[PATCH 2/2] can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Oliver Hartkopp <socketcan@hartkopp.net>
To: ali.norouzi@keysight.com, security@kernel.org,
	torvalds@linuxfoundation.org
Cc: mkl@pengutronix.de, socketcan@hartkopp.net, stable@vger.kernel.org
Subject: [PATCH 2/2] can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
Date: Wed, 18 Mar 2026 17:19:14 +0100	[thread overview]
Message-ID: <20260318161914.15140-3-socketcan@hartkopp.net> (raw)
In-Reply-To: <20260318161914.15140-1-socketcan@hartkopp.net>

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
wait_event_interruptible() and then calls kfree(so->tx.buf).

If a signal interrupts the wait_event_interruptible() inside close()
while tx.state is ISOTP_SENDING, the loop exits early and release
proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
while sendmsg may still be reading so->tx.buf for the final CAN frame
in isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs
to be extended. Move the kfree() of this potentially extended tx.buf to
sk_destruct time when either isotp_sendmsg() and isotp_release() are done.

Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
Co-developed-by: Ali Norouzi <ali.norouzi@keysight.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
---
 net/can/isotp.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/net/can/isotp.c b/net/can/isotp.c
index da3b72e7afcc..2770f43f4951 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1246,16 +1246,10 @@ static int isotp_release(struct socket *sock)
 	hrtimer_cancel(&so->rxtimer);
 
 	so->ifindex = 0;
 	so->bound = 0;
 
-	if (so->rx.buf != so->rx.sbuf)
-		kfree(so->rx.buf);
-
-	if (so->tx.buf != so->tx.sbuf)
-		kfree(so->tx.buf);
-
 	sock_orphan(sk);
 	sock->sk = NULL;
 
 	release_sock(sk);
 	sock_prot_inuse_add(net, sk->sk_prot, -1);
@@ -1620,10 +1614,25 @@ static int isotp_notifier(struct notifier_block *nb, unsigned long msg,
 	isotp_busy_notifier = NULL;
 	spin_unlock(&isotp_notifier_lock);
 	return NOTIFY_DONE;
 }
 
+static void isotp_sock_destruct(struct sock *sk)
+{
+	struct isotp_sock *so = isotp_sk(sk);
+
+	/* do the standard CAN sock destruct work */
+	can_sock_destruct(sk);
+
+	/* free potential extended PDU buffers */
+	if (so->rx.buf != so->rx.sbuf)
+		kfree(so->rx.buf);
+
+	if (so->tx.buf != so->tx.sbuf)
+		kfree(so->tx.buf);
+}
+
 static int isotp_init(struct sock *sk)
 {
 	struct isotp_sock *so = isotp_sk(sk);
 
 	so->ifindex = 0;
@@ -1664,10 +1673,13 @@ static int isotp_init(struct sock *sk)
 
 	spin_lock(&isotp_notifier_lock);
 	list_add_tail(&so->notifier, &isotp_notifier_list);
 	spin_unlock(&isotp_notifier_lock);
 
+	/* re-assign default can_sock_destruct() reference */
+	sk->sk_destruct = isotp_sock_destruct;
+
 	return 0;
 }
 
 static __poll_t isotp_poll(struct file *file, struct socket *sock, poll_table *wait)
 {
-- 
2.51.0

next prev parent reply	other threads:[~2026-03-18 16:19 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260318161914.15140-1-socketcan@hartkopp.net>
2026-03-18 16:19 ` [PATCH 1/2] can: gw: fix OOB heap access in cgw_csum_crc8_rel() Oliver Hartkopp
2026-03-18 16:19 ` Oliver Hartkopp [this message]
2026-03-18 16:51 Oliver Hartkopp
2026-03-18 16:51 ` [PATCH 2/2] can: isotp: fix tx.buf use-after-free in isotp_sendmsg() Oliver Hartkopp
2026-03-19 13:13   ` Oliver Hartkopp
2026-03-19 13:33     ` Marc Kleine-Budde
2026-03-19 13:34       ` Oliver Hartkopp
2026-03-19 13:23   ` Marc Kleine-Budde
2026-03-19 14:58   ` Marc Kleine-Budde
2026-03-19 15:10     ` Ali Norouzi
2026-03-19 15:16       ` Marc Kleine-Budde
2026-03-19 15:27       ` Oliver Hartkopp
2026-03-19 15:50         ` Marc Kleine-Budde
2026-03-23  8:47           ` Oliver Hartkopp
2026-03-23  9:35             ` Marc Kleine-Budde
2026-03-19 15:12     ` Oliver Hartkopp
2026-03-19 15:23       ` Marc Kleine-Budde

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:da3b72e7afc dfblob:2770f43f495 )
 OR (
bs:"[PATCH 2/2] can: isotp: fix tx.buf use-after-free in isotp_sendmsg()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260318161914.15140-3-socketcan@hartkopp.net \
    --to=socketcan@hartkopp.net \
    --cc=ali.norouzi@keysight.com \
    --cc=mkl@pengutronix.de \
    --cc=security@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox