| Message ID | 20210303061654.127666-1-nixiaoming@huawei.com |
|---|---|
| Headers | show |
| Series | nfc: fix Resource leakage and endless loop | expand |
Hi xiaoming, the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem. if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name... Regards, kiyin. > -----Original Message----- > From: Xiaoming Ni [mailto:nixiaoming@huawei.com] > Sent: Wednesday, March 3, 2021 2:17 PM > To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>; > stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com; > linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org; > mkl@pengutronix.de; stefan@datenfreihafen.org; > matthieu.baerts@tessares.net; netdev@vger.kernel.org > Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com > Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated > llcp_sock_connect()(Internet mail) > > When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is > LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, > nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. > sk->sk_node->next will point to itself, that will make an endless loop and > hang-up the system. > To fix it, check whether sk->sk_state is LLCP_CONNECTING in > llcp_sock_connect() to avoid repeated invoking. > > fix CVE-2020-25673 > Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") > Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> > Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 > Cc: <stable@vger.kernel.org> #v3.11 > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> > --- > net/nfc/llcp_sock.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index > 59172614b249..a3b46f888803 100644 > --- a/net/nfc/llcp_sock.c > +++ b/net/nfc/llcp_sock.c > @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, > struct sockaddr *_addr, > ret = -EISCONN; > goto error; > } > + if (sk->sk_state == LLCP_CONNECTING) { > + ret = -EINPROGRESS; > + goto error; > + } > > dev = nfc_get_device(addr->dev_idx); > if (dev == NULL) { > -- > 2.27.0 >
On 2021/3/3 17:28, kiyin(尹亮) wrote: > Hi xiaoming, > the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem. > if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name... I didn't find the code to modify sk->sk_state after a connect failure. Can you provide guidance? Based on my understanding of the current code: After llcp_sock_connect() is invoked using the meaningless service_name as the parameter, sk->sk_state is set to LLCP_CONNECTING. After that, no corresponding service responds to the request because the service_name is meaningless, the value of sk->sk_state remains unchanged. Therefore, when llcp_sock_connect() is invoked again, resources such as llcp_sock->service_name are not repeatedly applied because sk_state is set to LLCP_CONNECTING. In this way, the repeated invoking of llcp_sock_connect() does not repeatedly leak resources. Thanks Xiaoming Ni > >> -----Original Message----- >> From: Xiaoming Ni [mailto:nixiaoming@huawei.com] >> Sent: Wednesday, March 3, 2021 2:17 PM >> To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>; >> stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com; >> linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org; >> mkl@pengutronix.de; stefan@datenfreihafen.org; >> matthieu.baerts@tessares.net; netdev@vger.kernel.org >> Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com >> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated >> llcp_sock_connect()(Internet mail) >> >> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is >> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, >> nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. >> sk->sk_node->next will point to itself, that will make an endless loop and >> hang-up the system. >> To fix it, check whether sk->sk_state is LLCP_CONNECTING in >> llcp_sock_connect() to avoid repeated invoking. >> >> fix CVE-2020-25673 >> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") >> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> >> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 >> Cc: <stable@vger.kernel.org> #v3.11 >> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> >> --- >> net/nfc/llcp_sock.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index >> 59172614b249..a3b46f888803 100644 >> --- a/net/nfc/llcp_sock.c >> +++ b/net/nfc/llcp_sock.c >> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, >> struct sockaddr *_addr, >> ret = -EISCONN; >> goto error; >> } >> + if (sk->sk_state == LLCP_CONNECTING) { >> + ret = -EINPROGRESS; >> + goto error; >> + } >> >> dev = nfc_get_device(addr->dev_idx); >> if (dev == NULL) { >> -- >> 2.27.0 >> >
On Wed, Mar 03, 2021 at 02:16:50PM +0800, Xiaoming Ni wrote: > fix Resource leakage and endless loop in net/nfc/llcp_sock.c, > reported by "kiyin(尹亮)". > > Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 What happened to this series? Does it need to be resent against the latest networking tree? thanks, greg k-h
fix Resource leakage and endless loop in net/nfc/llcp_sock.c, reported by "kiyin(尹亮)". Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Xiaoming Ni (4): nfc: fix refcount leak in llcp_sock_bind() nfc: fix refcount leak in llcp_sock_connect() nfc: fix memory leak in llcp_sock_connect() nfc: Avoid endless loops caused by repeated llcp_sock_connect() net/nfc/llcp_sock.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
Hello: This series was applied to netdev/net.git (refs/heads/master): On Thu, 25 Mar 2021 11:51:09 +0800 you wrote: > fix Resource leakage and endless loop in net/nfc/llcp_sock.c, > reported by "kiyin(尹亮)". > > Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 > > Xiaoming Ni (4): > nfc: fix refcount leak in llcp_sock_bind() > nfc: fix refcount leak in llcp_sock_connect() > nfc: fix memory leak in llcp_sock_connect() > nfc: Avoid endless loops caused by repeated llcp_sock_connect() > > [...] Here is the summary with links: - [resend,1/4] nfc: fix refcount leak in llcp_sock_bind() https://git.kernel.org/netdev/net/c/c33b1cc62ac0 - [resend,2/4] nfc: fix refcount leak in llcp_sock_connect() https://git.kernel.org/netdev/net/c/8a4cd82d62b5 - [resend,3/4] nfc: fix memory leak in llcp_sock_connect() https://git.kernel.org/netdev/net/c/7574fcdbdcb3 - [resend,4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() https://git.kernel.org/netdev/net/c/4b5db93e7f2a You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html