From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Howells <dhowells@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.5 45/56] rxrpc: Fix use-after-free in rxrpc_receive_data()
Date: Thu, 30 Jan 2020 19:39:02 +0100
Message-ID: <20200130183617.195550238@linuxfoundation.org>
In-Reply-To: <20200130183608.849023566@linuxfoundation.org>
From: David Howells <dhowells@redhat.com>
[ Upstream commit 122d74fac84204b9a98263636f6f9a3b2e665639 ]
The subpacket scanning loop in rxrpc_receive_data() references the
subpacket count in the private data part of the sk_buff in the loop
termination condition. However, when the final subpacket is pasted into
the ring buffer, the function no longer has a ref on the sk_buff and
should not be looking at sp->* any more. This point is actually marked in
the code when skb is cleared (but sp is not - which is an error).
Fix this by caching sp->nr_subpackets in a local variable and using that
instead.
Also clear 'sp' to catch accesses after that point.
This can show up as an oops in rxrpc_get_skb() if sp->nr_subpackets gets
trashed by the sk_buff getting freed and reused in the meantime.
Fixes: e2de6c404898 ("rxrpc: Use info in skbuff instead of reparsing a jumbo packet")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/input.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -413,7 +413,7 @@ static void rxrpc_input_data(struct rxrp
{
struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
enum rxrpc_call_state state;
- unsigned int j;
+ unsigned int j, nr_subpackets;
rxrpc_serial_t serial = sp->hdr.serial, ack_serial = 0;
rxrpc_seq_t seq0 = sp->hdr.seq, hard_ack;
bool immediate_ack = false, jumbo_bad = false;
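Review bot: `nr_subpackets` is declared here but only assigned in a later hunk; since `serial` and `seq0` on the next two lines already copy fields out of `sp` at declaration time, initialising it the same way (`unsigned int j, nr_subpackets = sp->nr_subpackets;`) would keep the three cached values together and make it obvious that the copy is taken while the ref is still held.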
@@ -457,7 +457,8 @@ static void rxrpc_input_data(struct rxrp
call->ackr_prev_seq = seq0;
hard_ack = READ_ONCE(call->rx_hard_ack);
- if (sp->nr_subpackets > 1) {
+ nr_subpackets = sp->nr_subpackets;
+ if (nr_subpackets > 1) {
if (call->nr_jumbo_bad > 3) {
ack = RXRPC_ACK_NOSPACE;
ack_serial = serial;
@@ -465,11 +466,11 @@ static void rxrpc_input_data(struct rxrp
}
}
- for (j = 0; j < sp->nr_subpackets; j++) {
+ for (j = 0; j < nr_subpackets; j++) {
rxrpc_serial_t serial = sp->hdr.serial + j;
rxrpc_seq_t seq = seq0 + j;
unsigned int ix = seq & RXRPC_RXTX_BUFF_MASK;
- bool terminal = (j == sp->nr_subpackets - 1);
+ bool terminal = (j == nr_subpackets - 1);
bool last = terminal && (sp->rx_flags & RXRPC_SKB_INCL_LAST);
u8 flags, annotation = j;
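Review bot: the bound and `terminal` now use the cached count, but `sp->hdr.serial + j` and `sp->rx_flags` at the top of each iteration still go through `sp`; that is safe only because they are read before the paste in the same iteration and because `terminal` being true on the last iteration means the loop exits before another header read. Worth a one-line comment on the `for` stating that `sp` must not be dereferenced after the terminal subpacket is pasted.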
@@ -506,7 +507,7 @@ static void rxrpc_input_data(struct rxrp
}
if (call->rxtx_buffer[ix]) {
- rxrpc_input_dup_data(call, seq, sp->nr_subpackets > 1,
+ rxrpc_input_dup_data(call, seq, nr_subpackets > 1,
&jumbo_bad);
if (ack != RXRPC_ACK_DUPLICATE) {
ack = RXRPC_ACK_DUPLICATE;
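Review bot: the `@@` offsets place this `rxrpc_input_dup_data()` call (around line 507) well before the paste (around line 565), so the duplicate-slot path never ran after the ref was dropped; switching it to the cached value is a consistency change rather than part of the use-after-free fix, and the commit message could say so.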
@@ -564,6 +565,7 @@ static void rxrpc_input_data(struct rxrp
* ring.
*/
skb = NULL;
+ sp = NULL;
}
if (last) {
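Review bot: the block comment ending in `* ring.` above `skb = NULL;` explains the skb clear but not the new `sp = NULL;`; extend it to say `sp` is cleared so a stray access oopses rather than reading freed memory. Also confirm that the `if (last)` block following this hunk does not touch `sp`, since on the terminal subpacket it now runs with `sp == NULL`.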
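A constructed model of the defect and of the fix, added here as an editor's example and not part of the patch or of the rxrpc code: the struct names, ring_paste_and_recycle() and the recycled count of 1000 are stand-ins, the "before" loop keeps iterating on a count re-read from memory that has been handed off, and the "after" loop stops on the value cached while the ref was held.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the rxrpc_input_data() subpacket loop, not kernel
 * code: struct skb/skb_priv stand in for sk_buff and rxrpc_skb_priv. */
struct skb_priv { unsigned int nr_subpackets; };
struct skb { struct skb_priv priv; };
/* Models pasting the terminal subpacket into the ring: ownership passes to the
 * ring and the "freed" private data is reused at once with another count. */
static void ring_paste_and_recycle(struct skb *skb)
{
	skb->priv.nr_subpackets = 1000u;	/* stands in for reuse after free */
}
/* Before the fix: the loop bound re-reads sp->nr_subpackets after the paste;
 * 'limit' only keeps the model finite, the kernel loop has no such guard. */
static unsigned int scan_before(struct skb *skb, unsigned int limit)
{
	struct skb_priv *sp = &skb->priv;
	unsigned int j, iterations = 0;
	for (j = 0; j < sp->nr_subpackets && iterations < limit; j++) {
		bool terminal = (j == sp->nr_subpackets - 1);
		iterations++;
		if (terminal) {
			ring_paste_and_recycle(skb);
			skb = NULL;	/* sp still points at recycled memory */
		}
	}
	return iterations;
}
/* After the fix: cache the count while the ref is held and clear sp with skb,
 * so a later sp use is a loud NULL dereference, not a silent use-after-free. */
static unsigned int scan_after(struct skb *skb, unsigned int limit)
{
	struct skb_priv *sp = &skb->priv;
	unsigned int j, nr_subpackets = sp->nr_subpackets, iterations = 0;
	for (j = 0; j < nr_subpackets && iterations < limit; j++) {
		bool terminal = (j == nr_subpackets - 1);
		iterations++;
		if (terminal) {
			ring_paste_and_recycle(skb);
			skb = NULL; sp = NULL;	/* nothing may touch sp from here */
		}
	}
	return iterations;
}
/* Runs one scan over a freshly built skb carrying 'nr' subpackets. */
static unsigned int run_scan(bool fixed, unsigned int nr, unsigned int limit)
{
	struct skb skb = { { nr } };
	return fixed ? scan_after(&skb, limit) : scan_before(&skb, limit);
}
```

With three subpackets the fixed loop returns 3 iterations, while the unfixed one only stops at the safety limit because its bound now reads the recycled count.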