From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Thomas Osterried, Duoming Zhou, "David S. Miller", Sasha Levin
Subject: [PATCH 5.4 11/43] ax25: Fix NULL pointer dereference in ax25_kill_by_device
Date: Mon, 14 Mar 2022 12:53:22 +0100
Message-Id: <20220314112734.736241254@linuxfoundation.org>
In-Reply-To: <20220314112734.415677317@linuxfoundation.org>
References: <20220314112734.415677317@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Duoming Zhou

[ Upstream commit 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac ]

When two ax25 devices attempt to establish a connection, the requester uses ax25_create(), ax25_bind() and ax25_connect() to initiate the connection. The receiver uses ax25_rcv() to accept the connection and uses ax25_create_cb() in ax25_rcv() to create the ax25_cb, but the ax25_cb->sk is NULL. When the receiver is detaching, a NULL pointer dereference bug caused by sock_hold(sk) in ax25_kill_by_device() will happen. The corresponding fail log is shown below:

===============================================================
BUG: KASAN: null-ptr-deref in ax25_device_event+0xfd/0x290
Call Trace:
...
ax25_device_event+0xfd/0x290
raw_notifier_call_chain+0x5e/0x70
dev_close_many+0x174/0x220
unregister_netdevice_many+0x1f7/0xa60
unregister_netdevice_queue+0x12f/0x170
unregister_netdev+0x13/0x20
mkiss_close+0xcd/0x140
tty_ldisc_release+0xc0/0x220
tty_release_struct+0x17/0xa0
tty_release+0x62d/0x670
...

This patch adds a condition check in ax25_kill_by_device(). If s->sk is NULL, it will go to the if branch to kill the device.

Fixes: 4e0f718daf97 ("ax25: improve the incomplete fix to avoid UAF and NPD bugs")
Reported-by: Thomas Osterried
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/ax25/af_ax25.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 184af6da0def..093b73c454d2 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -87,6 +87,13 @@ static void ax25_kill_by_device(struct net_device *dev) ax25_for_each(s, &ax25_list) { if (s->ax25_dev == ax25_dev) { sk = s->sk; + if (!sk) { + spin_unlock_bh(&ax25_list_lock); + s->ax25_dev = NULL; + ax25_disconnect(s, ENETUNREACH); + spin_lock_bh(&ax25_list_lock); + goto again; + } sock_hold(sk); spin_unlock_bh(&ax25_list_lock); lock_sock(sk);

-- 
2.34.1
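Review bot: In the new `if (!sk)` branch, `ax25_list_lock` is released before `s->ax25_dev = NULL` and `ax25_disconnect(s, ENETUNREACH)` run, but unlike the existing path just below it (which does `sock_hold(sk)` before dropping the lock), nothing pins `s` across that unlocked window, since there is no socket to hold. Either take a control-block reference (`ax25_cb_hold(s)` / `ax25_cb_put(s)`) around the unlocked section, or state in the commit message why `s` cannot be freed concurrently once the list lock is dropped. It would also help to say that `ax25_disconnect()` tolerates `ax25->sk == NULL`, since this branch hands it exactly the control block whose missing socket produced the reported null-ptr-deref.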