2023-12-12 18:50:42

by Siddh Raman Pant

[permalink] [raw]
Subject: [PATCH net-next v5 1/2] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local

llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
getting the headroom and tailroom needed for skb allocation.

Parallelly the nfc_dev can be freed, as the refcount is decreased via
nfc_free_device(), leading to a UAF reported by Syzkaller, which can
be summarized as follows:

(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
-> nfc_alloc_send_skb() -> Dereference *nfc_dev
(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
-> put_device() -> nfc_release() -> Free *nfc_dev

When a reference to llcp_local is acquired, we do not acquire the same
for the nfc_dev. This leads to freeing even when the llcp_local is in
use, and this is the case with the UAF described above too.

Thus, when we acquire a reference to llcp_local, we should acquire a
reference to nfc_dev, and release the references appropriately later.

References for llcp_local is initialized in nfc_llcp_register_device()
(which is called by nfc_register_device()). Thus, we should acquire a
reference to nfc_dev there.

nfc_unregister_device() calls nfc_llcp_unregister_device() which in
turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
appropriately released later.

Reported-and-tested-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
Reviewed-by: Suman Ghosh <[email protected]>
Signed-off-by: Siddh Raman Pant <[email protected]>
---
net/nfc/llcp_core.c | 72 +++++++++++++++++++++++++++++----------------
1 file changed, 47 insertions(+), 25 deletions(-)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..2f77200a3720 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,

static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);

return local;
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)

int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;

- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}

static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
@@ -901,7 +916,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,

if (dsap != LLCP_SAP_SDP) {
sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
- if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
+ if (!sock || sock->sk.sk_state != LLCP_LISTEN) {
reason = LLCP_DM_NOBOUND;
goto fail;
}
@@ -910,7 +925,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
size_t sn_len;

sn = nfc_llcp_connect_sn(skb, &sn_len);
- if (sn == NULL) {
+ if (!sn) {
reason = LLCP_DM_NOBOUND;
goto fail;
}
@@ -918,7 +933,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
pr_debug("Service name length %zu\n", sn_len);

sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
- if (sock == NULL) {
+ if (!sock) {
reason = LLCP_DM_NOBOUND;
goto fail;
}
@@ -928,39 +943,31 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,

parent = &sock->sk;

- if (sk_acceptq_is_full(parent)) {
- reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
- }
+ if (sk_acceptq_is_full(parent))
+ goto fail_put_sock;

if (sock->ssap == LLCP_SDP_UNBOUND) {
u8 ssap = nfc_llcp_reserve_sdp_ssap(local);

pr_debug("First client, reserving %d\n", ssap);

- if (ssap == LLCP_SAP_MAX) {
- reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
- }
+ if (ssap == LLCP_SAP_MAX)
+ goto fail_put_sock;

sock->ssap = ssap;
}

new_sk = nfc_llcp_sock_alloc(NULL, parent->sk_type, GFP_ATOMIC, 0);
- if (new_sk == NULL) {
- reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
- }
+ if (!new_sk)
+ goto fail_put_sock;

new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local)
+ goto fail_free_new_sock;
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
@@ -1004,8 +1011,14 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,

return;

+fail_free_new_sock:
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+fail_put_sock:
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
fail:
- /* Send DM */
nfc_llcp_send_dm(local, dsap, ssap, reason);
}

@@ -1597,7 +1610,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;

- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
--
2.42.0


2023-12-13 07:40:36

by Krzysztof Kozlowski

[permalink] [raw]
Subject: Re: [PATCH net-next v5 1/2] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local

On 12/12/2023 19:49, Siddh Raman Pant wrote:
> llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
> nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
> getting the headroom and tailroom needed for skb allocation.
>
> Parallelly the nfc_dev can be freed, as the refcount is decreased via
> nfc_free_device(), leading to a UAF reported by Syzkaller, which can
> be summarized as follows:
>
> (1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
> -> nfc_alloc_send_skb() -> Dereference *nfc_dev
> (2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
> -> put_device() -> nfc_release() -> Free *nfc_dev
>
> When a reference to llcp_local is acquired, we do not acquire the same
> for the nfc_dev. This leads to freeing even when the llcp_local is in
> use, and this is the case with the UAF described above too.
>
> Thus, when we acquire a reference to llcp_local, we should acquire a
> reference to nfc_dev, and release the references appropriately later.
>
> References for llcp_local is initialized in nfc_llcp_register_device()
> (which is called by nfc_register_device()). Thus, we should acquire a
> reference to nfc_dev there.
>
> nfc_unregister_device() calls nfc_llcp_unregister_device() which in
> turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
> appropriately released later.
>
> Reported-and-tested-by: [email protected]
> Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
> Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
> Reviewed-by: Suman Ghosh <[email protected]>
> Signed-off-by: Siddh Raman Pant <[email protected]>
> ---
> net/nfc/llcp_core.c | 72 +++++++++++++++++++++++++++++----------------
> 1 file changed, 47 insertions(+), 25 deletions(-)
>
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index 1dac28136e6a..2f77200a3720 100644
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
>
> static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
> {
> + /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
> + * we hold a reference to local, we also need to hold a reference to
> + * the device to avoid UAF.
> + */
> + if (!nfc_get_device(local->dev->idx))
> + return NULL;
> +
> kref_get(&local->ref);
>
> return local;
> @@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
>
> int nfc_llcp_local_put(struct nfc_llcp_local *local)
> {
> + struct nfc_dev *dev;
> + int ret;
> +
> if (local == NULL)
> return 0;
>
> - return kref_put(&local->ref, local_release);
> + dev = local->dev;
> +
> + ret = kref_put(&local->ref, local_release);
> + nfc_put_device(dev);
> +
> + return ret;
> }
>
> static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
> @@ -901,7 +916,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>
> if (dsap != LLCP_SAP_SDP) {
> sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
> - if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
> + if (!sock || sock->sk.sk_state != LLCP_LISTEN) {

This is unrelated change. Please keep all cleanups separate from fixes.

> reason = LLCP_DM_NOBOUND;
> goto fail;
> }
> @@ -910,7 +925,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
> size_t sn_len;
>
> sn = nfc_llcp_connect_sn(skb, &sn_len);
> - if (sn == NULL) {
> + if (!sn) {

Not related.

> reason = LLCP_DM_NOBOUND;
> goto fail;
> }
> @@ -918,7 +933,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
> pr_debug("Service name length %zu\n", sn_len);
>
> sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
> - if (sock == NULL) {
> + if (!sock) {

Not related.

> reason = LLCP_DM_NOBOUND;
> goto fail;
> }
> @@ -928,39 +943,31 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>
> parent = &sock->sk;
>
> - if (sk_acceptq_is_full(parent)) {
> - reason = LLCP_DM_REJ;
> - release_sock(&sock->sk);
> - sock_put(&sock->sk);
> - goto fail;
> - }
> + if (sk_acceptq_is_full(parent))
> + goto fail_put_sock;

I would argue that you reshuffle here more code than needed for the fix.

This should fix only missing dev reference, not reshuffle code. It's a
bugfix, not cleanup.

>
> if (sock->ssap == LLCP_SDP_UNBOUND) {
> u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
>
> pr_debug("First client, reserving %d\n", ssap);
>
> - if (ssap == LLCP_SAP_MAX) {
> - reason = LLCP_DM_REJ;
> - release_sock(&sock->sk);
> - sock_put(&sock->sk);
> - goto fail;
> - }
> + if (ssap == LLCP_SAP_MAX)
> + goto fail_put_sock;
>
> sock->ssap = ssap;
> }
>


Best regards,
Krzysztof

2023-12-14 17:25:20

by Siddh Raman Pant

[permalink] [raw]
Subject: Re: [PATCH net-next v5 1/2] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local

On Wed, 13 Dec 2023 13:10:16 +0530, Krzysztof Kozlowski wrote:
> > - if (sk_acceptq_is_full(parent)) {
> > - reason = LLCP_DM_REJ;
> > - release_sock(&sock->sk);
> > - sock_put(&sock->sk);
> > - goto fail;
> > - }
> > + if (sk_acceptq_is_full(parent))
> > + goto fail_put_sock;
>
> I would argue that you reshuffle here more code than needed for the fix.
>
> This should fix only missing dev reference, not reshuffle code. It's a
> bugfix, not cleanup.

So this should not be done? I did it because you told to extend the
cleanup label in v3 discussion.

Thanks,
Siddh

2023-12-15 07:23:02

by Krzysztof Kozlowski

[permalink] [raw]
Subject: Re: [PATCH net-next v5 1/2] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local

On 14/12/2023 18:23, Siddh Raman Pant wrote:
> On Wed, 13 Dec 2023 13:10:16 +0530, Krzysztof Kozlowski wrote:
>>> - if (sk_acceptq_is_full(parent)) {
>>> - reason = LLCP_DM_REJ;
>>> - release_sock(&sock->sk);
>>> - sock_put(&sock->sk);
>>> - goto fail;
>>> - }
>>> + if (sk_acceptq_is_full(parent))
>>> + goto fail_put_sock;
>>
>> I would argue that you reshuffle here more code than needed for the fix.
>>
>> This should fix only missing dev reference, not reshuffle code. It's a
>> bugfix, not cleanup.
>
> So this should not be done? I did it because you told to extend the
> cleanup label in v3 discussion.

It can be done but not in the same commit. You must not combine fixes
with other changes. Also, each commit is one logical change.

Best regards,
Krzysztof