Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp544604pxj; Thu, 20 May 2021 15:50:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzHB+Jc88T331yi2nYGHA8AJPhE2X9og+ZQwko0DDgDcM/sTS7CtdL9wpq5bEfvfRT0pg+P X-Received: by 2002:a05:6638:505:: with SMTP id i5mr8578618jar.141.1621551032885; Thu, 20 May 2021 15:50:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621551032; cv=none; d=google.com; s=arc-20160816; b=gk98k/aR4Svumz9ygGjHbRL+6BQPqWAEZR/+vFnYE055vA8PPIzqsp4BIZ3VftLNtV zo3oNhy8GJu6vxO+ew3m6ljGzTy2vSDbok7jk5hgmEtrVAbpk3VXP97kpOTqN888+KK9 9xcaXwbwSgeoSXkTNF80XBQ8ApIRtXBtdNK+p/0jnyirqxkQHJ2XVjcVM1RKhJpAP2Ex f2ACR99P1Qpa3IXwY4P23evHnghfe58enk6n/VjaCmKKsSiLTO/TK02C88Wyeph61LCJ jmf0hajA7YEsanLY/uhJvfm5ocR2vp2IIJq23UXPF7TxwW1gwczEtPZyvD05U6JKv1qr GYPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=5jO0h5K8vDLEirreU8P2xR6I6eF+Lor3z8lOQUHSjSs=; b=fG9XG0oCjo40LE85DsJczGII4LLpAUbdoDG7ZHTr/Hhkyu23z+DOKaryImt0pq3iPx wPDYs5xOkLmDODu5mfivT+AF2yH2wkswVTyOerVX83Y4Bq/uFoa8wJnIqltzm3Fwf26O 2d4FMHsCzr1Ef9n+/U+UsNIWauALbTfspEDEWVO3uXTd4BTDoyANChkTnQ52yavy/HSz lpPomgyfGlfH1IsdUrlZTWPEtkFTVSAWlnBi7FWxmVNHCWbu14R+idQSpKZqkwGan4IC 2Mvf/tQuRlL6puFwH8+qGeF8mO8bRJqx7e9rIgbUxj38z1/2BvwPYr9Wh4fryB+DYV41 qf3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="JNQ//R2z"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d70si4084996iog.4.2021.05.20.15.50.19; Thu, 20 May 2021 15:50:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="JNQ//R2z"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239733AbhETLLa (ORCPT + 99 others); Thu, 20 May 2021 07:11:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:52068 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239110AbhETKvs (ORCPT ); Thu, 20 May 2021 06:51:48 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 52EAE617C9; Thu, 20 May 2021 10:00:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621504804; bh=UX0XKPTdDTy/mbmYjVl+qgSNN60V0sjiGcON+9tifMY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JNQ//R2zRnH7MDJ0c/XW+3BjIYKMtlQEupPE+NAFPC0c1uqla7Irtrfe0eWscPO6J H3Xi7DyMKbmPXEeljGFrhXCv55F2UCsnGnAo+hvDoG5IxqcOrOqpig9mkMUzPS+UIb nqHG18ZwAjIwCNfmhTtB9w5a1BuY/p4/aEe8TYUo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Or Cohen , Nadav Markus , "David S. Miller" Subject: [PATCH 4.9 071/240] net/nfc: fix use-after-free llcp_sock_bind/connect Date: Thu, 20 May 2021 11:21:03 +0200 Message-Id: <20210520092111.063684823@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092108.587553970@linuxfoundation.org> References: <20210520092108.587553970@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Or Cohen commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets. This can be triggered by the following simple program: int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); addr.sa_family = AF_NFC; addr.nfc_protocol = NFC_PROTO_NFC_DEP; bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) close(sock1); close(sock2); Fix this by assigning NULL to llcp_sock->local after calling nfc_llcp_local_put. This addresses CVE-2021-23134. Reported-by: Or Cohen Reported-by: Nadav Markus Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") Signed-off-by: Or Cohen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -120,12 +120,14 @@ static int llcp_sock_bind(struct socket GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE; @@ -721,6 +723,7 @@ static int llcp_sock_connect(struct sock llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } @@ -759,6 +762,7 @@ static int llcp_sock_connect(struct sock sock_unlink: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; nfc_llcp_sock_unlink(&local->connecting_sockets, sk); kfree(llcp_sock->service_name);