From patchwork Mon Jun 8 14:04:46 2026
X-Patchwork-Submitter: Marco Baffo
X-Patchwork-Id: 5012
From: Marco Baffo
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Jun 2026 16:04:46 +0200
Message-ID: <20260608140446.546040-1-marco@mandelbit.com>
Subject: [Openvpn-devel] [PATCH ovpn net] ovpn: fix use after free in unlock_ovpn()

unlock_ovpn() iterates over the release_list using llist_for_each_entry() and drops the peer reference inside the loop body via ovpn_peer_put().
If this drops the last reference, the peer is eventually freed. However, llist_for_each_entry() reads peer->release_entry.next in the loop advance expression, which runs after the body. By that time the peer may have already been freed, resulting in a use after free when advancing to the next list entry. Fix this by using llist_for_each_entry_safe(), which caches the next pointer before executing the loop body. Signed-off-by: Marco Baffo --- drivers/net/ovpn/peer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index c02dfab51a6e..ff7c6ce9fcad 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -26,11 +26,11 @@ static void unlock_ovpn(struct ovpn_priv *ovpn, struct llist_head *release_list) __releases(&ovpn->lock) { - struct ovpn_peer *peer; + struct ovpn_peer *peer, *next; spin_unlock_bh(&ovpn->lock); - llist_for_each_entry(peer, release_list->first, release_entry) { + llist_for_each_entry_safe(peer, next, release_list->first, release_entry) { ovpn_socket_release(peer); ovpn_peer_put(peer); }
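Review bot: the new llist_for_each_entry_safe() loop in unlock_ovpn() has no comment saying why the _safe variant is required. A one-line comment above it, noting that ovpn_peer_put() may drop the last reference so the next entry must be cached before the body runs, would keep a later cleanup from switching back to llist_for_each_entry(). With one tab of indentation that line also runs past 80 columns, so consider wrapping it after release_list->first. Since the subject targets the net tree, the commit message should also carry a Fixes: tag naming the commit that introduced the loop; none appears between the description and the Signed-off-by line.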