| Message ID | 20260527113954.3592539-1-marco@mandelbit.com |
|---|---|
| State | New |
| Headers |
From: Marco Baffo <marco@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 27 May 2026 13:39:54 +0200
Subject: [Openvpn-devel] [RFC ovpn net] ovpn: fix use after free in
unlock_ovpn()
|
| Series |
[Openvpn-devel,RFC,ovpn,net] ovpn: fix use after free in unlock_ovpn()
|
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index c02dfab51a6e..ff7c6ce9fcad 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -26,11 +26,11 @@ static void unlock_ovpn(struct ovpn_priv *ovpn, struct llist_head *release_list) __releases(&ovpn->lock) { - struct ovpn_peer *peer; + struct ovpn_peer *peer, *next; spin_unlock_bh(&ovpn->lock); - llist_for_each_entry(peer, release_list->first, release_entry) { + llist_for_each_entry_safe(peer, next, release_list->first, release_entry) { ovpn_socket_release(peer); ovpn_peer_put(peer); }
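Review bot: The new `llist_for_each_entry_safe(peer, next, release_list->first, release_entry) {` line in unlock_ovpn() is 75 characters before indentation, so with the one-tab function-body indent it runs past 80 columns; wrap it after `next,` or `release_list->first,` to stay within the width netdev prefers. The conversion itself matches the description: `next` is loaded before ovpn_socket_release() and ovpn_peer_put() run, so the advance step no longer reads `peer->release_entry.next` after the put. Since the subject targets net as a fix, the message should also carry a Fixes: tag naming the commit that introduced the llist_for_each_entry() loop; as posted it has only the Signed-off-by.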
unlock_ovpn() iterates over the release_list using llist_for_each_entry() and drops the peer reference inside the loop body via ovpn_peer_put(). If this drops the last reference, the peer is eventually freed. However, llist_for_each_entry() reads peer->release_entry.next in the loop advance expression, which runs after the body. By that time the peer may have already been freed, resulting in a use after free when advancing to the next list entry.

Fix this by using llist_for_each_entry_safe(), which caches the next pointer before executing the loop body.

Signed-off-by: Marco Baffo <marco@mandelbit.com>
---
drivers/net/ovpn/peer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
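The ordering problem described in the commit message, as an added user-space model that is not part of the patch or of the kernel sources. `demo_peer`, `peer_of`, `load_next`, `demo_peer_put`, `walk_plain`, `walk_safe` and `build_list` are hypothetical names; a released peer is flagged and its `next` pointer poisoned rather than freed, so the stale read can be counted without undefined behaviour.

```c
#include <stddef.h>
struct llist_node { struct llist_node *next; };   /* user-space stand-in */
struct demo_peer {                     /* hypothetical model of a peer */
    struct llist_node release_entry;   /* first member, so peer_of() is a cast */
    int refcount, freed;               /* freed is a flag, nothing is free()d */
};
#define peer_of(n) ((struct demo_peer *)(n))
static int stale_reads;                /* ->next loads from a released peer */

static struct llist_node *load_next(struct demo_peer *p)
{
    stale_reads += p->freed;
    return p->release_entry.next;
}

static void demo_peer_put(struct demo_peer *p)
{
    if (--p->refcount == 0) {
        p->freed = 1;
        p->release_entry.next = NULL;  /* poison, as if the memory was reused */
    }
}

/* Plain walk: ->next is loaded in the advance step, after the body ran. */
static int walk_plain(struct llist_node *n)
{
    int visited = 0;
    for (; n; n = load_next(peer_of(n)), visited++)
        demo_peer_put(peer_of(n));
    return visited;
}

/* Safe walk: ->next is cached before the body can drop the last reference. */
static int walk_safe(struct llist_node *n)
{
    int visited = 0;
    for (struct llist_node *next = NULL; n; n = next, visited++) {
        next = load_next(peer_of(n));
        demo_peer_put(peer_of(n));
    }
    return visited;
}

static struct llist_node *build_list(struct demo_peer p[3]) /* constructed input */
{
    for (int i = 0; i < 3; i++)
        p[i] = (struct demo_peer){ { i < 2 ? &p[i + 1].release_entry : NULL }, 1, 0 };
    stale_reads = 0;
    return &p[0].release_entry;
}
```

On a three-entry list the plain walk reads the poisoned pointer once and stops after the first peer, leaving two peers unreleased; the safe walk releases all three with no stale read.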