path: root/active/CVE-2022-2961
Description: race condition in rose_bind()
References:
 https://bugzilla.redhat.com/show_bug.cgi?id=2120595
Notes:
 carnil> Possible fix is 2df91e397d85 ("net: rose: add netdev ref
 carnil> tracker to 'struct rose_sock'") but as of 2022-08-30 no
 carnil> clarification in RHBZ#2120595.
 bwh> This is not fixed by commit 2df91e397d85.  The problem is that
 bwh> rose_bind() doesn't prevent two concurrent bind calls on the same
 bwh> socket from succeeding.  It checks that the SOCK_ZAPPED flag is set
 bwh> at the top, and clears it at the bottom, leaving a race condition
 bwh> between those bit operations.
 bwh> In bullseye and newer releases this is mitigated because we
 bwh> disabled auto-loading of the rose module.
Bugs:
upstream: needed
6.1-upstream-stable: needed
5.10-upstream-stable: needed
4.19-upstream-stable: needed
sid: needed
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security: needed
