Re: KASAN: use-after-free Read in sock_release

From: Christoph Hellwig
Date: Thu Nov 30 2017 - 08:18:44 EST


On Thu, Nov 30, 2017 at 02:07:19AM +0000, Al Viro wrote:
> Incidentally, grepping for sys_close() shows another piece of fun in
> net/netfilter/xt_bpf.c. Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S
> IT; THERE'S NO REMOVING IT ON FAILURE EXITS. sys_close() should
> never, ever be used that way. Sigh...

Would be great to unexport the thing. Except that we also have
binfmt_misc (which looks legit) and autofs4, which on crack decided
that close() isn't a fun syscall, they'd much rather have an ioctl
that does exactly the same..