From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Duoming Zhou <duoming@zju.edu.cn>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 11/45] ax25: improve the incomplete fix to avoid UAF and NPD bugs
Date: Mon, 21 Feb 2022 09:49:02 +0100 [thread overview]
Message-ID: <20220221084910.834764470@linuxfoundation.org> (raw)
In-Reply-To: <20220221084910.454824160@linuxfoundation.org>
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 4e0f718daf97d47cf7dec122da1be970f145c809 ]
The previous commit 1ade48d0c27d ("ax25: NPD bug when detaching
AX25 device") introduce lock_sock() into ax25_kill_by_device to
prevent NPD bug. But the concurrency NPD or UAF bug will occur,
when lock_sock() or release_sock() dereferences the ax25_cb->sock.
The NULL pointer dereference bug can be shown as below:
ax25_kill_by_device() | ax25_release()
| ax25_destroy_socket()
| ax25_cb_del()
... | ...
| ax25->sk=NULL;
lock_sock(s->sk); //(1) |
s->ax25_dev = NULL; | ...
release_sock(s->sk); //(2) |
... |
The root cause is that the sock is set to null before dereference
site (1) or (2). Therefore, this patch extracts the ax25_cb->sock
in advance, and uses ax25_list_lock to protect it, which can synchronize
with ax25_cb_del() and ensure the value of sock is not null before
dereference sites.
The concurrency UAF bug can be shown as below:
ax25_kill_by_device() | ax25_release()
| ax25_destroy_socket()
... | ...
| sock_put(sk); //FREE
lock_sock(s->sk); //(1) |
s->ax25_dev = NULL; | ...
release_sock(s->sk); //(2) |
... |
The root cause is that the sock is released before dereference
site (1) or (2). Therefore, this patch uses sock_hold() to increase
the refcount of sock and uses ax25_list_lock to protect it, which
can synchronize with ax25_cb_del() in ax25_destroy_socket() and
ensure the sock wil not be released before dereference sites.
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ax25/af_ax25.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 0232afd9d9c3c..36d2e1dfa1e6b 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -80,6 +80,7 @@ static void ax25_kill_by_device(struct net_device *dev)
{
ax25_dev *ax25_dev;
ax25_cb *s;
+ struct sock *sk;
if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL)
return;
@@ -88,13 +89,15 @@ static void ax25_kill_by_device(struct net_device *dev)
again:
ax25_for_each(s, &ax25_list) {
if (s->ax25_dev == ax25_dev) {
+ sk = s->sk;
+ sock_hold(sk);
spin_unlock_bh(&ax25_list_lock);
- lock_sock(s->sk);
+ lock_sock(sk);
s->ax25_dev = NULL;
- release_sock(s->sk);
+ release_sock(sk);
ax25_disconnect(s, ENETUNREACH);
spin_lock_bh(&ax25_list_lock);
-
+ sock_put(sk);
/* The entry could have been deleted from the
* list meanwhile and thus the next pointer is
* no longer valid. Play it safe and restart
--
2.34.1
next prev parent reply other threads:[~2022-02-21 8:54 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-21 8:48 [PATCH 4.14 00/45] 4.14.268-rc1 review Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 01/45] Makefile.extrawarn: Move -Wunaligned-access to W=1 Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 02/45] net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 03/45] serial: parisc: GSC: fix build when IOSAPIC is not set Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 04/45] parisc: Fix data TLB miss in sba_unmap_sg Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 05/45] parisc: Fix sglist access in ccio-dma.c Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 06/45] btrfs: send: in case of IO error log it Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 07/45] net: ieee802154: at86rf230: Stop leaking skbs Greg Kroah-Hartman
2022-02-21 8:48 ` [PATCH 4.14 08/45] selftests/zram: Skip max_comp_streams interface on newer kernel Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 09/45] selftests/zram01.sh: Fix compression ratio calculation Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 10/45] selftests/zram: Adapt the situation that /dev/zram0 is being used Greg Kroah-Hartman
2022-02-21 8:49 ` Greg Kroah-Hartman [this message]
2022-02-21 8:49 ` [PATCH 4.14 12/45] vfs: make freeze_super abort when sync_filesystem returns error Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 13/45] quota: make dquot_quota_sync return errors from ->sync_fs Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 14/45] Revert "module, async: async_synchronize_full() on module init iff async is used" Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 15/45] iwlwifi: fix use-after-free Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 16/45] drm/radeon: Fix backlight control on iMac 12,1 Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 17/45] xfrm: Dont accidentally set RTO_ONLINK in decode_session4() Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 18/45] taskstats: Cleanup the use of task->exit_code Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 19/45] vsock: remove vsock from connected table when connect is interrupted by a signal Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 20/45] iwlwifi: pcie: fix locking when "HW not ready" Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 21/45] iwlwifi: pcie: gen2: " Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 22/45] net: ieee802154: ca8210: Fix lifs/sifs periods Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 23/45] ping: fix the dif and sdif check in ping_lookup Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 24/45] drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 25/45] bonding: fix data-races around agg_select_timer Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 26/45] libsubcmd: Fix use-after-free for realloc(..., 0) Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 27/45] ALSA: hda: Fix regression on forced probe mask option Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 28/45] ALSA: hda: Fix missing codec probe on Shenker Dock 15 Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 29/45] ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw() Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 30/45] ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range() Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 31/45] powerpc/lib/sstep: fix ptesync build error Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 32/45] NFS: LOOKUP_DIRECTORY is also ok with symlinks Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 33/45] EDAC: Fix calculation of returned address and next offset in edac_align_ptr() Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 34/45] net: sched: limit TC_ACT_REPEAT loops Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 35/45] dmaengine: sh: rcar-dmac: Check for error num after setting mask Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 36/45] i2c: brcmstb: fix support for DSL and CM variants Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 37/45] mtd: rawnand: brcmnand: Refactored code to introduce helper functions Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 38/45] mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 39/45] KVM: x86/pmu: Use AMD64_RAW_EVENT_MASK for PERF_TYPE_RAW Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 40/45] NFS: Do not report writeback errors in nfs_getattr() Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 41/45] ARM: OMAP2+: hwmod: Add of_node_put() before break Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 42/45] ata: libata-core: Disable TRIM on M88V29 Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 43/45] tracing: Fix tp_printk option related with tp_printk_stop_on_boot Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 44/45] net: usb: qmi_wwan: Add support for Dell DW5829e Greg Kroah-Hartman
2022-02-21 8:49 ` [PATCH 4.14 45/45] net: macb: Align the dma and coherent dma masks Greg Kroah-Hartman
2022-02-21 20:27 ` [PATCH 4.14 00/45] 4.14.268-rc1 review Slade Watkins
2022-02-21 21:17 ` Guenter Roeck
2022-02-22 10:13 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220221084910.834764470@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=duoming@zju.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox