From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+4d5170758f3762109542@syzkaller.appspotmail.com,
David Miller <davem@davemloft.net>,
Oliver Hartkopp <socketcan@hartkopp.net>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Jouni Hogander <jouni.hogander@unikie.com>
Subject: [PATCH 5.4 25/46] slip: Fix use-after-free Read in slip_open
Date: Tue, 3 Dec 2019 23:35:45 +0100 [thread overview]
Message-ID: <20191203212739.816120146@linuxfoundation.org> (raw)
In-Reply-To: <20191203212705.175425505@linuxfoundation.org>
From: Jouni Hogander <jouni.hogander@unikie.com>
[ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]
Slip_open doesn't clean-up device which registration failed from the
slip_devs device list. On next open after failure this list is iterated
and freed device is accessed. Fix this by calling sl_free_netdev in error
path.
Here is the trace from the Syzbot:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
Cc: David Miller <davem@davemloft.net>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/slip/slip.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -855,6 +855,7 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, &sl->flags);
+ sl_free_netdev(sl->dev);
free_netdev(sl->dev);
err_exit:
next prev parent reply other threads:[~2019-12-03 22:38 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-03 22:35 [PATCH 5.4 00/46] 5.4.2-stable review Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 01/46] io_uring: async workers should inherit the user creds Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 02/46] net: separate out the msghdr copy from ___sys_{send,recv}msg() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 03/46] net: disallow ancillary data for __sys_{send,recv}msg_file() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 04/46] crypto: inside-secure - Fix stability issue with Macchiatobin Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 05/46] driver core: platform: use the correct callback type for bus_find_device Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 06/46] usb: dwc2: use a longer core rest timeout in dwc2_core_reset() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 07/46] staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 08/46] staging: rtl8192e: fix potential use after free Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 09/46] staging: rtl8723bs: Drop ACPI device ids Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 10/46] staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 11/46] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 12/46] mei: bus: prefix device names on bus with the bus name Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 13/46] mei: me: add comet point V device id Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 14/46] thunderbolt: Power cycle the router if NVM authentication fails Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 15/46] x86/fpu: Dont cache access to fpu_fpregs_owner_ctx Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 16/46] gve: Fix the queue page list allocated pages count Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 17/46] macvlan: schedule bc_work even if error Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 18/46] mdio_bus: dont use managed reset-controller Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 19/46] net: dsa: sja1105: fix sja1105_parse_rgmii_delays() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 20/46] net: macb: add missed tasklet_kill Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 21/46] net: psample: fix skb_over_panic Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 22/46] net: sched: fix `tc -s class show` no bstats on class with nolock subqueues Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 23/46] openvswitch: fix flow command message size Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 24/46] sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook Greg Kroah-Hartman
2019-12-03 22:35 ` Greg Kroah-Hartman [this message]
2019-12-03 22:35 ` [PATCH 5.4 26/46] sctp: cache netns in sctp_ep_common Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 27/46] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 28/46] openvswitch: remove another BUG_ON() Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 29/46] net/tls: take into account that bpf_exec_tx_verdict() may free the record Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 30/46] net/tls: free the record on encryption error Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 31/46] net: skmsg: fix TLS 1.3 crash with full sk_msg Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 32/46] selftests/tls: add a test for fragmented messages Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 33/46] net/tls: remove the dead inplace_crypto code Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 34/46] net/tls: use sg_next() to walk sg entries Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 35/46] selftests: bpf: test_sockmap: handle file creation failures gracefully Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 36/46] selftests: bpf: correct perror strings Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 37/46] tipc: fix link name length check Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 38/46] selftests: pmtu: use -oneline for ip route list cache Greg Kroah-Hartman
2019-12-03 22:35 ` [PATCH 5.4 39/46] r8169: fix jumbo configuration for RTL8168evl Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 40/46] r8169: fix resume on cable plug-in Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 41/46] ext4: add more paranoia checking in ext4_expand_extra_isize handling Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 42/46] Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()" Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 43/46] crypto: talitos - Fix build error by selecting LIB_DES Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 44/46] HID: core: check whether Usage Page item is after Usage ID items Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 45/46] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer Greg Kroah-Hartman
2019-12-03 22:36 ` [PATCH 5.4 46/46] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size Greg Kroah-Hartman
2019-12-04 10:26 ` [PATCH 5.4 00/46] 5.4.2-stable review Jon Hunter
2019-12-04 10:26 ` Jon Hunter
2019-12-04 13:23 ` Amol Grover
2019-12-04 17:13 ` Greg Kroah-Hartman
2019-12-05 16:43 ` Amol Grover
2019-12-06 13:05 ` Greg Kroah-Hartman
2019-12-04 13:56 ` Naresh Kamboju
2019-12-04 20:38 ` Greg Kroah-Hartman
2019-12-04 17:50 ` shuah
2019-12-04 20:37 ` Greg Kroah-Hartman
2019-12-04 19:05 ` Guenter Roeck
2019-12-04 20:37 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191203212739.816120146@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jouni.hogander@unikie.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
--cc=socketcan@hartkopp.net \
--cc=stable@vger.kernel.org \
--cc=syzbot+4d5170758f3762109542@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.