Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4546417pxj; Wed, 12 May 2021 07:57:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxWlHFJuJjcY/rGDh3uGvmvCDdeIy0tjfh7LhcyH5KYi9FAUCiUtJr42MWEIUlgYLf9rO2j X-Received: by 2002:a05:6808:6cf:: with SMTP id m15mr25646514oih.30.1620831438392; Wed, 12 May 2021 07:57:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620831438; cv=none; d=google.com; s=arc-20160816; b=t0iNaDKpAchAar6NAxUfBEKH9dOU1rxxnn8L/sBZe0gzrBclPLgGv3ghFJLBq37lC8 MKIvrfnUdn+RtFiLpCb232FSzlHtoViUJTCivtdfZLPOXXIGds2azuq/uTLEDFL33wM8 dxhJTR+smeb2gtKEENPl8CI4bE+nm5Ib5sdm1MEotsvObnnjQhriafwUtQx7gPoldvR5 48aeVGqzaXqoa37jhGGvHTv7nf8suZY5JOmXafowYIK0dtQMZ+Qlw+yAESElqRdL0tJo Qns/jUC1awiMxGi0NjRtly5ynUncTPmghkj3gmkk/7AZPakYyL0OeKp4miZp3U4tm8gG KX1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VvUiP+/u95zP4eKNkrq2611ZcgxYZsJA+45JWvtINA4=; b=I8ziCw3/ELN4SDqCaZqhPiOy0AaDVGbOI706fBXNoZ4Kl422eWq+5UYNua3pLxFHgq iT3ReGVbKoFpTu9LHE+ynfAStmC9FgEU4zYLJSmgvGgmira/cAdiyLOobjV0Dtld6giB W9JjNNq1vqmu0deU8DnwB+pt6jI5DFzEMZxxE4niIeXDeaUsPZCAuzyweH0Sp28+zB5Q SQk3KtrIYYyNYfTMEFEPJYxH8hjKJGzub20vto/8T7oSnK+Zg0XfRT9dBpoydzvU8bcv j8K0X4s67vZUJrlHGlHQ8Aikc9+H4sjw2nrxE8lhAjrViqIq5LIKesjcVsKLnDlrTCJx 1evQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VLPzf9uC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x25si119982otp.204.2021.05.12.07.57.04; Wed, 12 May 2021 07:57:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VLPzf9uC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231887AbhELO4u (ORCPT + 99 others); Wed, 12 May 2021 10:56:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:46142 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232167AbhELOzb (ORCPT ); Wed, 12 May 2021 10:55:31 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BB2B161413; Wed, 12 May 2021 14:54:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620831263; bh=XOWtBRHSuOX4EissREp2XcPj4qBiqUOKAOx7vuhzsuc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VLPzf9uC74TaiLlJbXNn+hHiFkTDyKWq05HbZ0xd820cVCIm3gOiuGy0FRoTeEpuh MVl0dqAaEt+b+ToF5qSLwOkube3AdxVvj46BqAB4LAT1+8L/4h6L1U6QPMBa8yM9c0 r0ZZaUOiWLV44PrpsMnWceMrFxUIhz7BFk4chqes= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Or Cohen , Nadav Markus , "David S. Miller" Subject: [PATCH 5.4 004/244] net/nfc: fix use-after-free llcp_sock_bind/connect Date: Wed, 12 May 2021 16:46:15 +0200 Message-Id: <20210512144743.183367973@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144743.039977287@linuxfoundation.org> References: <20210512144743.039977287@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Or Cohen commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets. This can be triggered by the following simple program: int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); addr.sa_family = AF_NFC; addr.nfc_protocol = NFC_PROTO_NFC_DEP; bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) close(sock1); close(sock2); Fix this by assigning NULL to llcp_sock->local after calling nfc_llcp_local_put. This addresses CVE-2021-23134. Reported-by: Or Cohen Reported-by: Nadav Markus Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") Signed-off-by: Or Cohen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -109,12 +109,14 @@ static int llcp_sock_bind(struct socket GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE; @@ -709,6 +711,7 @@ static int llcp_sock_connect(struct sock llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } @@ -756,6 +759,7 @@ sock_unlink: sock_llcp_release: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; put_dev: nfc_put_device(dev);