2021-03-04 08:30:26

by Xiaoming Ni

Subject: [PATCH 0/4] nfc: fix Resource leakage and endless loop

fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
reported by "kiyin(尹亮)".

Link: https://www.openwall.com/lists/oss-security/2020/11/01/1



Xiaoming Ni (4):
nfc: fix refcount leak in llcp_sock_bind()
nfc: fix refcount leak in llcp_sock_connect()
nfc: fix memory leak in llcp_sock_connect()
nfc: Avoid endless loops caused by repeated llcp_sock_connect()

net/nfc/llcp_sock.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--
2.27.0

2021-03-04 08:31:54

by Xiaoming Ni

Subject: [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind()

nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.6
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
llcp_sock->service_name_len,
GFP_KERNEL);
if (!llcp_sock->service_name) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
kfree(llcp_sock->service_name);
llcp_sock->service_name = NULL;
ret = -EADDRINUSE;
--
2.27.0

2021-03-04 21:16:26

by Xiaoming Ni

Subject: [PATCH 3/4] nfc: fix memory leak in llcp_sock_connect()

In llcp_sock_connect(), use kmemdup to allocate memory for
"llcp_sock->service_name". The memory is not released in the sock_unlink
label of the subsequent failure branch.
As a result, memory leakage occurs.

fix CVE-2020-25672

Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.3
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9e2799ee1595..59172614b249 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,

sock_unlink:
nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;

sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
--
2.27.0

2021-03-04 21:17:01

by Xiaoming Ni

Subject: [PATCH 2/4] nfc: fix refcount leak in llcp_sock_connect()

nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.6
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
llcp_sock->local = nfc_llcp_local_get(local);
llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
@@ -748,6 +749,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,

sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ nfc_llcp_local_put(llcp_sock->local);

put_dev:
nfc_put_device(dev);
--
2.27.0

2021-03-04 21:18:10

by Xiaoming Ni

Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()

When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
sk->sk_node->next will point to itself, that will make an endless loop
and hang-up the system.
To fix it, check whether sk->sk_state is LLCP_CONNECTING in
llcp_sock_connect() to avoid repeated invoking.

fix CVE-2020-25673
Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.11
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 59172614b249..a3b46f888803 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
ret = -EISCONN;
goto error;
}
+ if (sk->sk_state == LLCP_CONNECTING) {
+ ret = -EINPROGRESS;
+ goto error;
+ }

dev = nfc_get_device(addr->dev_idx);
if (dev == NULL) {
--
2.27.0

2021-03-04 23:17:51

by kiyin(尹亮)

Subject: RE: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail)

Hi xiaoming,
the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...

Regards,
kiyin.

> -----Original Message-----
> From: Xiaoming Ni [mailto:[email protected]]
> Sent: Wednesday, March 3, 2021 2:17 PM
> To: [email protected]; kiyin(尹亮) <[email protected]>;
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected];
> [email protected]; [email protected]
> Cc: [email protected]; [email protected]; [email protected]
> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
> llcp_sock_connect()(Internet mail)
>
> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
> nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
> sk->sk_node->next will point to itself, that will make an endless loop and
> hang-up the system.
> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
> llcp_sock_connect() to avoid repeated invoking.
>
> fix CVE-2020-25673
> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
> Reported-by: "kiyin(尹亮)" <[email protected]>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
> Cc: <[email protected]> #v3.11
> Signed-off-by: Xiaoming Ni <[email protected]>
> ---
> net/nfc/llcp_sock.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
> 59172614b249..a3b46f888803 100644
> --- a/net/nfc/llcp_sock.c
> +++ b/net/nfc/llcp_sock.c
> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
> struct sockaddr *_addr,
> ret = -EISCONN;
> goto error;
> }
> + if (sk->sk_state == LLCP_CONNECTING) {
> + ret = -EINPROGRESS;
> + goto error;
> + }
>
> dev = nfc_get_device(addr->dev_idx);
> if (dev == NULL) {
> --
> 2.27.0
>

2021-03-05 03:25:43

by Xiaoming Ni

Subject: Re: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail)

On 2021/3/3 17:28, kiyin(尹亮) wrote:
> Hi xiaoming,
> the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
> if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...

I didn't find the code to modify sk->sk_state after a connect failure.
Can you provide guidance?

Based on my understanding of the current code:
After llcp_sock_connect() is invoked using the meaningless service_name
as the parameter, sk->sk_state is set to LLCP_CONNECTING. After that, no
corresponding service responds to the request because the service_name
is meaningless, the value of sk->sk_state remains unchanged.
Therefore, when llcp_sock_connect() is invoked again, resources such as
llcp_sock->service_name are not repeatedly applied because sk_state is
set to LLCP_CONNECTING.

In this way, the repeated invoking of llcp_sock_connect() does not
repeatedly leak resources.

Thanks
Xiaoming Ni


>
>> -----Original Message-----
>> From: Xiaoming Ni [mailto:[email protected]]
>> Sent: Wednesday, March 3, 2021 2:17 PM
>> To: [email protected]; kiyin(尹亮) <[email protected]>;
>> [email protected]; [email protected]; [email protected];
>> [email protected]; [email protected]; [email protected];
>> [email protected]; [email protected];
>> [email protected]; [email protected]
>> Cc: [email protected]; [email protected]; [email protected]
>> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
>> llcp_sock_connect()(Internet mail)
>>
>> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
>> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
>> nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
>> sk->sk_node->next will point to itself, that will make an endless loop and
>> hang-up the system.
>> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
>> llcp_sock_connect() to avoid repeated invoking.
>>
>> fix CVE-2020-25673
>> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
>> Reported-by: "kiyin(尹亮)" <[email protected]>
>> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
>> Cc: <[email protected]> #v3.11
>> Signed-off-by: Xiaoming Ni <[email protected]>
>> ---
>> net/nfc/llcp_sock.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
>> 59172614b249..a3b46f888803 100644
>> --- a/net/nfc/llcp_sock.c
>> +++ b/net/nfc/llcp_sock.c
>> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
>> struct sockaddr *_addr,
>> ret = -EISCONN;
>> goto error;
>> }
>> + if (sk->sk_state == LLCP_CONNECTING) {
>> + ret = -EINPROGRESS;
>> + goto error;
>> + }
>>
>> dev = nfc_get_device(addr->dev_idx);
>> if (dev == NULL) {
>> --
>> 2.27.0
>>
>

2021-03-24 01:10:47

by Greg Kroah-Hartman

Subject: Re: [PATCH 0/4] nfc: fix Resource leakage and endless loop

On Wed, Mar 03, 2021 at 02:16:50PM +0800, Xiaoming Ni wrote:
> fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
> reported by "kiyin(尹亮)".
>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1

What happened to this series?

Does it need to be resent against the latest networking tree?

thanks,

greg k-h

2021-03-25 03:58:33

by Xiaoming Ni

Subject: [PATCH resend 0/4] nfc: fix Resource leakage and endless loop

fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
reported by "kiyin(尹亮)".

Link: https://www.openwall.com/lists/oss-security/2020/11/01/1

Xiaoming Ni (4):
nfc: fix refcount leak in llcp_sock_bind()
nfc: fix refcount leak in llcp_sock_connect()
nfc: fix memory leak in llcp_sock_connect()
nfc: Avoid endless loops caused by repeated llcp_sock_connect()

net/nfc/llcp_sock.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--
2.27.0

2021-03-25 03:58:32

by Xiaoming Ni

Subject: [PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind()

nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.6
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
llcp_sock->service_name_len,
GFP_KERNEL);
if (!llcp_sock->service_name) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
kfree(llcp_sock->service_name);
llcp_sock->service_name = NULL;
ret = -EADDRINUSE;
--
2.27.0

2021-03-25 03:58:33

by Xiaoming Ni

Subject: [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect()

nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.6
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
llcp_sock->local = nfc_llcp_local_get(local);
llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
@@ -748,6 +749,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,

sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ nfc_llcp_local_put(llcp_sock->local);

put_dev:
nfc_put_device(dev);
--
2.27.0

2021-03-25 04:00:29

by Xiaoming Ni

Subject: [PATCH resend 3/4] nfc: fix memory leak in llcp_sock_connect()

In llcp_sock_connect(), use kmemdup to allocate memory for
"llcp_sock->service_name". The memory is not released in the sock_unlink
label of the subsequent failure branch.
As a result, memory leakage occurs.

fix CVE-2020-25672

Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: "kiyin(尹亮)" <[email protected]>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <[email protected]> #v3.3
Signed-off-by: Xiaoming Ni <[email protected]>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9e2799ee1595..59172614b249 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,

sock_unlink:
nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;

sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
--
2.27.0

2021-03-26 00:31:41

by patchwork-bot+netdevbpf

Subject: Re: [PATCH resend 0/4] nfc: fix Resource leakage and endless loop

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Thu, 25 Mar 2021 11:51:09 +0800 you wrote:
> fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
> reported by "kiyin(尹亮)".
>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
>
> Xiaoming Ni (4):
> nfc: fix refcount leak in llcp_sock_bind()
> nfc: fix refcount leak in llcp_sock_connect()
> nfc: fix memory leak in llcp_sock_connect()
> nfc: Avoid endless loops caused by repeated llcp_sock_connect()
>
> [...]

Here is the summary with links:
- [resend,1/4] nfc: fix refcount leak in llcp_sock_bind()
https://git.kernel.org/netdev/net/c/c33b1cc62ac0
- [resend,2/4] nfc: fix refcount leak in llcp_sock_connect()
https://git.kernel.org/netdev/net/c/8a4cd82d62b5
- [resend,3/4] nfc: fix memory leak in llcp_sock_connect()
https://git.kernel.org/netdev/net/c/7574fcdbdcb3
- [resend,4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()
https://git.kernel.org/netdev/net/c/4b5db93e7f2a

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html