[Patch net] kcm: fix a socket double free

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [Patch net] kcm: fix a socket double free
@ 2016-08-29  4:28 Cong Wang
  2016-09-01  4:00 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Cong Wang @ 2016-08-29  4:28 UTC (permalink / raw)
  To: netdev; +Cc: dvyukov, Cong Wang, Tom Herbert

Dmitry reported a double free on kcm socket, which could
be easily reproduced by:

	#include <unistd.h>
	#include <sys/syscall.h>

	int main()
	{
	  int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
	  syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
	  return 0;
	}

This is because on the error path, after we install
the new socket file, we call sock_release() to clean
up the socket, which leaves the fd pointing to a freed
socket. Fix this by calling sys_close() on that fd
directly.

Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/kcm/kcmsock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index cb39e05..4116932 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -13,6 +13,7 @@
 #include <linux/socket.h>
 #include <linux/uaccess.h>
 #include <linux/workqueue.h>
+#include <linux/syscalls.h>
 #include <net/kcm.h>
 #include <net/netns/generic.h>
 #include <net/sock.h>
@@ -2029,7 +2030,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 			if (copy_to_user((void __user *)arg, &info,
 					 sizeof(info))) {
 				err = -EFAULT;
-				sock_release(newsock);
+				sys_close(info.fd);
 			}
 		}
 
-- 
1.8.4.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [Patch net] kcm: fix a socket double free
  2016-08-29  4:28 [Patch net] kcm: fix a socket double free Cong Wang
@ 2016-09-01  4:00 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2016-09-01  4:00 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, dvyukov, tom

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sun, 28 Aug 2016 21:28:26 -0700

> Dmitry reported a double free on kcm socket, which could
> be easily reproduced by:
> 
> 	#include <unistd.h>
> 	#include <sys/syscall.h>
> 
> 	int main()
> 	{
> 	  int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
> 	  syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
> 	  return 0;
> 	}
> 
> This is because on the error path, after we install
> the new socket file, we call sock_release() to clean
> up the socket, which leaves the fd pointing to a freed
> socket. Fix this by calling sys_close() on that fd
> directly.
> 
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Tom Herbert <tom@herbertland.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-09-01  4:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-29  4:28 [Patch net] kcm: fix a socket double free Cong Wang
2016-09-01  4:00 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).