Where is it actually used after being freed?
This is not an inherent problem in C, but it is a problem in programming etiquette.
The programmer should've either named the function `sock_put_free` or changed the declaration to require a double pointer parameter to a struct socket.
CVE-2019-8912
It's used after free in several places. There's a write after free in sockfs_setattr. It's a real short function, just look at it: elixir.bootlin.com
The contract is "if sock->sk is not NULL, then it's good to use", and that contract is broken in elixir.bootlin.com
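The contract breakage the two posts above describe, as an added C sketch that is not code from the thread or from the kernel: a constructed user-space model in which the release path drops the last reference but leaves sock->sk dangling, beside a release that clears the pointer first, and a sockfs_setattr-style caller that trusts the non-NULL check. Struct layouts, the "freed" flag and all function names are stand-ins, not the real kernel definitions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space stand-ins for the kernel structs in the thread (not
 * the real definitions); "freed" replaces sk_free() so a dead sk is inspectable. */
struct sock { int refcnt; bool freed; unsigned int sk_uid; };
struct socket { struct sock *sk; };

/* Model of sock_put(): drop one reference, tear the object down at zero. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;
}

/* Release as the thread describes it: the last reference is dropped, but
 * sock->sk is left pointing at the dead object. */
void release_buggy(struct socket *sock)
{
    if (sock->sk)
        sock_put(sock->sk);
}

/* Hardened release: clear the pointer first, so "sk != NULL" keeps meaning
 * "safe to use" for everyone else holding the struct socket. */
void release_fixed(struct socket *sock)
{
    struct sock *sk = sock->sk;
    if (sk) {
        sock->sk = NULL;
        sock_put(sk);
    }
}

/* A caller that trusts the contract, like sockfs_setattr: it writes through
 * sock->sk whenever non-NULL. Returns true if the write hit a torn-down object. */
bool setattr_touches_freed(struct socket *sock, unsigned int uid)
{
    if (!sock->sk)
        return false;
    sock->sk->sk_uid = uid;
    return sock->sk->freed;
}

/* Release, then setattr, with either variant; true means write-after-free. */
bool scenario_writes_after_free(bool use_fix)
{
    struct sock sk = { .refcnt = 1, .freed = false, .sk_uid = 0 };
    struct socket sock = { .sk = &sk };
    if (use_fix) release_fixed(&sock); else release_buggy(&sock);
    return setattr_touches_freed(&sock, 1000);
}
```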
Also, in Rust the required amount of expertise and discipline is "don't use unsafe {}", because the borrow checker doesn't allow this problem at all.
C sets a high bar before the problem is "not a problem"; most other languages have the bar quite a bit lower. Problems can be problems even if the required expertise and discipline isn't actually superhuman.
SCORE ANOTHER POINT FOR C
LOOOOOOOOOOOOOL
What about all the other vulnerabilities though? In which files are those?
The only reason Rust doesn't have these types of vulnerabilities is because nobody uses it and nobody cares to check anything that does because it's all irrelevant.
It's the same reason there are so few viruses on OSX and Linux: not because there can't be, but because it's irrelevant to target.
nice damage control
#!/usr/bin/env stap
# Embedded C below, so this needs guru mode (stap -g).
%{
#include <linux/net.h>   /* assumed header: struct socket is declared here */
%}
function null_it (sock) %{
    struct socket *sock;
    sock = (struct socket *) STAP_ARG_sock;
    /* Clear the stale pointer so later "if (sock->sk)" checks stay honest. */
    sock->sk = NULL;
%}
probe kernel.function("af_alg_release").return {
    null_it($sock);
}
... something like that.