From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
linux-nfc@lists.01.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com,
stable@vger.kernel.org
Subject: Re: [PATCH 1/7] nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
Date: Sat, 15 Jan 2022 13:31:28 +0100
Message-ID: <dc675285-1ece-cfc6-d68f-12f58c470c41@canonical.com>
In-Reply-To: <20220115122650.128182-2-krzysztof.kozlowski@canonical.com>
On 15/01/2022 13:26, Krzysztof Kozlowski wrote:
> Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer
> (which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after
> a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM.
>
> KASAN report:
>
> BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0
> Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899
>
> CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x45/0x59
> ? nfc_alloc_send_skb+0x2d/0xc0
> __kasan_report.cold+0x117/0x11c
> ? mark_lock+0x480/0x4f0
> ? nfc_alloc_send_skb+0x2d/0xc0
> kasan_report+0x38/0x50
> nfc_alloc_send_skb+0x2d/0xc0
> nfc_llcp_send_ui_frame+0x18c/0x2a0
> ? nfc_llcp_send_i_frame+0x230/0x230
> ? __local_bh_enable_ip+0x86/0xe0
> ? llcp_sock_connect+0x470/0x470
> ? llcp_sock_connect+0x470/0x470
> sock_sendmsg+0x8e/0xa0
> ____sys_sendmsg+0x253/0x3f0
> ...
>
> The issue was visible only with multiple simultaneous calls to bind() and
> sendmsg(), which resulted in most of the bind() calls failing. The
> bind() was failing on checking if there is an available WKS/SDP/SAP
> (respective bit in 'struct nfc_llcp_local' fields). When there was no
> available WKS/SDP/SAP, the bind returned an error but the sendmsg() to such
> a socket was able to trigger the mentioned NULL pointer dereference of
> nfc_llcp_sock->dev.
>
> The code looks simply racy and currently it protects several paths
> against the race with checks for (!nfc_llcp_sock->local), which is NULL-ified
> in error paths of bind(). The llcp_sock_sendmsg() did not have such a
> check but the called function nfc_llcp_send_ui_frame() had, although not
> protected with lock_sock().
>
> Therefore the race could look like (same socket is used all the time):
>
> CPU0                                               CPU1
> ====                                               ====
> llcp_sock_bind()
>   - lock_sock()
>   - success
>   - release_sock()
>   - return 0
>                                                    llcp_sock_sendmsg()
>                                                      - lock_sock()
>                                                      - release_sock()
> llcp_sock_bind(), same socket
>   - lock_sock()
>   - error
>                                                      - nfc_llcp_send_ui_frame()
>                                                        - if (!llcp_sock->local)
>   - llcp_sock->local = NULL
>   - nfc_put_device(dev)
>                                                        - dereference llcp_sock->dev
>   - release_sock()
>   - return -ERRNO
>
> The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the
> lock, which is a racy and ineffective check. Instead, its caller,
> llcp_sock_sendmsg(), should perform the check inside lock_sock().
>
> Reported-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com
Syzbot confirmed the fix, so this could be replaced with:
Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com
Best regards,
Krzysztof
Thread overview: 13+ messages
2022-01-15 12:26 [PATCH 0/7] nfc: llcp: fix and improvements Krzysztof Kozlowski
2022-01-15 12:26 ` [PATCH 1/7] nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() Krzysztof Kozlowski
2022-01-15 12:31 ` Krzysztof Kozlowski [this message]
2022-01-15 12:26 ` [PATCH 2/7] nfc: llcp: nullify llcp_sock->dev on connect() error paths Krzysztof Kozlowski
2022-01-15 12:26 ` [PATCH 3/7] nfc: llcp: simplify llcp_sock_connect() " Krzysztof Kozlowski
2022-01-15 12:26 ` [PATCH 4/7] nfc: llcp: use centralized exiting of bind on errors Krzysztof Kozlowski
2022-01-15 12:26 ` [PATCH 5/7] nfc: llcp: use test_bit() Krzysztof Kozlowski
2022-01-15 12:26 ` [PATCH 6/7] nfc: llcp: protect nfc_llcp_sock_unlink() calls Krzysztof Kozlowski
2022-01-15 12:26 ` [PATCH 7/7] nfc: llcp: Revert "NFC: Keep socket alive until the DISC PDU is actually sent" Krzysztof Kozlowski
2022-01-16 12:32 ` [PATCH 0/7] nfc: llcp: fix and improvements David Miller
2022-01-16 16:58 ` Krzysztof Kozlowski
2022-01-18 20:14 ` Jakub Kicinski
[not found] ` <20220116134122.2197-1-hdanton@sina.com>
2022-01-16 16:50 ` [PATCH 1/7] nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() Krzysztof Kozlowski