| Message ID | a60f2c4e9eb8cce9da01c5bd561684011f7fa7da.1627061136.git.lucien.xin@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [net-next] tipc: fix an use-after-free issue in tipc_recvmsg | expand |
Hello: This patch was applied to netdev/net-next.git (refs/heads/master): On Fri, 23 Jul 2021 13:25:36 -0400 you wrote: > syzbot reported an use-after-free crash: > > BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 > Call Trace: > tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 > sock_recvmsg_nosec net/socket.c:943 [inline] > sock_recvmsg net/socket.c:961 [inline] > sock_recvmsg+0xca/0x110 net/socket.c:957 > tipc_conn_rcv_from_sock+0x162/0x2f0 net/tipc/topsrv.c:398 > tipc_conn_recv_work+0xeb/0x190 net/tipc/topsrv.c:421 > process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 > worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 > > [...] Here is the summary with links: - [net-next] tipc: fix an use-after-free issue in tipc_recvmsg https://git.kernel.org/netdev/net-next/c/cc19862ffe45 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 9b0b311c7ec1..b0dd183a4dbc 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1973,10 +1973,12 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m, tipc_node_distr_xmit(sock_net(sk), &xmitq); } - if (!skb_cb->bytes_read) - tsk_advance_rx_queue(sk); + if (skb_cb->bytes_read) + goto exit; + + tsk_advance_rx_queue(sk); - if (likely(!connected) || skb_cb->bytes_read) + if (likely(!connected)) goto exit; /* Send connection flow control advertisement when applicable */
syzbot reported an use-after-free crash: BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 Call Trace: tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 sock_recvmsg_nosec net/socket.c:943 [inline] sock_recvmsg net/socket.c:961 [inline] sock_recvmsg+0xca/0x110 net/socket.c:957 tipc_conn_rcv_from_sock+0x162/0x2f0 net/tipc/topsrv.c:398 tipc_conn_recv_work+0xeb/0x190 net/tipc/topsrv.c:421 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 As Hoang pointed out, it was caused by skb_cb->bytes_read still accessed after calling tsk_advance_rx_queue() to free the skb in tipc_recvmsg(). This patch is to fix it by accessing skb_cb->bytes_read earlier than calling tsk_advance_rx_queue(). Fixes: f4919ff59c28 ("tipc: keep the skb in rcv queue until the whole data is read") Reported-by: syzbot+e6741b97d5552f97c24d@syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Jon Maloy <jmaloy@redhat.com> --- net/tipc/socket.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)