From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Denis Andzakovic, Eric Dumazet, Ben Hutchings, Salvatore Bonaccorso
Subject: [PATCH 4.14 14/69] tcp: Clear sk_send_head after purging the write queue
Date: Wed, 14 Aug 2019 19:01:12 +0200
Message-Id: <20190814165746.523313498@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190814165744.822314328@linuxfoundation.org>
References: <20190814165744.822314328@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ben Hutchings

Denis Andzakovic discovered a potential use-after-free in older kernel
versions, using syzkaller. tcp_write_queue_purge() frees all skbs in
the TCP write queue and can leave sk->sk_send_head pointing to freed
memory. tcp_disconnect() clears that pointer after calling
tcp_write_queue_purge(), but tcp_connect() does not. It is
(surprisingly) possible to add to the write queue between
disconnection and reconnection, so this needs to be done in both
places.

This bug was introduced by backports of commit 7f582b248d0a ("tcp:
purge write queue in tcp_connect_init()") and does not exist upstream
because of earlier changes in commit 75c119afe14f ("tcp: implement
rb-tree based retransmit queue"). The latter is a major change that's
not suitable for stable.

Reported-by: Denis Andzakovic
Bisected-by: Salvatore Bonaccorso
Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
Cc: # before 4.15
Cc: Eric Dumazet
Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman
---
 include/net/tcp.h | 3 +++
 1 file changed, 3 insertions(+)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1613,6 +1613,8 @@ static inline void tcp_init_send_head(st sk->sk_send_head = NULL; } +static inline void tcp_init_send_head(struct sock *sk); + /* write queue abstraction */ static inline void tcp_write_queue_purge(struct sock *sk) { @@ -1621,6 +1623,7 @@ static inline void tcp_write_queue_purge tcp_chrono_stop(sk, TCP_CHRONO_BUSY); while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) sk_wmem_free_skb(sk, skb); + tcp_init_send_head(sk); sk_mem_reclaim(sk); tcp_clear_all_retrans_hints(tcp_sk(sk)); tcp_init_send_head(sk);
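Review bot: the forward declaration `static inline void tcp_init_send_head(struct sock *sk);` added by the first hunk is redundant on this tree: the hunk's own context (`sk->sk_send_head = NULL; }` beneath the `tcp_init_send_head` function header) shows the function already defined immediately above tcp_write_queue_purge(). Declaring a function after its definition is legal C and compiles cleanly, so this is a tidiness point rather than a defect; the declaration is only needed on branches where tcp_write_queue_purge() precedes tcp_init_send_head() and can be dropped from the 4.14 backport.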
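Review bot: the second hunk's new `tcp_init_send_head(sk);` after the free loop duplicates a call this branch already has: the hunk's unchanged trailing context ends the function with `tcp_init_send_head(sk);`, so on 4.14 the pointer is cleared twice and the patch changes no observable behaviour here. One of the two calls should go, and the changelog should say that 4.14's tcp_write_queue_purge() already reset the pointer so that stable readers are not misled into thinking 4.14 was exposed. If the earlier position is preferred (the pointer never dangles across sk_mem_reclaim() and tcp_clear_all_retrans_hints()), delete the trailing call instead. The design point in the changelog stands either way: resetting inside the purge covers tcp_disconnect() and tcp_connect() alike instead of relying on each caller to remember it.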
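As an added illustration of the failure mode the changelog describes (constructed for this note, not kernel code and not part of the patch), a user-space model of the purge path: a write queue with a send-head pointer, the purge that frees every skb but leaves the pointer alone, and the same purge with the reset folded in. The struct and function names mirror the kernel's but the structures are simplified stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structures (constructed for this example). */
struct skb { struct skb *next; };
struct sock {
    struct skb *sk_write_queue;   /* pending skbs, oldest first */
    struct skb *sk_send_head;     /* first skb not yet sent; NULL when none */
};

static void tcp_init_send_head(struct sock *sk) { sk->sk_send_head = NULL; }

/* Append an skb; as in the kernel, the first queued skb becomes the send head. */
static void write_queue_add(struct sock *sk) {
    struct skb *skb = calloc(1, sizeof *skb), **pp = &sk->sk_write_queue;
    if (!skb) abort();
    while (*pp) pp = &(*pp)->next;
    *pp = skb;
    if (!sk->sk_send_head) sk->sk_send_head = skb;
}

/* Purge as in the unpatched tree: every skb is freed, sk_send_head is left alone.
 * With the patch (patched=true) the reset happens inside the purge itself, so
 * every caller, tcp_disconnect() and tcp_connect() alike, gets it for free. */
static void write_queue_purge(struct sock *sk, bool patched) {
    struct skb *skb;
    while ((skb = sk->sk_write_queue) != NULL) {
        sk->sk_write_queue = skb->next;
        free(skb);
    }
    if (patched) tcp_init_send_head(sk);
}

/* Dangling means: queue empty but sk_send_head still non-NULL. Only the pointer
 * value is compared with NULL; the freed skb is never dereferenced. */
static bool send_head_dangles(const struct sock *sk) {
    return sk->sk_write_queue == NULL && sk->sk_send_head != NULL;
}

/* Replay the commit's sequence: data queued, then the queue purged on connect. */
static bool purge_leaves_dangling_head(bool patched) {
    struct sock sk = { NULL, NULL };
    write_queue_add(&sk);
    write_queue_add(&sk);
    write_queue_purge(&sk, patched);
    return send_head_dangles(&sk);
}
```

In the real kernel the dangling pointer is later dereferenced by the send path, which is the use-after-free; the model stops at detecting the stale pointer so it stays well-defined.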