From: Marc Kleine-Budde <mkl@pengutronix.de>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, linux-can@vger.kernel.org,
kernel@pengutronix.de,
Ziyang Xuan <william.xuanziyang@huawei.com>,
stable@vger.kernel.org,
syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com,
Oleksij Rempel <o.rempel@pengutronix.de>,
Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [PATCH net 02/11] can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
Date: Sun, 17 Oct 2021 23:01:33 +0200 [thread overview]
Message-ID: <20211017210142.2108610-3-mkl@pengutronix.de> (raw)
In-Reply-To: <20211017210142.2108610-1-mkl@pengutronix.de>
From: Ziyang Xuan <william.xuanziyang@huawei.com>
It will trigger UAF for rx_kref of j1939_priv as following.
cpu0 cpu1
j1939_sk_bind(socket0, ndev0, ...)
j1939_netdev_start
j1939_sk_bind(socket1, ndev0, ...)
j1939_netdev_start
j1939_priv_set
j1939_priv_get_by_ndev_locked
j1939_jsk_add
.....
j1939_netdev_stop
kref_put_lock(&priv->rx_kref, ...)
kref_get(&priv->rx_kref, ...)
REFCOUNT_WARN("addition on 0;...")
====================================================
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
RIP: 0010:refcount_warn_saturate+0x169/0x1e0
Call Trace:
j1939_netdev_start+0x68b/0x920
j1939_sk_bind+0x426/0xeb0
? security_socket_bind+0x83/0xb0
The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
protect.
Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
net/can/j1939/main.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
index 08c8606cfd9c..9bc55ecb37f9 100644
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -249,11 +249,14 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev)
struct j1939_priv *priv, *priv_new;
int ret;
- priv = j1939_priv_get_by_ndev(ndev);
+ spin_lock(&j1939_netdev_lock);
+ priv = j1939_priv_get_by_ndev_locked(ndev);
if (priv) {
kref_get(&priv->rx_kref);
+ spin_unlock(&j1939_netdev_lock);
return priv;
}
+ spin_unlock(&j1939_netdev_lock);
priv = j1939_priv_create(ndev);
if (!priv)
@@ -269,10 +272,10 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev)
/* Someone was faster than us, use their priv and roll
* back our's.
*/
+ kref_get(&priv_new->rx_kref);
spin_unlock(&j1939_netdev_lock);
dev_put(ndev);
kfree(priv);
- kref_get(&priv_new->rx_kref);
return priv_new;
}
j1939_priv_set(ndev, priv);
--
2.33.0
next prev parent reply other threads:[~2021-10-17 21:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-17 21:01 pull-request: can 2021-10-17 Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 01/11] can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer Marc Kleine-Budde
2021-10-17 21:01 ` Marc Kleine-Budde [this message]
2021-10-17 21:01 ` [PATCH net 03/11] can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 04/11] can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 05/11] can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 06/11] can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg() Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 07/11] can: rcar_can: fix suspend/resume Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 08/11] can: m_can: fix iomap_read_fifo() and iomap_write_fifo() Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 09/11] can: peak_pci: peak_pci_remove(): fix UAF Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 10/11] can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification Marc Kleine-Budde
2021-10-17 21:01 ` [PATCH net 11/11] can: peak_usb: pcan_usb_fd_decode_status(): remove unnecessary test on the nullity of a pointer Marc Kleine-Budde
2021-10-18 12:10 ` pull-request: can 2021-10-17 patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211017210142.2108610-3-mkl@pengutronix.de \
--to=mkl@pengutronix.de \
--cc=davem@davemloft.net \
--cc=kernel@pengutronix.de \
--cc=kuba@kernel.org \
--cc=linux-can@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=o.rempel@pengutronix.de \
--cc=stable@vger.kernel.org \
--cc=syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com \
--cc=william.xuanziyang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).