From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ursula Braun
Subject: Re: Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
Date: Wed, 18 Apr 2018 13:46:20 +0200
Message-ID: <49ed2fa7-cace-12c9-eb57-539cac783cb2@linux.ibm.com>
References: <20180417195644.7d04aff0@xeon-e3>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org
To: Stephen Hemminger , Ursula Braun
Return-path:
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:50912 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753519AbeDRLq0 (ORCPT ); Wed, 18 Apr 2018 07:46:26 -0400
Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w3IBjG0v134234 for ; Wed, 18 Apr 2018 07:46:26 -0400
Received: from e06smtp11.uk.ibm.com (e06smtp11.uk.ibm.com [195.75.94.107]) by mx0a-001b2d01.pphosted.com with ESMTP id 2he243a2ph-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Wed, 18 Apr 2018 07:46:25 -0400
Received: from localhost by e06smtp11.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 18 Apr 2018 12:46:24 +0100
In-Reply-To: <20180417195644.7d04aff0@xeon-e3>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

On 04/18/2018 04:56 AM, Stephen Hemminger wrote:
> This may already be fixed.
>
> Begin forwarded message:
>
> Date: Wed, 18 Apr 2018 01:52:59 +0000
> From: bugzilla-daemon@bugzilla.kernel.org
> To: stephen@networkplumber.org
> Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199429
>
> Bug ID: 199429
> Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null
> pointer vulnerability.
> Product: Networking
> Version: 2.5
> Kernel Version: 4.16.0-rc7
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: stephen@networkplumber.org
> Reporter: 1773876454@qq.com
> Regression: No
>
> Created attachment 275431
> --> https://bugzilla.kernel.org/attachment.cgi?id=275431&action=edit
> POC
>
> Syzkaller hit 'general protection fault in kernel_sock_shutdown' bug.
>
> NET: Registered protocol family 43

Thanks for reporting. This fix is needed here:

 net/smc/af_smc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1314,7 +1314,7 @@ static int smc_shutdown(struct socket *s (sk->sk_state != SMC_APPCLOSEWAIT2) && (sk->sk_state != SMC_APPFINCLOSEWAIT)) goto out; - if (smc->use_fallback) { + if (smc->use_fallback || sk->sk_state == SMC_LISTEN) { rc = kernel_sock_shutdown(smc->clcsock, how); sk->sk_shutdown = smc->clcsock->sk->sk_shutdown; if (sk->sk_shutdown == SHUTDOWN_MASK)

Kind regards,
Ursula
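Review bot: the fallback branch that this hunk now also takes for sk_state == SMC_LISTEN dereferences smc->clcsock and then smc->clcsock->sk without any NULL check, and the report being fixed is a general protection fault inside kernel_sock_shutdown, so the change needs to come with an explanation of why a listening socket is guaranteed to still own a live clcsock (and under which lock) at the point the new condition is evaluated; as posted, the diffstat and hunk carry no commit message at all. Suggest resubmitting as a proper patch whose description states why SMC_LISTEN has to be handled like use_fallback (presumably because a listening SMC socket only has its TCP clcsock and no SMC connection, so the non-fallback close path below is not applicable), adds a Fixes: tag for the commit that introduced this state handling in smc_shutdown, and references bugzilla #199429 with its syzkaller reproducer so the fix can be retested against the original crash.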