From: Hangyu Hua <hbh25y@gmail.com>
To: jreuter@yaina.de, ralf@linux-mips.org, davem@davemloft.net,
kuba@kernel.org
Cc: linux-hams@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Hangyu Hua <hbh25y@gmail.com>
Subject: [PATCH net] ax25: use after free in ax25_connect
Date: Tue, 11 Jan 2022 12:20:48 +0800
Message-ID: <20220111042048.43532-1-hbh25y@gmail.com>
sk_to_ax25(sk) needs to be called after lock_sock(sk) to avoid UAF
caused by a race condition.
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
net/ax25/af_ax25.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index cfca99e295b8..c5d62420a2a8 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1127,7 +1127,7 @@ static int __must_check ax25_connect(struct socket *sock,
struct sockaddr *uaddr, int addr_len, int flags)
{
struct sock *sk = sock->sk;
- ax25_cb *ax25 = sk_to_ax25(sk), *ax25t;
+ ax25_cb *ax25, *ax25t;
struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)uaddr;
ax25_digi *digi = NULL;
int ct = 0, err = 0;
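Review bot: `ax25` is now left uninitialized from its declaration until the assignment that follows lock_sock(sk) in the next hunk, and the lines in between (1131..1155) are not shown; confirm that none of the early-exit paths there touch `ax25`, and consider `ax25_cb *ax25 = NULL, *ax25t;` so that any such use fails as a NULL dereference or a compiler warning rather than as a read through a garbage pointer.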
@@ -1155,6 +1155,8 @@ static int __must_check ax25_connect(struct socket *sock,
lock_sock(sk);
+ ax25 = sk_to_ax25(sk);
+
/* deal with restarts */
if (sock->state == SS_CONNECTING) {
switch (sk->sk_state) {
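Review bot: the changelog asserts a race but does not say which concurrent path frees or replaces the ax25_cb while ax25_connect() sits between the unlocked sk_to_ax25(sk) read and lock_sock(sk); for a fix aimed at net, add a Fixes: tag naming the commit that introduced the early read and describe the racing path (or attach a reproducer) so the maintainers can judge whether moving the read under the lock is sufficient on its own.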
--
2.25.1
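The ordering bug the patch addresses, modelled as an added stand-alone example (this is not the ax25 code and not part of the original message). A control block pointer reachable from a socket is read once before the socket lock is taken and once after it, while a concurrent writer retires the old block under the lock; the names model_cb, model_sock, model_replace_cb, model_connect_read_before_lock, model_connect_read_after_lock and model_demo are hypothetical, the lock is a plain flag standing in for lock_sock(), and the free is replaced by clearing an `alive` field so the stale pointer can be inspected rather than crashing.

```c
#include <stdio.h>

/* Constructed model of reading a lock-protected pointer before vs. after
 * taking the lock. All names are hypothetical; nothing here is kernel code.
 * A real kfree() is replaced by clearing `alive`, so dereferencing a retired
 * block is safe in this model and simply reports staleness. */
struct model_cb {
    int alive;                 /* 1 while the object is valid */
    int id;
};

struct model_sock {
    int locked;                /* stand-in for the socket lock */
    struct model_cb *cb;       /* what sk_to_ax25(sk) returns; protected by the lock */
};

static void model_lock(struct model_sock *sk)   { sk->locked = 1; }
static void model_unlock(struct model_sock *sk) { sk->locked = 0; }

/* The concurrent writer: under the lock, retire the old control block
 * (in a kernel this would be the kfree that leaves old pointers dangling)
 * and install a fresh one. */
void model_replace_cb(struct model_sock *sk, struct model_cb *fresh)
{
    model_lock(sk);
    sk->cb->alive = 0;
    sk->cb = fresh;
    model_unlock(sk);
}

typedef void (*interleave_fn)(struct model_sock *sk, void *arg);

/* Pre-fix ordering: snapshot the pointer first, take the lock second.
 * `interleave` models what another CPU does in that window.
 * Returns 1 if the block used is still valid, 0 if it is stale. */
int model_connect_read_before_lock(struct model_sock *sk,
                                   interleave_fn interleave, void *arg)
{
    struct model_cb *cb = sk->cb;          /* unlocked read */
    if (interleave)
        interleave(sk, arg);               /* race window */
    model_lock(sk);
    int valid = cb->alive;                 /* may be the retired object */
    model_unlock(sk);
    return valid;
}

/* Post-fix ordering: take the lock, then read the pointer. The same
 * interleaving runs, but it finishes before sk->cb is read. */
int model_connect_read_after_lock(struct model_sock *sk,
                                  interleave_fn interleave, void *arg)
{
    if (interleave)
        interleave(sk, arg);
    model_lock(sk);
    struct model_cb *cb = sk->cb;          /* read under the lock */
    int valid = cb->alive;
    model_unlock(sk);
    return valid;
}

/* Interleaving used by the demo: swap in the block passed as `arg`. */
static void swap_cb(struct model_sock *sk, void *arg)
{
    model_replace_cb(sk, (struct model_cb *)arg);
}

/* Runs both orderings on a fresh socket. Returns 1 when the pre-fix order
 * observed a stale block and the post-fix order did not. */
int model_demo(void)
{
    struct model_cb first = { 1, 1 }, second = { 1, 2 }, third = { 1, 3 };
    struct model_sock sk = { 0, &first };

    int buggy = model_connect_read_before_lock(&sk, swap_cb, &second);
    int fixed = model_connect_read_after_lock(&sk, swap_cb, &third);
    return buggy == 0 && fixed == 1;
}

int main(void)
{
    printf("read-before-lock sees stale block, read-after-lock does not: %s\n",
           model_demo() ? "yes" : "no");
    return 0;
}
```

The interleaving callback is invoked deterministically so the window is hit every run; on real hardware the same window is only hit occasionally, which is why such bugs show up as intermittent KASAN use-after-free reports rather than as reliable crashes.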
Thread overview: 8+ messages
2022-01-11 4:20 Hangyu Hua [this message]
2022-01-11 20:56 ` [PATCH net] ax25: use after free in ax25_connect Eric Dumazet
2022-01-12 2:13 ` Hangyu Hua
2022-01-12 9:59 ` Eric Dumazet
2022-01-12 11:11 ` Hangyu Hua
2022-01-14 6:54 ` Hangyu Hua
2022-01-14 15:19 ` Eric Dumazet
2022-01-17 1:35 ` Hangyu Hua