Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1593788pxb; Mon, 12 Apr 2021 01:45:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxjx8WeNFzMPKie4vBfwv/U+091olzvotgsXHOBQ43Pl5FH6eXuGZbgH7mkoMYu6E8LwfGJ X-Received: by 2002:a17:903:310f:b029:ea:c9ad:4fb2 with SMTP id w15-20020a170903310fb02900eac9ad4fb2mr9608173plc.12.1618217117570; Mon, 12 Apr 2021 01:45:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618217117; cv=none; d=google.com; s=arc-20160816; b=f84eUIg99700xYuaX+yzgw6sTQk2CqGHPb/HS3SauvW2Rcr6kC1JAh92vL3kDEm2PF XNBqVylcNTJ9zNNjywUVW21fXkJhLua5SVtZboRmT7kU7yOEOTD1dF0Gr7SMRCVrve/k +3ksW2Md8NpGkuYGWUW1RAZg1T+k9rWt8HOmK+YiYVcJF/KIBM7R5SbyY2AgGnKHJWNf Tt2RvVjiAyxTk0gJQtju6OLJ13SyOtc63oxIguqcwFBM9qHoo2GE9c0Gtcfk+2diR7c8 +4jY5CJTnHK9tRYYd0YduNoswsAJc1v/0Wz1uTCmaFQOQWipyeEJz58G7qWyVtHubX3J xQVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=aM1XhZdQ+5ZJvNVsDewcgd4YbL05tTgQkuQd+LSV4cg=; b=ZCxNTpQPjVg1afjmPDUUt3kiK+EIgThdgibbSru+QYIw4PIP/qV6grG40NevfPVqO5 WUaPVT0/mbU6jglE3cwxiz3Rq0eaK7rZaszp5S49/r2mQeh7CD1vv3VD/hSiNAY9Z03L Dw7eAmPI+FjnfhU9TMDdEFyegd9zR1H/Uvsgq7Pp8GHeAETuvuLwAbTULsUYlKjJlZzL pevSkGLwIuD7gDpe6Z5QPy6Mu13fiLX1fFmr5OmoL6c7bYREsjBVntN0wHpNVDC9LM7R XrNUT5BJ3vGlwELQNmTpeFOdzdUqUZ3isNQbE576yNiaDvUxJquMLdUmq+gSGrw59Wqi 2dFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="mOFuP5Y/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w5si12132154pjh.156.2021.04.12.01.45.06; Mon, 12 Apr 2021 01:45:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="mOFuP5Y/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237556AbhDLIny (ORCPT + 99 others); Mon, 12 Apr 2021 04:43:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:35234 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237506AbhDLIne (ORCPT ); Mon, 12 Apr 2021 04:43:34 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 4591861245; Mon, 12 Apr 2021 08:43:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1618216995; bh=oFAqnnUADnTEWjykGov1rmLc69VHpj5dRjoLHjvP8p0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mOFuP5Y/lsNOF2WFoLwlrQ9GyivLtVv9wRynjSNe79/tYJcstRgP7xBC1tU2mz9Sh jap7vRDCUuxBuqzVZFGbVYWa3l3C8LTPsADwMDbbYyw7V4vJ0GUy8tAF4bc6H0BH4a kwleDfNT9V8zU0WZpfPpLBSgQqkGkMxYozOErYzw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?kiyin ?= , Xiaoming Ni , "David S. Miller" Subject: [PATCH 4.19 04/66] nfc: fix refcount leak in llcp_sock_connect() Date: Mon, 12 Apr 2021 10:40:10 +0200 Message-Id: <20210412083958.277993168@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210412083958.129944265@linuxfoundation.org> References: <20210412083958.129944265@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xiaoming Ni commit 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 upstream. nfc_llcp_local_get() is invoked in llcp_sock_connect(), but nfc_llcp_local_put() is not invoked in subsequent failure branches. As a result, refcount leakage occurs. To fix it, add calling nfc_llcp_local_put(). fix CVE-2020-25671 Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") Reported-by: "kiyin(尹亮)" Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: #v3.6 Signed-off-by: Xiaoming Ni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_sock.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -716,6 +716,7 @@ static int llcp_sock_connect(struct sock llcp_sock->local = nfc_llcp_local_get(local); llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); ret = -ENOMEM; goto put_dev; } @@ -753,6 +754,7 @@ static int llcp_sock_connect(struct sock sock_unlink: nfc_llcp_put_ssap(local, llcp_sock->ssap); + nfc_llcp_local_put(llcp_sock->local); nfc_llcp_sock_unlink(&local->connecting_sockets, sk);