Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp413696pxj; Thu, 20 May 2021 12:15:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxZ/KKH7Kgnqk/69l4nLJjJ0F3boANDkljFuEE7fvvx0px8erdY+KM9tGIkYr3qqW/jx7MV X-Received: by 2002:a50:fb8c:: with SMTP id e12mr6640447edq.93.1621538100024; Thu, 20 May 2021 12:15:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621538100; cv=none; d=google.com; s=arc-20160816; b=j7hp1txkAaEMGxC7p+RUGPQiJCsODNoNloTsl0PiB5DxW4WsOZaAGYQw+hNTKGOvNF AQEwHY+Uhzj+8BXpXEdOfNztglfW2MG8kR0FBQho9tZz30Hn+jK2NJfyGcVjcEiBiIBj ABmc3hA8F4jjiJOlqGwKaq59izii7hD5C6zv1P5lVDJWraJBa1iade4MUX0PgsiPyDDk nQthdeZl92DM0DAYTBcOPP2IjxeWx/fAloCSC7V/rtUGY9wj7Oceo7IbnVNXfqjfLk90 wPOV5AUdugLnHHc0wfoI0jkJIs+ZCVcWXuHsXr6gUesDfwljNjqZl0jsvGdTMXi5xcLA PKdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=7OMbA48RDJ9uMNLhB9kbIpcp/gqX1sqLApgbQhO2lCk=; b=kkEMRHfrViNKsyNIrdq06S53Oi+v7zdW32kPPiDqNaOF67nOO1lfQ9EhzmPNnaySFL bvdmdv3OMvG7fYyHtsyozadkdOoz9JNWaU7TAyIzUyYFJNMdDcB6MCHKgZIs2S3AWSHf GpHzF7e4b5V9Kb1JOQWvIcQRrzCUfmKY46rdWfiB7p8UzrorUMLYKN7e0dCwlVcuMoDL icsCaPnN902Z3OlgaesHgkZ3bL6CdB6X1KLL4AF/zVwJpYTdlYk3MqBBrTPRhDY1p+0a eY+X45ZPn9KtriiDOMJOYktUbpuFWxWGKBopIsgLMXC6aTwI2lEzdc7bwnZQKQsMVDTT dC+A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=aePU3xja; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id df11si2777146edb.250.2021.05.20.12.14.36; Thu, 20 May 2021 12:15:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=aePU3xja; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237842AbhETKjB (ORCPT + 99 others); Thu, 20 May 2021 06:39:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:55682 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236605AbhETKYV (ORCPT ); Thu, 20 May 2021 06:24:21 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id CC8C561A2B; Thu, 20 May 2021 09:49:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621504149; bh=AEtUL+1aobeMG5FJpxMXI8SYQHa0ydB1YzuOROKDAUQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aePU3xjaVVdXLiSOzP92ft/vY9gk/V/Gg6q5O6NhZU/I8pbHU0GRFNGutpbuEA1Re /ezCh2X2I+r/nTtE3gxAMoSeNMJkCX7Noo/GLHs8thlBKhfj1qN/7TIeRoHu1J/0Hu 25wDfHlgump0klJBAaNSPuwK4zwoJljf8K/jxiOQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Or Cohen , Nadav Markus , "David S. Miller" Subject: [PATCH 4.14 114/323] net/nfc: fix use-after-free llcp_sock_bind/connect Date: Thu, 20 May 2021 11:20:06 +0200 Message-Id: <20210520092124.004883706@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092120.115153432@linuxfoundation.org> References: <20210520092120.115153432@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Or Cohen commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets. This can be triggered by the following simple program: int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); addr.sa_family = AF_NFC; addr.nfc_protocol = NFC_PROTO_NFC_DEP; bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) close(sock1); close(sock2); Fix this by assigning NULL to llcp_sock->local after calling nfc_llcp_local_put. This addresses CVE-2021-23134. Reported-by: Or Cohen Reported-by: Nadav Markus Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") Signed-off-by: Or Cohen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -121,12 +121,14 @@ static int llcp_sock_bind(struct socket GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE; @@ -722,6 +724,7 @@ static int llcp_sock_connect(struct sock llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } @@ -760,6 +763,7 @@ static int llcp_sock_connect(struct sock sock_unlink: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; nfc_llcp_sock_unlink(&local->connecting_sockets, sk); kfree(llcp_sock->service_name);