Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp610951pxj; Thu, 20 May 2021 17:49:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy9axlT9F9P4BaWGAdBF0dSCWfZn336I4dAuawAVM6oHkejQax79htHQIAdezs26llDDaR7 X-Received: by 2002:aa7:d598:: with SMTP id r24mr7968066edq.250.1621558161262; Thu, 20 May 2021 17:49:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621558161; cv=none; d=google.com; s=arc-20160816; b=ibJ4GJnkWtPUz0TKSFLeSEJKA81cSmdde2ED5j4Rb85NKx2rm0DLnL578xFsgQwG1s oumRzoDja6OHqutVEIGf/PrfqfPaho2XWJA9X0zubSMWGxKD2iCegriPttQMQSx1Hugi P5C7tkKXL2K8Tsw628HPb6idQs5BodUqqr+cHm5jShWvocHKSbBHdTIhNzvRFgNgW5xn IG5MEynspvjc15DNFSTnvovoBfHmqjS7L41yJSC6h/TYUUTmPqzRo4y0HwBYAvXf+1lf +2XDR41WLC1KlgadelqqyCPut08UVNdVyE2nIwDS3j9H6bqMOMWvQBiTTkFgpyb6Sie7 pZpg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0XAGYo1DwpExnrpXKfZUDPJd3DNm7C1WB2gtplM1q3I=; b=nLppNqPdpyhe0+ukLWnZ2v8IStfOc++H1ml+xCHJQEhEG2POWVGoqvTO/zap0WyL17 2JbMUxxOXGkcbDGO3NHyHo1CzaVZgITD0RO03JnrCO9DqwsPpfAD/89DGG6GZY6nQL8l 7PoNU46t+JJ33VOjWOWBPLXdX22hgIxSIEMgalotVJDkaNL1db6csbtMIWFA4b4E3Tvp dNjHhuPUzHDYx/IBs0uWnc4DyfACvv+Yar2X0VWZhX9zKKwI4BAqCoLwwfrcSRD3//z6 w458sLpGimxdZczmXoqxM7s35zb/TEZmaJn3YqpqxtXUYG7+2v6eogTBndQKrJSXQu/g hk/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=BGyn5Etj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w24si4734653ejb.384.2021.05.20.17.48.57; Thu, 20 May 2021 17:49:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=BGyn5Etj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241742AbhETLct (ORCPT + 99 others); Thu, 20 May 2021 07:32:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:56748 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239901AbhETLML (ORCPT ); Thu, 20 May 2021 07:12:11 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 9B73E61D4A; Thu, 20 May 2021 10:07:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621505265; bh=rAZp+pNO+cBHxiI7/u1rKtYBdOdvzfsbYzUScq+ldJs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BGyn5EtjSelb0zTCNWkep0+162fpBQvQ3Xr9hNwRmi6v/xEM7mp0gMYFOtehJkjhC 9QR7K4le8E+XCrz5rwInGCk0CogGq/9eTTUPz+ZgvxJbmwP577siuyPigcu/YvYScG zLb9NbSj/A8/N8FFLQsqBkjrEi8Y/9DwRVZWzN0A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Or Cohen , Nadav Markus , "David S. Miller" Subject: [PATCH 4.4 056/190] net/nfc: fix use-after-free llcp_sock_bind/connect Date: Thu, 20 May 2021 11:22:00 +0200 Message-Id: <20210520092104.023990835@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092102.149300807@linuxfoundation.org> References: <20210520092102.149300807@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Or Cohen commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets. This can be triggered by the following simple program: int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); addr.sa_family = AF_NFC; addr.nfc_protocol = NFC_PROTO_NFC_DEP; bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) close(sock1); close(sock2); Fix this by assigning NULL to llcp_sock->local after calling nfc_llcp_local_put. This addresses CVE-2021-23134. Reported-by: Or Cohen Reported-by: Nadav Markus Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") Signed-off-by: Or Cohen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -120,12 +120,14 @@ static int llcp_sock_bind(struct socket GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE; @@ -715,6 +717,7 @@ static int llcp_sock_connect(struct sock llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } @@ -753,6 +756,7 @@ static int llcp_sock_connect(struct sock sock_unlink: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; nfc_llcp_sock_unlink(&local->connecting_sockets, sk); kfree(llcp_sock->service_name);