From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 077/105] socket, bpf: fix possible use after free
Date: Tue, 10 Oct 2017 21:50:48 +0200 [thread overview]
Message-ID: <20171010192545.630210017@linuxfoundation.org> (raw)
In-Reply-To: <20171010192533.717049376@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit eefca20eb20c66b06cf5ed09b49b1a7caaa27b7b ]
Starting from linux-4.4, 3WHS no longer takes the listener lock.
Since this time, we might hit a use-after-free in sk_filter_charge(),
if the filter we got in the memcpy() of the listener content
just happened to be replaced by a thread changing listener BPF filter.
To fix this, we need to make sure the filter refcount is not already
zero before incrementing it again.
Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/filter.c | 15 +++++++++++++--
net/core/sock.c | 5 ++++-
2 files changed, 17 insertions(+), 3 deletions(-)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -937,20 +937,31 @@ void sk_filter_uncharge(struct sock *sk,
/* try to charge the socket memory if there is space available
* return true on success
*/
-bool sk_filter_charge(struct sock *sk, struct sk_filter *fp)
+static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp)
{
u32 filter_size = bpf_prog_size(fp->prog->len);
/* same check as in sock_kmalloc() */
if (filter_size <= sysctl_optmem_max &&
atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) {
- atomic_inc(&fp->refcnt);
atomic_add(filter_size, &sk->sk_omem_alloc);
return true;
}
return false;
}
+bool sk_filter_charge(struct sock *sk, struct sk_filter *fp)
+{
+ if (!atomic_inc_not_zero(&fp->refcnt))
+ return false;
+
+ if (!__sk_filter_charge(sk, fp)) {
+ sk_filter_release(fp);
+ return false;
+ }
+ return true;
+}
+
static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
{
struct sock_filter *old_prog;
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1528,13 +1528,16 @@ struct sock *sk_clone_lock(const struct
sock_reset_flag(newsk, SOCK_DONE);
skb_queue_head_init(&newsk->sk_error_queue);
- filter = rcu_dereference_protected(newsk->sk_filter, 1);
+ rcu_read_lock();
+ filter = rcu_dereference(sk->sk_filter);
if (filter != NULL)
/* though it's an empty new sock, the charging may fail
* if sysctl_optmem_max was changed between creation of
* original socket and cloning
*/
is_charged = sk_filter_charge(newsk, filter);
+ RCU_INIT_POINTER(newsk->sk_filter, filter);
+ rcu_read_unlock();
if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
/* We need to make sure that we don't uncharge the new
next prev parent reply other threads:[~2017-10-10 20:49 UTC|newest]
Thread overview: 121+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-10 19:49 [PATCH 4.9 000/105] 4.9.55-stable review Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 001/105] USB: gadgetfs: Fix crash caused by inadequate synchronization Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 002/105] USB: gadgetfs: fix copy_to_user while holding spinlock Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 003/105] usb: gadget: udc: atmel: set vbus irqflags explicitly Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 004/105] usb: gadget: udc: renesas_usb3: fix for no-data control transfer Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 005/105] usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 006/105] usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe() Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 007/105] usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 008/105] usb-storage: fix bogus hardware error messages for ATA pass-thru devices Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 009/105] usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 010/105] usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 011/105] ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 012/105] usb: pci-quirks.c: Corrected timeout values used in handshake Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 014/105] USB: dummy-hcd: fix connection failures (wrong speed) Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 015/105] USB: dummy-hcd: fix infinite-loop resubmission bug Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 016/105] USB: dummy-hcd: Fix erroneous synchronization change Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 017/105] USB: devio: Dont corrupt user memory Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 018/105] usb: gadget: mass_storage: set msg_registered after msg registered Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 019/105] USB: g_mass_storage: Fix deadlock when driver is unbound Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 020/105] USB: uas: fix bug in handling of alternate settings Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 021/105] USB: core: harden cdc_parse_cdc_header Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 022/105] usb: Increase quirk delay for USB devices Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 023/105] USB: fix out-of-bounds in usb_set_configuration Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 024/105] xhci: fix finding correct bus_state structure for USB 3.1 hosts Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 025/105] xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 026/105] xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 027/105] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts" Greg Kroah-Hartman
2017-10-10 19:49 ` [PATCH 4.9 028/105] iio: adc: twl4030: Fix an error handling path in twl4030_madc_probe() Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 029/105] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of twl4030_madc_probe() Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 030/105] iio: ad_sigma_delta: Implement a dedicated reset function Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 031/105] staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 032/105] iio: core: Return error for failed read_reg Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 033/105] IIO: BME280: Updates to Humidity readings need ctrl_reg write! Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 034/105] iio: ad7793: Fix the serial interface reset Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 035/105] iio: adc: mcp320x: Fix readout of negative voltages Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 036/105] iio: adc: mcp320x: Fix oops on module unload Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 037/105] uwb: properly check kthread_run return value Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 038/105] uwb: ensure that endpoint is interrupt Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 039/105] staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 040/105] mm, oom_reaper: skip mm structs with mmu notifiers Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 041/105] lib/ratelimit.c: use deferred printk() version Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 042/105] lsm: fix smack_inode_removexattr and xattr_getsecurity memleak Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 043/105] ALSA: compress: Remove unused variable Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 044/105] Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members" Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 045/105] ALSA: usx2y: Suppress kernel warning at page allocation failures Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 046/105] mlxsw: spectrum: Prevent mirred-related crash on removal Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 047/105] net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 048/105] sctp: potential read out of bounds in sctp_ulpevent_type_enabled() Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 049/105] tcp: update skb->skb_mstamp more carefully Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 050/105] bpf/verifier: reject BPF_ALU64|BPF_END Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 051/105] tcp: fix data delivery rate Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 052/105] udpv6: Fix the checksum computation when HW checksum does not apply Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 053/105] ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 054/105] net: phy: Fix mask value write on gmii2rgmii converter speed register Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 055/105] ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 056/105] net/sched: cls_matchall: fix crash when used with classful qdisc Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 057/105] tcp: fastopen: fix on syn-data transmit failure Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 058/105] net: emac: Fix napi poll list corruption Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 059/105] packet: hold bind lock when rebinding to fanout hook Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 060/105] bpf: one perf event close wont free bpf program attached by another perf event Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 061/105] isdn/i4l: fetch the ppp_write buffer in one shot Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 062/105] net_sched: always reset qdisc backlog in qdisc_reset() Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 063/105] net: qcom/emac: specify the correct size when mapping a DMA buffer Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 064/105] vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 065/105] l2tp: Avoid schedule while atomic in exit_net Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 066/105] l2tp: fix race condition in l2tp_tunnel_delete Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 067/105] tun: bail out from tun_get_user() if the skb is empty Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 068/105] net: dsa: Fix network device registration order Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 069/105] packet: in packet_do_bind, test fanout with bind_lock held Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 070/105] packet: only test po->has_vnet_hdr once in packet_snd Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 071/105] net: Set sk_prot_creator when cloning sockets to the right proto Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 072/105] netlink: do not proceed if dumps start() errs Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 073/105] ip6_gre: ip6gre_tap device should keep dst Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 074/105] ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 075/105] tipc: use only positive error codes in messages Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 076/105] net: rtnetlink: fix info leak in RTM_GETSTATS call Greg Kroah-Hartman
2017-10-10 19:50 ` Greg Kroah-Hartman [this message]
2017-10-10 19:50 ` [PATCH 4.9 078/105] powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 079/105] powerpc/tm: Fix illegal TM state in signal handler Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 080/105] percpu: make this_cpu_generic_read() atomic w.r.t. interrupts Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 081/105] driver core: platform: Dont read past the end of "driver_override" buffer Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 082/105] Drivers: hv: fcopy: restore correct transfer length Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 083/105] stm class: Fix a use-after-free Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 084/105] ftrace: Fix kmemleak in unregister_ftrace_graph Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 085/105] HID: i2c-hid: allocate hid buffers for real worst case Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 086/105] HID: wacom: leds: Dont try to control the EKRs read-only LEDs Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 087/105] HID: wacom: Always increment hdev refcount within wacom_get_hdev_data Greg Kroah-Hartman
2017-10-10 19:50 ` [PATCH 4.9 088/105] HID: wacom: bits shifted too much for 9th and 10th buttons Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 089/105] rocker: fix rocker_tlv_put_* functions for KASAN Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 090/105] netlink: fix nla_put_{u8,u16,u32} " Greg Kroah-Hartman
2017-10-11 9:54 ` Arnd Bergmann
2017-10-10 19:51 ` [PATCH 4.9 091/105] iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 092/105] iwlwifi: add workaround to disable wide channels in 5GHz Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 093/105] scsi: sd: Do not override max_sectors_kb sysfs setting Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 094/105] brcmfmac: add length check in brcmf_cfg80211_escan_handler() Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 095/105] brcmfmac: setup passive scan if requested by user-space Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 097/105] nvme-pci: Use PCI bus address for data/queues in CMB Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 098/105] mmc: core: add driver strength selection when selecting hs400es Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 099/105] sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 100/105] vfs: deny copy_file_range() for non regular files Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 101/105] ext4: fix data corruption for mmap writes Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 102/105] ext4: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 103/105] ext4: dont allow encrypted operations without keys Greg Kroah-Hartman
2017-10-10 19:51 ` [PATCH 4.9 104/105] f2fs: " Greg Kroah-Hartman
2017-10-11 0:58 ` [PATCH 4.9 000/105] 4.9.55-stable review Shuah Khan
2017-10-11 12:56 ` Greg Kroah-Hartman
2017-10-11 22:54 ` Shuah Khan
2017-10-12 10:39 ` Greg Kroah-Hartman
2017-10-12 11:54 ` Greg Kroah-Hartman
2017-10-12 12:13 ` Greg Kroah-Hartman
2017-10-12 13:45 ` Shuah Khan
2017-10-12 14:10 ` Xin Long
2017-10-12 15:18 ` Andreas Radke
2017-10-12 15:25 ` Xin Long
2017-10-12 15:35 ` Shuah Khan
2017-10-12 16:54 ` Shuah Khan
2017-10-12 17:08 ` Ben Hutchings
2017-10-12 17:16 ` David Miller
2017-10-12 19:18 ` Greg KH
2017-10-11 13:19 ` Guenter Roeck
2017-10-11 20:25 ` Tom Gall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171010192545.630210017@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).