting in a use after free when advancing to the
> next list entry.
>
> [...]

Applied, thanks!

[1/1] ovpn: fix use after free in unlock_ovpn()
      commit: b53407df27741dc81a85e1aec63fefb1da19ee8d

Best regards,
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index c02dfab51a6e..ff7c6ce9fcad 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -26,11 +26,11 @@ static void unlock_ovpn(struct ovpn_priv *ovpn, struct llist_head *release_list) __releases(&ovpn->lock) { - struct ovpn_peer *peer; + struct ovpn_peer *peer, *next; spin_unlock_bh(&ovpn->lock); - llist_for_each_entry(peer, release_list->first, release_entry) { + llist_for_each_entry_safe(peer, next, release_list->first, release_entry) { ovpn_socket_release(peer); ovpn_peer_put(peer); }
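Review bot: The new llist_for_each_entry_safe() loop in unlock_ovpn() carries no comment saying why the safe variant is needed, so a later cleanup could switch it back to llist_for_each_entry() without noticing that ovpn_peer_put() in the body may drop the last reference. A one-line comment above the loop, for example `/* ovpn_peer_put() may release peer, so next must be cached first */`, would record that. The loop header is also 75 characters before indentation, so wrapping the argument list after `next,` would keep it within 80 columns once indented.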