From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stephen Hemminger
Subject: Re: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
Date: Wed, 18 Apr 2018 08:55:44 -0700
Message-ID: <20180418085544.29e54d74@xeon-e3>
References: <20180417195644.7d04aff0@xeon-e3> <49ed2fa7-cace-12c9-eb57-539cac783cb2@linux.ibm.com>
In-Reply-To: <49ed2fa7-cace-12c9-eb57-539cac783cb2@linux.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
To: Ursula Braun
Cc: Ursula Braun , netdev@vger.kernel.org
Sender: netdev-owner@vger.kernel.org
List-ID:

On Wed, 18 Apr 2018 13:46:20 +0200 Ursula Braun wrote:

> On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> > This may already be fixed.
> >
> > Begin forwarded message:
> >
> > Date: Wed, 18 Apr 2018 01:52:59 +0000
> > From: bugzilla-daemon@bugzilla.kernel.org
> > To: stephen@networkplumber.org
> > Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
> >
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=199429
> >
> >             Bug ID: 199429
> >            Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
> >                     pointer vulnerability.
> >            Product: Networking
> >            Version: 2.5
> >     Kernel Version: 4.16.0-rc7
> >           Hardware: All
> >                 OS: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: Other
> >           Assignee: stephen@networkplumber.org
> >           Reporter: 1773876454@qq.com
> >         Regression: No
> >
> > Created attachment 275431
> >   --> https://bugzilla.kernel.org/attachment.cgi?id=275431&action=edit
> > POC
> >
> > Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
> >
> > NET: Registered protocol family 43
>
> Thanks for reporting. This fix is needed here:
>
>  net/smc/af_smc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s
>  	    (sk->sk_state != SMC_APPCLOSEWAIT2) &&
>  	    (sk->sk_state != SMC_APPFINCLOSEWAIT))
>  		goto out;
> -	if (smc->use_fallback) {
> +	if (smc->use_fallback || sk->sk_state == SMC_LISTEN) {
>  		rc = kernel_sock_shutdown(smc->clcsock, how);
>  		sk->sk_shutdown = smc->clcsock->sk->sk_shutdown;
>  		if (sk->sk_shutdown == SHUTDOWN_MASK)
>
> Kind regards, Ursula
>

Please submit patch to linux net with proper signed-off-by and Fixes tags.
The maintainer (davem) will take care of getting this into upstream and stable.
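Review bot: the new SMC_LISTEN branch calls kernel_sock_shutdown(smc->clcsock, how) and then reads smc->clcsock->sk->sk_shutdown with no check on smc->clcsock, yet the syzkaller report being replied to faults inside kernel_sock_shutdown itself; either guard the listening-socket case against a missing clcsock or have the commit message state why clcsock is guaranteed valid in state SMC_LISTEN at this point. The hunk shows only the tail of the preceding state check, so confirm that SMC_LISTEN is not among the states that take `goto out` before the changed condition is reached. As posted, the diff also carries no description, Signed-off-by or Fixes: tag, which it needs before it can be queued for net and stable.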