On Wed, Dec 30, 2015 at 01:45:15PM +0100, Dmitry Vyukov wrote: > > This seems to be a zero-day. Should we CC stable@xxxxxxxxxxxxxxx ? > > Code in 03c8efc1ffeb6b82a22c1af8dd908af349563314 (Oct 19, 2010) contained: > > + sock_init_data(newsock, sk2); > + > + err = type->accept(ask->private, sk2); > + if (err) { > + sk_free(sk2); > + goto unlock; > + } > > There were no sock_graft call, but sock_init_data also sets > newsock->sk = sk2, which seems to be enough for the double-free. But accept only started failing because the newly added has_key check. Otherwise the only way for it to fail is if we run out of memory. IOW the bug can only be easily triggered in the current crypto tree. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html