Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp141705pxu; Tue, 13 Oct 2020 19:29:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxf+mFYn5MCMc2AUZtSNZYvtA6jV9iGw3fyLgOtiZFIMfFUwvxfjTDMJ29tmsBixOpPAnIC X-Received: by 2002:a17:906:5488:: with SMTP id r8mr2817737ejo.483.1602642583439; Tue, 13 Oct 2020 19:29:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602642583; cv=none; d=google.com; s=arc-20160816; b=gzqiTCcWgqqrNso2m6n2Vchj/XQqArHoiQUTOu3rgxn9I68xjwKPiqI1HxpkHZIz9C agryehO5ULTXp/IWq3QDAt1Lt9w3g4TCd+aHRSmOTZgoumSKfUY8oXF9vnHfXXluF9yR Uh6/xTsXkGhEjguh5Tky1Q668Ai+wR/uo25ykIYrGlZ3VeRIP7mn5G7hsdKp5qvpf9KZ q57UmDQF4MBJmgNi4412HPkDB51xibXDxcNUP7rrWemz3ohDWFWvx4fEdzKVbeblP7fV peFfaon0/EYPGdlhtCy28OfWb/VCwDnC/X2j1/mMmznt8JHkunYTW0P8FVscHrc+BXhx SLaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=SpXSDSdlRFb9ggkqiY6j3lhSsXlTf+Fbt8H5fRXb3p0=; b=abImhzJihyUzSjwC8Ye2B6CHRBiwGtZxbK5+yQlbUk5QjvvRhbh0+D9Jix9RdaGaoY B4KINIEsEyzHtfStFkWOfEScsTKsJxJxiMSY2NBptzLuqToHkUUbdFKpQD4jPLbuLGid jhgXt+p8e5rvZ0f1egfSNakMXxLDxpURO3cDhCex7cAmhxWywb84/zpyw5bcDgfIFl10 Pi9onXRBS3+R5bOs/VBwGiDXjmPm7qRDSt/JJSBQsLkZmn0Po9LLzsOzkke/9GveKFrl /3IbR71aVKzEbTeetTZEHaB+ANK9MELnvd7Q7et0I1MkggWca+FfGXvBXUbMydKBIlq0 duiw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w23si1137832ejy.456.2020.10.13.19.29.19; Tue, 13 Oct 2020 19:29:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729395AbgJMRTJ (ORCPT + 99 others); Tue, 13 Oct 2020 13:19:09 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:60027 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388239AbgJMRTB (ORCPT ); Tue, 13 Oct 2020 13:19:01 -0400 Received: from mail-ej1-f71.google.com ([209.85.218.71]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kSNww-0004CI-Vl for linux-kernel@vger.kernel.org; Tue, 13 Oct 2020 17:18:59 +0000 Received: by mail-ej1-f71.google.com with SMTP id p19so39448ejy.11 for ; Tue, 13 Oct 2020 10:18:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=SpXSDSdlRFb9ggkqiY6j3lhSsXlTf+Fbt8H5fRXb3p0=; b=o+8S1yGX9AMwHNbqg2Cia4mOGQl+o1lNTEo5Bo2atnAnrEulUPMdDL64dSkbhhv0Pa Sm+3eajGS75iJUjnPKtM/e42iu+mjcqifntDfQzwD58Txq9548XoRrv2ulprbQNkpn05 CB0chw6kzowUwV2yJhDsOOiUTYSc0jtln0Qk6SfypF7O/jy6uM0pCw8J1MA4ANhcfdkJ 8ePM6EMy804A6/PD6kTv8z0v4Yhji1s6x6OmaXVWwjkzHh9tMDdldvCMEv2oF8+OaNoE q2wL2iNkr0xjtBzcEqmDfA/wO4+6cPlL9Zv6CuzuwcaHLdMmOygNcu0bpOaH9gjRWxpr 16pA== X-Gm-Message-State: AOAM530I/LNvrYIbfH6vyZtdMTrcxvovQ5oe9/Makk9GHVHHx1t3/y3X E8vnhQoQwX/AtgJRqcbyniou5rAehwShOp3q1CGBxAZDPmnUjVOSNp2F+WMVv6uXdR+myovju+/ oyPCt4cqZs7JaZLqA3hHjNYyYbrl+3hIWkTTQPklZwg== X-Received: by 2002:a17:906:4910:: with SMTP id b16mr763233ejq.546.1602609537702; Tue, 13 Oct 2020 10:18:57 -0700 (PDT) X-Received: by 2002:a17:906:4910:: with SMTP id b16mr763142ejq.546.1602609536787; Tue, 13 Oct 2020 10:18:56 -0700 (PDT) Received: from localhost.localdomain ([2a02:8108:4640:10c0:6cbe:6d37:31ed:e54b]) by smtp.gmail.com with ESMTPSA id g9sm192776edv.81.2020.10.13.10.18.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Oct 2020 10:18:56 -0700 (PDT) From: Kleber Sacilotto de Souza To: netdev@vger.kernel.org Cc: Gerrit Renker , "David S. Miller" , Jakub Kicinski , Thadeu Lima de Souza Cascardo , "Gustavo A. R. Silva" , "Alexander A. Klimov" , Kees Cook , Eric Dumazet , Alexey Kodanev , dccp@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()" Date: Tue, 13 Oct 2020 19:18:49 +0200 Message-Id: <20201013171849.236025-3-kleber.souza@canonical.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20201013171849.236025-1-kleber.souza@canonical.com> References: <20201013171849.236025-1-kleber.souza@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Thadeu Lima de Souza Cascardo This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1. This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be kept, allowing the socket to be reused as a listener socket, and the cloned socket will free its dccps_hc_tx_ccid, leading to a later use after free, when the listener socket is closed. This addresses CVE-2020-16119. Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()) Reported-by: Hadar Manor Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Kleber Sacilotto de Souza --- net/dccp/proto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/dccp/proto.c b/net/dccp/proto.c index 6d705d90c614..359e848dba6c 100644 --- a/net/dccp/proto.c +++ b/net/dccp/proto.c @@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags) dccp_clear_xmit_timers(sk); ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); + ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); dp->dccps_hc_rx_ccid = NULL; + dp->dccps_hc_tx_ccid = NULL; __skb_queue_purge(&sk->sk_receive_queue); __skb_queue_purge(&sk->sk_write_queue); -- 2.25.1