From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com,
Hyunwoo Kim <v4bel@theori.io>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 04/53] netrom: Fix use-after-free caused by accept on already connected socket
Date: Mon, 20 Feb 2023 14:35:30 +0100 [thread overview]
Message-ID: <20230220133548.325521603@linuxfoundation.org> (raw)
In-Reply-To: <20230220133548.158615609@linuxfoundation.org>
From: Hyunwoo Kim <v4bel@theori.io>
[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ]
If you call listen() and accept() on an already connect()ed
AF_NETROM socket, accept() can successfully connect.
This is because when the peer socket sends data to sendmsg,
the skb with its own sk stored in the connected socket's
sk->sk_receive_queue is connected, and nr_accept() dequeues
the skb waiting in the sk->sk_receive_queue.
As a result, nr_accept() allocates and returns a sock with
the sk of the parent AF_NETROM socket.
And here use-after-free can happen through complex race conditions:
```
cpu0 cpu1
1. socket_2 = socket(AF_NETROM)
.
.
listen(socket_2)
accepted_socket = accept(socket_2)
2. socket_1 = socket(AF_NETROM)
nr_create() // sk refcount : 1
connect(socket_1)
3. write(accepted_socket)
nr_sendmsg()
nr_output()
nr_kick()
nr_send_iframe()
nr_transmit_buffer()
nr_route_frame()
nr_loopback_queue()
nr_loopback_timer()
nr_rx_frame()
nr_process_rx_frame(sk, skb); // sk : socket_1's sk
nr_state3_machine()
nr_queue_rx_frame()
sock_queue_rcv_skb()
sock_queue_rcv_skb_reason()
__sock_queue_rcv_skb()
__skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue
4. listen(socket_1)
nr_listen()
uaf_socket = accept(socket_1)
nr_accept()
skb_dequeue(&sk->sk_receive_queue);
5. close(accepted_socket)
nr_release()
nr_write_internal(sk, NR_DISCREQ)
nr_transmit_buffer() // NR_DISCREQ
nr_route_frame()
nr_loopback_queue()
nr_loopback_timer()
nr_rx_frame() // sk : socket_1's sk
nr_process_rx_frame() // NR_STATE_3
nr_state3_machine() // NR_DISCREQ
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0;
6. close(socket_1) // sk refcount : 3
nr_release() // NR_STATE_0
sock_put(sk); // sk refcount : 0
sk_free(sk);
close(uaf_socket)
nr_release()
sock_hold(sk); // UAF
```
KASAN report by syzbot:
```
BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520
Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x461 mm/kasan/report.c:417
kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:775 [inline]
nr_release+0x66/0x460 net/netrom/af_netrom.c:520
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x1c/0x20 net/socket.c:1365
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xaa8/0x2950 kernel/exit.c:867
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
get_signal+0x21c3/0x2450 kernel/signal.c:2859
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6c19e3c9b9
Code: Unable to access opcode bytes at 0x7f6c19e3c98f.
RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9
RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006
RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0
R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 5128:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
____kasan_kmalloc mm/kasan/common.c:330 [inline]
__kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:968 [inline]
__kmalloc+0x5a/0xd0 mm/slab_common.c:981
kmalloc include/linux/slab.h:584 [inline]
sk_prot_alloc+0x140/0x290 net/core/sock.c:2038
sk_alloc+0x3a/0x7a0 net/core/sock.c:2091
nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433
__sock_create+0x359/0x790 net/socket.c:1515
sock_create net/socket.c:1566 [inline]
__sys_socket_create net/socket.c:1603 [inline]
__sys_socket_create net/socket.c:1588 [inline]
__sys_socket+0x133/0x250 net/socket.c:1636
__do_sys_socket net/socket.c:1649 [inline]
__se_sys_socket net/socket.c:1647 [inline]
__x64_sys_socket+0x73/0xb0 net/socket.c:1647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5128:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
__cache_free mm/slab.c:3394 [inline]
__do_kmem_cache_free mm/slab.c:3580 [inline]
__kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587
sk_prot_free net/core/sock.c:2074 [inline]
__sk_destruct+0x5df/0x750 net/core/sock.c:2166
sk_destruct net/core/sock.c:2181 [inline]
__sk_free+0x175/0x460 net/core/sock.c:2192
sk_free+0x7c/0xa0 net/core/sock.c:2203
sock_put include/net/sock.h:1991 [inline]
nr_release+0x39e/0x460 net/netrom/af_netrom.c:554
__sock_release+0xcd/0x280 net/socket.c:650
sock_close+0x1c/0x20 net/socket.c:1365
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xaa8/0x2950 kernel/exit.c:867
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
get_signal+0x21c3/0x2450 kernel/signal.c:2859
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
```
To fix this issue, nr_listen() returns -EINVAL for sockets that
successfully nr_connect().
Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netrom/af_netrom.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index aebc804c10aa..b5a99b517207 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -403,6 +403,11 @@ static int nr_listen(struct socket *sock, int backlog)
struct sock *sk = sock->sk;
lock_sock(sk);
+ if (sock->state != SS_UNCONNECTED) {
+ release_sock(sk);
+ return -EINVAL;
+ }
+
if (sk->sk_state != TCP_LISTEN) {
memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN);
sk->sk_max_ack_backlog = backlog;
--
2.39.0
next prev parent reply other threads:[~2023-02-20 13:38 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:35 [PATCH 4.14 00/53] 4.14.306-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 01/53] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 02/53] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 03/53] ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() Greg Kroah-Hartman
2023-02-20 13:35 ` Greg Kroah-Hartman [this message]
2023-02-20 13:35 ` [PATCH 4.14 05/53] squashfs: harden sanity check in squashfs_read_xattr_id_table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 06/53] sctp: do not check hb_timer.expires when resetting hb_timer Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 07/53] net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 08/53] scsi: target: core: Fix warning on RT kernels Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 09/53] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 10/53] net/x25: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 11/53] usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 12/53] fbcon: Check font dimension limits Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 13/53] watchdog: diag288_wdt: do not use stack buffers for hardware data Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 14/53] watchdog: diag288_wdt: fix __diag288() inline assembly Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 15/53] efi: Accept version 2 of memory attributes table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 16/53] iio: hid: fix the retval in accel_3d_capture_sample Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 17/53] iio: adc: berlin2-adc: Add missing of_node_put() in error path Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 18/53] iio:adc:twl6030: Enable measurements of VUSB, VBAT and others Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 19/53] parisc: Fix return code of pdc_iodc_print() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 20/53] parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 21/53] mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 22/53] mm/swapfile: add cond_resched() in get_swap_pages() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 23/53] Squashfs: fix handling and sanity checking of xattr_ids count Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 24/53] serial: 8250_dma: Fix DMA Rx completion race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 25/53] serial: 8250_dma: Fix DMA Rx rearm race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 26/53] btrfs: limit device extents to the device size Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 27/53] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 28/53] ALSA: pci: lx6464es: fix a debug loop Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 29/53] pinctrl: aspeed: Fix confusing types in return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 30/53] pinctrl: single: fix potential NULL dereference Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 31/53] net: USB: Fix wrong-direction WARNING in plusb.c Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 32/53] usb: core: add quirk for Alcor Link AK9563 smartcard reader Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 33/53] migrate: hugetlb: check for hugetlb shared PMD in node migration Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 34/53] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 35/53] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 36/53] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 37/53] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 38/53] Revert "x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 39/53] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 40/53] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 41/53] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 42/53] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 43/53] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 44/53] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 45/53] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 46/53] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 47/53] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 48/53] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 49/53] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 50/53] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 51/53] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 52/53] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 53/53] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-21 12:41 ` [PATCH 4.14 00/53] 4.14.306-rc1 review Naresh Kamboju
2023-02-21 14:20 ` Jon Hunter
2023-02-21 16:19 ` Guenter Roeck
2023-02-23 2:55 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133548.325521603@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com \
--cc=v4bel@theori.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.