Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp4225540pxb; Mon, 21 Feb 2022 15:19:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJwur6BgRtsmORGcDGrRNCL4tvm5NEKnkSWIkhgNibdOAeHh2DHU1HX0s9pw4DM9QbkC4Ns0 X-Received: by 2002:a17:902:b210:b0:14f:d0ff:46bb with SMTP id t16-20020a170902b21000b0014fd0ff46bbmr3240918plr.47.1645485551884; Mon, 21 Feb 2022 15:19:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645485551; cv=none; d=google.com; s=arc-20160816; b=yCXuGFwX5dOmKJ6OI4mPSj0Xjps+FsVXlBb13U8F0FlMkQb4/rRTRlAFACVhhoZBMi vfNUCZ8aOH+Deh1oCw7CTF11mvnGIlW5h/9zZ3vuv8irPw30ZbED7HsVECMOtRVBiri9 0GO/d+0AG1A9uaYty/srTLHGvNOaBf50BHqy3uwqPkzKekfESY8TkfdJ7+oTdNv7U5W/ O7h6m4NCr5jRwPcYh9clNFH6dPtruscV9PoAs0MbWhAFAYsgILPBKePPEcGZf1tbX77X /jCiqNHQv+df9wwLBU2QDSM8t+58Gl+ViS+MF4U0dQmgMVCXecr1Sq4JW0dvgNzUayNl rBHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=QKZBR62FLUmS85XBY4cYEAgpab4nPh0HLXvg25Lj6ws=; b=XWzy6URuZl0Uo3NeD7wEd667l3WPkVqcpIyyaw+B8hPOCxHYFk4puZ9qqhBhRisAKk bMbM4zHx1muQ94x5hHvW+0MreKESvEInErDOArXwL/gTuhvHrEOzTerkn3FunuQuHZmU +h9hcBuj1J2Ua8i+isn3G6eRpsNuYhZCSEM1w3w2HHnYBfZK6YtMcdeCxzq7I+qZxheX SCpaiaPDXa7BceGCAZDv+w7CjhrfJ4r/Cbu6pFl6luvL2NQTvMIE0euVLdzX9t4CzFso zzhBAw+Kbk/5q0tqWLyBkYyb6QkU+Oxxiz7DneKDUe3tUoHLTw+C7uf0MI+K46fG6B8h fIKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=tAtuij+s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pg15-20020a17090b1e0f00b001bc6da41e36si463728pjb.118.2022.02.21.15.18.57; Mon, 21 Feb 2022 15:19:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=tAtuij+s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351658AbiBUJwW (ORCPT + 99 others); Mon, 21 Feb 2022 04:52:22 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:42384 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352471AbiBUJra (ORCPT ); Mon, 21 Feb 2022 04:47:30 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2124331374; Mon, 21 Feb 2022 01:19:57 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B3A4460F46; Mon, 21 Feb 2022 09:19:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 971E4C340E9; Mon, 21 Feb 2022 09:19:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1645435196; bh=dzgvD5fCB9/BzXR2I4sstOpNngSBG7g9smFuubhhq2Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tAtuij+s8Lzgw696nfZmomNu9xji1lU/a/wngf4D2MS76sct0TvvYwmQDa4usmxRf /4JJtimfeiK7jatbmmgfh0BLO+A9ephTUAn80Jdk2eHqwcwSEA8v/8ipRJfpRSkf1S si3/6ulXicnP/bxhqOmc3TBpc4BOYUmyETMPRgCE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Duoming Zhou , "David S. Miller" , Sasha Levin Subject: [PATCH 5.16 047/227] ax25: improve the incomplete fix to avoid UAF and NPD bugs Date: Mon, 21 Feb 2022 09:47:46 +0100 Message-Id: <20220221084936.444795974@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220221084934.836145070@linuxfoundation.org> References: <20220221084934.836145070@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Duoming Zhou [ Upstream commit 4e0f718daf97d47cf7dec122da1be970f145c809 ] The previous commit 1ade48d0c27d ("ax25: NPD bug when detaching AX25 device") introduce lock_sock() into ax25_kill_by_device to prevent NPD bug. But the concurrency NPD or UAF bug will occur, when lock_sock() or release_sock() dereferences the ax25_cb->sock. The NULL pointer dereference bug can be shown as below: ax25_kill_by_device() | ax25_release() | ax25_destroy_socket() | ax25_cb_del() ... | ... | ax25->sk=NULL; lock_sock(s->sk); //(1) | s->ax25_dev = NULL; | ... release_sock(s->sk); //(2) | ... | The root cause is that the sock is set to null before dereference site (1) or (2). Therefore, this patch extracts the ax25_cb->sock in advance, and uses ax25_list_lock to protect it, which can synchronize with ax25_cb_del() and ensure the value of sock is not null before dereference sites. The concurrency UAF bug can be shown as below: ax25_kill_by_device() | ax25_release() | ax25_destroy_socket() ... | ... | sock_put(sk); //FREE lock_sock(s->sk); //(1) | s->ax25_dev = NULL; | ... release_sock(s->sk); //(2) | ... | The root cause is that the sock is released before dereference site (1) or (2). Therefore, this patch uses sock_hold() to increase the refcount of sock and uses ax25_list_lock to protect it, which can synchronize with ax25_cb_del() in ax25_destroy_socket() and ensure the sock wil not be released before dereference sites. Signed-off-by: Duoming Zhou Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ax25/af_ax25.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 02f43f3e2c564..44a8730c26acc 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -77,6 +77,7 @@ static void ax25_kill_by_device(struct net_device *dev) { ax25_dev *ax25_dev; ax25_cb *s; + struct sock *sk; if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL) return; @@ -85,13 +86,15 @@ static void ax25_kill_by_device(struct net_device *dev) again: ax25_for_each(s, &ax25_list) { if (s->ax25_dev == ax25_dev) { + sk = s->sk; + sock_hold(sk); spin_unlock_bh(&ax25_list_lock); - lock_sock(s->sk); + lock_sock(sk); s->ax25_dev = NULL; - release_sock(s->sk); + release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); - + sock_put(sk); /* The entry could have been deleted from the * list meanwhile and thus the next pointer is * no longer valid. Play it safe and restart -- 2.34.1