From patchwork Fri Apr 15 17:49:26 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 563092
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 1/8] ax25: add refcount in ax25_dev to avoid UAF bugs
Date: Fri, 15 Apr 2022 20:49:26 +0300
Message-Id: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: stable@vger.kernel.org
From: Duoming Zhou

commit d01ffb9eee4af165d83b08dd73ebdf9fe94a519b upstream.

If we dereference ax25_dev after we call kfree(ax25_dev) in
ax25_dev_device_down(), it will lead to concurrency UAF bugs. There are
eight syscall functions that suffer from UAF bugs, including ax25_bind(),
ax25_release(), ax25_connect(), ax25_ioctl(), ax25_getname(),
ax25_sendmsg(), ax25_getsockopt() and ax25_info_show().

One of the concurrency UAFs is shown below:

      (USE)                   |    (FREE)
                              |  ax25_device_event
                              |    ax25_dev_device_down
ax25_bind                     |    ...
  ...                         |    kfree(ax25_dev)
  ax25_fillin_cb()            |    ...
    ax25_fillin_cb_from_dev() |
  ...                         |

The root cause of the UAF bugs is that kfree(ax25_dev) in
ax25_dev_device_down() is not protected by any locks. When ax25_dev, to
which there are still pointers, is released, the concurrency UAF bug will
happen.

This patch introduces a refcount into ax25_dev in order to guarantee that
there are no pointers pointing to it when ax25_dev is released.

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.10: adjusted context]
Signed-off-by: Ovidiu Panait
---
 include/net/ax25.h    | 10 ++++++++++
 net/ax25/af_ax25.c    |  2 ++
 net/ax25/ax25_dev.c   | 12 ++++++++++--
 net/ax25/ax25_route.c |  3 +++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h index 8b7eb46ad72d..d81bfb674906 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -236,6 +236,7 @@ typedef struct ax25_dev { #if defined(CONFIG_AX25_DAMA_SLAVE) || defined(CONFIG_AX25_DAMA_MASTER) ax25_dama_info dama; #endif + refcount_t refcount; } ax25_dev; typedef struct ax25_cb { @@ -290,6 +291,15 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } +#define ax25_dev_hold(__ax25_dev) \ + refcount_inc(&((__ax25_dev)->refcount)) + +static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +{ + if (refcount_dec_and_test(&ax25_dev->refcount)) { + kfree(ax25_dev); + } +} static inline __be16 ax25_type_trans(struct sk_buff *skb, struct net_device *dev) { skb->dev = dev;
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 9e0eef7fe9ad..7da36517d4f3 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -98,6 +98,7 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; + ax25_dev_put(ax25_dev); release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); @@ -446,6 +447,7 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) } out_put: + ax25_dev_put(ax25_dev); ax25_cb_put(ax25); return ret; diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 4ac2e0847652..2c845ff1d036 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -37,6 +37,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) if (ax25cmp(addr, (ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; + ax25_dev_hold(ax25_dev); } spin_unlock_bh(&ax25_dev_lock); @@ -56,6 +57,7 @@ void ax25_dev_device_up(struct net_device *dev) return; } + refcount_set(&ax25_dev->refcount, 1); dev->ax25_ptr = ax25_dev; ax25_dev->dev = dev; dev_hold(dev); @@ -83,6 +85,7 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; + ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); ax25_register_dev_sysctl(ax25_dev); @@ -112,20 +115,22 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } 
@@ -133,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + ax25_dev_put(ax25_dev); } int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) @@ -149,6 +155,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) if (ax25_dev->forward != NULL) return -EINVAL; ax25_dev->forward = fwd_dev->dev; + ax25_dev_put(fwd_dev); break; case SIOCAX25DELFWD: @@ -161,6 +168,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) return -EINVAL; } + ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index b40e0bce67ea..ed8cf2983f8a 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c @@ -116,6 +116,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; + ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); @@ -172,6 +173,7 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return 0; 
@@ -214,6 +216,7 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return err; }
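Review bot: in the include/net/ax25.h hunk at @@ -290, ax25_dev_hold() is introduced as a macro while ax25_dev_put() right below it is a static inline; define both as inline functions (static inline void ax25_dev_hold(ax25_dev *ax25_dev) { refcount_inc(&ax25_dev->refcount); }) so the argument is type-checked and evaluated once, and the pair is consistent with itself. The braces around the single kfree() in ax25_dev_put() can also go.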
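Review bot: in the net/ax25/ax25_dev.c hunk at @@ -37, the new ax25_dev_hold(ax25_dev) in ax25_addr_ax25dev() sits inside a loop that has no break after a match, so if two list entries compare equal with ax25cmp() each one is held but only the last is returned, and the earlier reference is never dropped. Add a `break;` after `ax25_dev_hold(ax25_dev);` (or hold `res` once after the loop) so the caller receives exactly one reference.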
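Review bot: in the ax25_fwd_ioctl() hunks at @@ -149 and @@ -161, the only ax25_dev_put(ax25_dev) is the one placed before the final `return 0;`, so the `return -EINVAL;` exits inside the switch return with the reference from ax25_addr_ax25dev() still held; the one visible above `ax25_dev->forward = fwd_dev->dev;` also returns after fwd_dev has been looked up and never puts it. The same shape appears in ax25_ctl_ioctl() at @@ -446, where only the `out_put:` label puts. Every exit after the lookup has to drop the reference; a single `out:` label that does the put is the least error-prone way to get there.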
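Review bot: the ax25_dev_put(ax25_dev) added in ax25_kill_by_device() at @@ -98 assumes that a socket's ax25_dev pointer carries its own reference, taken through ax25_addr_ax25dev() when the socket was bound, yet no hunk touches the normal socket teardown path (ax25_release() is listed in the commit message as a UAF site but is not changed here). If that path does not put, a socket closed without a device-down event leaks its reference and the device can never reach zero; please confirm the teardown path balances the hold, or add the matching put there.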
From patchwork Fri Apr 15 17:49:27 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 562178
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 2/8] ax25: fix reference count leaks of ax25_dev
Date: Fri, 15 Apr 2022 20:49:27 +0300
Message-Id: <20220415174933.1076972-2-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
References: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
X-Mailing-List: stable@vger.kernel.org

From: Duoming Zhou

commit 87563a043cef044fed5db7967a75741cc16ad2b1 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid
UAF bugs") introduces refcount into ax25_dev, but there are reference leak
paths in ax25_ctl_ioctl(), ax25_fwd_ioctl(), ax25_rt_add(), ax25_rt_del()
and ax25_rt_opt().

This patch uses ax25_dev_put() and adjusts the position of
ax25_addr_ax25dev() to fix reference count leaks of ax25_dev.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Signed-off-by: Duoming Zhou
Reviewed-by: Dan Carpenter
Link: https://lore.kernel.org/r/20220203150811.42256-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski
[OP: backport to 5.10: adjust context]
Signed-off-by: Ovidiu Panait
---
 include/net/ax25.h    |  8 +++++---
 net/ax25/af_ax25.c    | 12 ++++++++----
 net/ax25/ax25_dev.c   | 24 +++++++++++++++++-------
 net/ax25/ax25_route.c | 16 +++++++++++-----
 4 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h index d81bfb674906..aadff553e4b7 100644 --- a/include/net/ax25.h
+++ b/include/net/ax25.h @@ -291,10 +291,12 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } -#define ax25_dev_hold(__ax25_dev) \ - refcount_inc(&((__ax25_dev)->refcount)) +static inline void ax25_dev_hold(ax25_dev *ax25_dev) +{ + refcount_inc(&ax25_dev->refcount); +} -static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +static inline void ax25_dev_put(ax25_dev *ax25_dev) { if (refcount_dec_and_test(&ax25_dev->refcount)) { kfree(ax25_dev); diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 7da36517d4f3..c1ea187f56e8 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -366,21 +366,25 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl))) return -EFAULT; - if ((ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr)) == NULL) - return -ENODEV; - if (ax25_ctl.digi_count > AX25_MAX_DIGIS) return -EINVAL; if (ax25_ctl.arg > ULONG_MAX / HZ && ax25_ctl.cmd != AX25_KILL) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr); + if (!ax25_dev) + return -ENODEV; + digi.ndigi = ax25_ctl.digi_count; for (k = 0; k < digi.ndigi; k++) digi.calls[k] = ax25_ctl.digi_addr[k]; - if ((ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev)) == NULL) + ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev); + if (!ax25) { + ax25_dev_put(ax25_dev); return -ENOTCONN; + } switch (ax25_ctl.cmd) { case AX25_KILL: diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 2c845ff1d036..d2e0cc67d91a 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -85,8 +85,8 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; - ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_hold(ax25_dev); ax25_register_dev_sysctl(ax25_dev); } 
@@ -115,8 +115,8 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -126,8 +126,8 @@ void ax25_dev_device_down(struct net_device *dev) while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -150,25 +150,35 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) switch (cmd) { case SIOCAX25ADDFWD: - if ((fwd_dev = ax25_addr_ax25dev(&fwd->port_to)) == NULL) + fwd_dev = ax25_addr_ax25dev(&fwd->port_to); + if (!fwd_dev) { + ax25_dev_put(ax25_dev); return -EINVAL; - if (ax25_dev->forward != NULL) + } + if (ax25_dev->forward) { + ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = fwd_dev->dev; ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); break; case SIOCAX25DELFWD: - if (ax25_dev->forward == NULL) + if (!ax25_dev->forward) { + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = NULL; + ax25_dev_put(ax25_dev); break; default: + ax25_dev_put(ax25_dev); return -EINVAL; } - ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index ed8cf2983f8a..dc2168d2a32a 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c @@ -75,11 +75,13 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_dev *ax25_dev; int i; - if ((ax25_dev = ax25_addr_ax25dev(&route->port_addr)) == NULL) - return -EINVAL; if (route->digi_count > AX25_MAX_DIGIS) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&route->port_addr); + if (!ax25_dev) + return -EINVAL; + write_lock_bh(&ax25_route_lock); ax25_rt = ax25_route_list; 
@@ -91,6 +93,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -101,6 +104,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) } } write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } ax25_rt = ax25_rt->next; @@ -108,6 +112,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if ((ax25_rt = kmalloc(sizeof(ax25_route), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } @@ -116,11 +121,11 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; - ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); kfree(ax25_rt); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -133,6 +138,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->next = ax25_route_list; ax25_route_list = ax25_rt; write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } @@ -173,8 +179,8 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } 
@@ -216,8 +222,8 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return err; }
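Review bot: in the net/ax25/ax25_dev.c hunk at @@ -85, moving ax25_dev_hold(ax25_dev) to after spin_unlock_bh(&ax25_dev_lock) makes the device reachable through ax25_dev_list while its refcount is still the single one from refcount_set(); if ax25_dev_device_down() could run in that window, its two puts (now also outside the lock, at @@ -115 and @@ -126) would free the object before the pending hold runs. This is only safe because device up/down are serialized by the netdev notifier path, which deserves a comment; otherwise keep the hold where it was, since taking the reference before publishing the pointer is the ordering that does not depend on an outside lock.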
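Review bot: the ax25_fwd_ioctl() hunk at @@ -150 now carries five separate ax25_dev_put(ax25_dev) calls, one per switch exit, in place of the single put it removes before `return 0;`. A single exit (`ret = -EINVAL; break;` into one put before `return ret;`, or a `goto out;` label) would leave one place to keep right; the leak this patch fixes came from exactly this kind of scattered return, so the fix should not reproduce the shape.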
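Review bot: moving ax25_addr_ax25dev() below the `route->digi_count > AX25_MAX_DIGIS` check in ax25_rt_add() at @@ -75 is the right way to close the -EINVAL leak (no reference is taken yet, so nothing needs dropping), and the puts are now paired with every write_unlock_bh() through @@ -133. The function still has five unlock-and-put exits, though; one `out:` label doing the unlock, the put and `return ret;` would keep the next early return from missing the put. Dropping the reference after the unlock is fine here because the route stores ax25_dev->dev, not ax25_dev, so the ax25_dev reference is only needed for the duration of the call.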
From patchwork Fri Apr 15 17:49:28 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 562177
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 3/8] ax25: fix UAF bugs of net_device caused by rebinding operation
Date: Fri, 15 Apr 2022 20:49:28 +0300
Message-Id: <20220415174933.1076972-3-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
References: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit feef318c855a361a1eccd880f33e88c460eb63b4 upstream.

The ax25_kill_by_device() will set s->ax25_dev = NULL and call ax25_disconnect() to change states of ax25_cb and sock, if we call ax25_bind() before ax25_kill_by_device().

However, if we call ax25_bind() again between the window of ax25_kill_by_device() and ax25_dev_device_down(), the values and states changed by ax25_kill_by_device() will be reassigned.

Finally, ax25_dev_device_down() will deallocate net_device. If we dereference net_device in syscall functions such as ax25_release(), ax25_sendmsg(), ax25_getsockopt(), ax25_getname() and ax25_info_show(), a UAF bug will occur.

One of the possible race conditions is shown below:

      (USE)                   |      (FREE)
ax25_bind()                   |
                              |  ax25_kill_by_device()
ax25_bind()                   |
ax25_connect()                |    ...
                              |  ax25_dev_device_down()
                              |    ...
                              |    dev_put_track(dev, ...) //FREE
ax25_release()                |    ...
  ax25_send_control()         |
    alloc_skb()      //USE    |

The corresponding fail log is shown below:

===============================================================
BUG: KASAN: use-after-free in ax25_send_control+0x43/0x210
...
Call Trace:
...
ax25_send_control+0x43/0x210
ax25_release+0x2db/0x3b0
__sock_release+0x6d/0x120
sock_close+0xf/0x20
__fput+0x11f/0x420
...
Allocated by task 1283:
...
__kasan_kmalloc+0x81/0xa0
alloc_netdev_mqs+0x5a/0x680
mkiss_open+0x6c/0x380
tty_ldisc_open+0x55/0x90
...
Freed by task 1969:
...
kfree+0xa3/0x2c0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
tty_ldisc_kill+0x3e/0x80
...

In order to fix these UAF bugs caused by rebinding operation, this patch adds dev_hold_track() into ax25_bind() and corresponding dev_put_track() into ax25_kill_by_device().

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.10: adjust dev_put_track()->dev_put() and dev_hold_track()->dev_hold()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index c1ea187f56e8..de80989d672a 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -98,6 +98,7 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; + dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); release_sock(sk); ax25_disconnect(s, ENETUNREACH); 
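Review bot: the new dev_put(ax25_dev->dev) balances the dev_hold() added to ax25_bind() only for an ax25_cb that is still reachable from ax25_list when this loop runs; a cb that ax25_cb_del() has already unlinked (ax25_release() -> ax25_destroy_socket()) never reaches this branch and keeps both the net_device and the ax25_dev reference, which is the leak patch 4/8 of this series then has to fix. A one-line comment above `dev_put(ax25_dev->dev);` naming the hold it pairs with would help, since `s->ax25_dev = NULL;` on the previous line means a reader cannot see the pairing from the loop body alone.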
@@ -1122,8 +1123,10 @@ static int ax25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) } } - if (ax25_dev != NULL) + if (ax25_dev) { ax25_fillin_cb(ax25, ax25_dev); + dev_hold(ax25_dev->dev); + } done: ax25_cb_add(ax25);
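Review bot: the hunk takes a dev_hold() on every successful bind, but the race in the description is a second ax25_bind() on the same socket, and nothing in this hunk drops the reference taken by the first bind before the new device is stored; unless an earlier part of ax25_bind() outside the hunk releases the old ax25_dev (or a rebind is only reachable after ax25_kill_by_device() has already done the put), each extra bind leaks one net_device reference. The commit message should say how rebinding balances, or the hold should be taken only when ax25->ax25_dev actually changes. The `if (ax25_dev != NULL)` to `if (ax25_dev) {` rewrite is fine kernel style and is justified here because the body grew to two statements.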
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 4/8] ax25: Fix refcount leaks caused by ax25_cb_del()
Date: Fri, 15 Apr 2022 20:49:29 +0300
Message-Id: <20220415174933.1076972-4-ovidiu.panait@windriver.com>
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 9fd75b66b8f68498454d685dc4ba13192ae069b0 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") and commit feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation") increase the refcounts of ax25_dev and net_device in ax25_bind() and decrease the matching refcounts in ax25_kill_by_device() in order to prevent UAF bugs, but there are reference count leaks.

The root cause of refcount leaks is shown below:

(Thread 1)                      |     (Thread 2)
ax25_bind()                     |
 ...                            |
 ax25_addr_ax25dev()            |
  ax25_dev_hold()      //(1)    |
  ...                           |
 dev_hold_track()      //(2)    |
 ...                            |  ax25_destroy_socket()
                                |   ax25_cb_del()
                                |    ...
                                |    hlist_del_init()  //(3)
                                |
(Thread 3)                      |
ax25_kill_by_device()           |
 ...                            |
 ax25_for_each(s, &ax25_list) { |
  if (s->ax25_dev == ax25_dev)  //(4)
   ...                          |

Firstly, we use ax25_bind() to increase the refcount of ax25_dev in position (1) and increase the refcount of net_device in position (2). Then, we use ax25_cb_del() invoked by ax25_destroy_socket() to delete ax25_cb in hlist in position (3) before calling ax25_kill_by_device(). Finally, the decrements of refcounts in ax25_kill_by_device() will not be executed, because no s->ax25_dev equals ax25_dev in position (4).

This patch adds decrements of refcounts in ax25_release() and uses lock_sock() to do synchronization. If refcounts decrease in ax25_release(), the decrements of refcounts in ax25_kill_by_device() will not be executed and vice versa.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Fixes: 87563a043cef ("ax25: fix reference count leaks of ax25_dev")
Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
Reported-by: Thomas Osterried
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.10: adjust dev_put_track()->dev_put()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index de80989d672a..c2ac5a43c641 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -98,8 +98,10 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; - dev_put(ax25_dev->dev); - ax25_dev_put(ax25_dev); + if (sk->sk_socket) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); 
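Review bot: the `if (sk->sk_socket)` guard encodes a non-obvious protocol that is not written down anywhere in the hunk: ax25_release() now calls sock_orphan(sk) under lock_sock() (second hunk of this patch), so a NULL sk_socket observed here under the same lock means release has already dropped both references. That invariant deserves a comment at the check, otherwise the condition reads as an unrelated sanity test; it is also the only thing standing between this loop and a second dev_put()/ax25_dev_put() on a device release has already put, so a future reader simplifying the condition would reintroduce the underflow.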
@@ -978,14 +980,20 @@ static int ax25_release(struct socket *sock) { struct sock *sk = sock->sk; ax25_cb *ax25; + ax25_dev *ax25_dev; if (sk == NULL) return 0; sock_hold(sk); - sock_orphan(sk); lock_sock(sk); + sock_orphan(sk); ax25 = sk_to_ax25(sk); + ax25_dev = ax25->ax25_dev; + if (ax25_dev) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } if (sk->sk_type == SOCK_SEQPACKET) { switch (ax25->state) {
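Review bot: the dev_put()/ax25_dev_put() pair is placed before the `switch (ax25->state)` that, per the call trace in the description of patch 5/8 (ax25_release -> ax25_send_control), still dereferences ax25->ax25_dev; when these are the last two references the state-machine code below runs on freed memory. The puts belong at the end of ax25_release(), after ax25_destroy_socket(), which is exactly the move patch 5/8 of this series makes, so it would be cleaner to fold that ordering into this patch than to land the leak fix and the UAF fix separately in stable. Moving sock_orphan(sk) under lock_sock() is correct and is required for the sk_socket check in the first hunk to mean anything.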
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 5/8] ax25: fix UAF bug in ax25_send_control()
Date: Fri, 15 Apr 2022 20:49:30 +0300
Message-Id: <20220415174933.1076972-5-ovidiu.panait@windriver.com>
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 5352a761308397a0e6250fdc629bb3f615b94747 upstream.

There are UAF bugs in ax25_send_control(), when we call ax25_release() to deallocate ax25_dev. The possible race condition is shown below:

      (Thread 1)               |     (Thread 2)
ax25_dev_device_up() //(1)     |
                               | ax25_kill_by_device()
ax25_bind()          //(2)     |
ax25_connect()                 |  ...
 ax25->state = AX25_STATE_1    |
 ...                           | ax25_dev_device_down() //(3)

      (Thread 3)
ax25_release()                 |
 ax25_dev_put()      //(4) FREE|
 case AX25_STATE_1:            |
  ax25_send_control()          |
   alloc_skb()       //USE     |

The refcount of ax25_dev increases in position (1) and (2), and decreases in position (3) and (4). The ax25_dev will be freed before dereference sites in ax25_send_control().

The following is part of the report:

[  102.297448] BUG: KASAN: use-after-free in ax25_send_control+0x33/0x210
[  102.297448] Read of size 8 at addr ffff888009e6e408 by task ax25_close/602
[  102.297448] Call Trace:
[  102.303751] ax25_send_control+0x33/0x210
[  102.303751] ax25_release+0x356/0x450
[  102.305431] __sock_release+0x6d/0x120
[  102.305431] sock_close+0xf/0x20
[  102.305431] __fput+0x11f/0x420
[  102.305431] task_work_run+0x86/0xd0
[  102.307130] get_signal+0x1075/0x1220
[  102.308253] arch_do_signal_or_restart+0x1df/0xc00
[  102.308253] exit_to_user_mode_prepare+0x150/0x1e0
[  102.308253] syscall_exit_to_user_mode+0x19/0x50
[  102.308253] do_syscall_64+0x48/0x90
[  102.308253] entry_SYSCALL_64_after_hwframe+0x44/0xae
[  102.308253] RIP: 0033:0x405ae7

This patch defers the free operation of ax25_dev and net_device after all corresponding dereference sites in ax25_release() to avoid UAF.

Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
Signed-off-by: Duoming Zhou
Signed-off-by: Paolo Abeni
[OP: backport to 5.10: adjust dev_put_track()->dev_put()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index c2ac5a43c641..f6594dcd36a2 100644
--- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -990,10 +990,6 @@ static int ax25_release(struct socket *sock) sock_orphan(sk); ax25 = sk_to_ax25(sk); ax25_dev = ax25->ax25_dev; - if (ax25_dev) { - dev_put(ax25_dev->dev); - ax25_dev_put(ax25_dev); - } if (sk->sk_type == SOCK_SEQPACKET) { switch (ax25->state) { 
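Review bot: with the put block removed, the `ax25_dev = ax25->ax25_dev;` line kept above it is now a snapshot whose only consumer sits at the bottom of the function (next hunk), about sixty lines away; a short comment on that assignment saying the snapshot is taken under lock_sock() so that a concurrent ax25_kill_by_device() clearing ax25->ax25_dev cannot make release skip its put would save the next reader a trip through both hunks.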
@@ -1055,6 +1051,10 @@ static int ax25_release(struct socket *sock) sk->sk_state_change(sk); ax25_destroy_socket(ax25); } + if (ax25_dev) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } sock->sk = NULL; release_sock(sk);
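Review bot: the puts now run after ax25_destroy_socket(ax25) and use the local `ax25_dev` snapshot rather than ax25->ax25_dev, which is what keeps them valid once the cb has been torn down; the commit message should say so, and should also note that the `if (sk->sk_socket)` guard in ax25_kill_by_device() (patch 4/8) is what prevents a second put while release still holds the socket lock, since neither fact is visible from this hunk. Worth confirming in review that nothing on this path frees `ax25` itself before `sock->sk = NULL`, as the variable is not touched after ax25_destroy_socket() and the snapshot is the only reason that is safe.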
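The reference-count protocol that patches 3/8 to 5/8 above argue over (hold in ax25_bind(), put in ax25_kill_by_device(), the leak when the cb has already left ax25_list, the double put that the sk_socket guard prevents, and the put-before-use that 5/8 moves to the end of ax25_release()) is easier to reason about with a small user-space model. The following is an added example written for this page; it is not kernel code and not part of the series. Every identifier in it is a constructed stand-in (the `_m` suffix marks the model), and an explicit `freed` flag replaces real memory reuse so that a use-after-free is reported as a return value instead of being undefined behaviour.

```c
/* Added example, not kernel code: a user-space model of the ax25_dev
 * reference-count protocol argued over in patches 3/8 to 5/8. Every name is
 * a constructed stand-in (the _m suffix marks the model); an explicit
 * "freed" flag replaces memory reuse so a use-after-free is returned as a
 * value instead of being undefined behaviour. */
#include <stdio.h>

struct dev_model { int refcnt; int freed; };   /* ax25_dev + its net_device */
struct cb_model {                               /* one socket's ax25_cb */
    struct dev_model *dev;   /* ax25->ax25_dev */
    int in_list;             /* still linked in ax25_list */
    int has_socket;          /* sk->sk_socket != NULL, i.e. not orphaned */
};

static void dev_hold_m(struct dev_model *d) { d->refcnt++; }
static void dev_put_m(struct dev_model *d) { if (--d->refcnt == 0) d->freed = 1; }
/* A dereference like the one in ax25_send_control(): 0 ok, -1 UAF. */
static int dev_use_m(const struct dev_model *d) { return d->freed ? -1 : 0; }

static struct cb_model cbs[8];
static int ncb;

/* ax25_bind(): record the device and take the reference (patch 3/8). */
static struct cb_model *bind_m(struct dev_model *d)
{
    struct cb_model *cb = &cbs[ncb++];
    cb->dev = d; cb->in_list = 1; cb->has_socket = 1;
    dev_hold_m(d);
    return cb;
}

/* ax25_kill_by_device(): drop the bind reference of every cb still listed.
 * guard=1 is patch 4/8's "if (sk->sk_socket)": skip sockets whose release
 * has already dropped the reference. */
static void kill_by_device_m(struct dev_model *d, int guard)
{
    for (int i = 0; i < ncb; i++) {
        struct cb_model *cb = &cbs[i];
        if (!cb->in_list || cb->dev != d) continue;
        if (guard && !cb->has_socket) continue;
        cb->dev = NULL;
        dev_put_m(d);
    }
}

/* ax25_dev_device_down(): drop the reference taken when the device came up. */
static void device_down_m(struct dev_model *d) { dev_put_m(d); }

/* ax25_release(). mode 0: before 4/8 (no put here); mode 1: 4/8 (put before
 * the state machine touches the device); mode 2: 5/8 (put after the last
 * dereference). Returns the dereference result: 0 ok, -1 use-after-free. */
static int release_m(struct cb_model *cb, int mode)
{
    struct dev_model *d = cb->dev;   /* snapshot, as ax25_release() does */
    int rc = 0;
    cb->has_socket = 0;              /* sock_orphan() under lock_sock() */
    if (mode == 1 && d) dev_put_m(d);
    if (d) rc = dev_use_m(d);        /* ax25_send_control() -> alloc_skb() */
    cb->in_list = 0;                 /* ax25_destroy_socket() -> ax25_cb_del() */
    if (mode == 2 && d) dev_put_m(d);
    return rc;
}

/* Patch 4/8's leak: the socket closes before NETDEV_DOWN, so the cb has left
 * the list when kill_by_device runs. Returns the final refcount; 0 means
 * every reference came back. */
static int scenario_close_before_down(int release_mode, int guard)
{
    struct dev_model d = { 1, 0 };      /* ax25_dev_device_up() */
    ncb = 0;
    struct cb_model *cb = bind_m(&d);   /* refcnt 2 */
    release_m(cb, release_mode);
    kill_by_device_m(&d, guard);
    device_down_m(&d);
    return d.refcnt;
}

/* Patch 5/8's UAF: kill_by_device ran before bind and device_down dropped the
 * "up" reference, so bind's reference is the last one when release runs.
 * Returns -1 if release dereferenced the device after freeing it. */
static int scenario_release_after_down(int release_mode)
{
    struct dev_model d = { 1, 0 };
    ncb = 0;
    kill_by_device_m(&d, 1);            /* nothing bound yet: no-op */
    struct cb_model *cb = bind_m(&d);   /* refcnt 2 */
    device_down_m(&d);                  /* refcnt 1, bind's reference only */
    return release_m(cb, release_mode);
}

/* Why 4/8 checks sk->sk_socket: release has orphaned the socket and dropped
 * its reference, ax25_cb_del() has not run yet, and kill_by_device takes the
 * lock next. Returns the final refcount: 0 balanced, -1 double put. */
static int scenario_double_put(int guard)
{
    struct dev_model d = { 1, 0 };
    ncb = 0;
    struct cb_model *cb = bind_m(&d);   /* refcnt 2 */
    cb->has_socket = 0;                 /* ax25_release(): sock_orphan() ... */
    dev_put_m(&d);                      /* ... and its put, refcnt 1 */
    kill_by_device_m(&d, guard);        /* cb still listed at this point */
    cb->in_list = 0;                    /* ax25_cb_del() runs afterwards */
    device_down_m(&d);
    return d.refcnt;
}

int main(void)
{
    printf("close before down: pre-4/8 refcnt=%d, 5/8 refcnt=%d\n",
           scenario_close_before_down(0, 0), scenario_close_before_down(2, 1));
    printf("release after down: 4/8 use=%d, 5/8 use=%d\n",
           scenario_release_after_down(1), scenario_release_after_down(2));
    printf("double put: unguarded refcnt=%d, guarded refcnt=%d\n",
           scenario_double_put(0), scenario_double_put(1));
    return 0;
}
```

Each scenario returns a number a reviewer can check against the commit messages: the pre-4/8 close-before-down run ends with one reference never returned, the 4/8 ordering reports a dereference after the last put, and the unguarded kill loop drives the count below zero, while the 5/8 ordering with the sk_socket guard ends every run at zero with no use after the final put. The model deliberately serialises the threads in the order the diagrams show; it says nothing about interleavings the diagrams do not cover.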
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 6/8] ax25: fix NPD bug in ax25_disconnect
Date: Fri, 15 Apr 2022 20:49:31 +0300
Message-Id: <20220415174933.1076972-6-ovidiu.panait@windriver.com>
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10 upstream.

The ax25_disconnect() in ax25_kill_by_device() is not protected by any locks, thus there is a race condition between ax25_disconnect() and ax25_destroy_socket(). When ax25->sk is assigned as NULL by ax25_destroy_socket(), a NULL pointer dereference bug will occur if site (1) or (2) dereferences ax25->sk.

ax25_kill_by_device()             | ax25_release()
  ax25_disconnect()               |   ax25_destroy_socket()
    ...                           |     if(ax25->sk != NULL)
                                  |     ...
    ...                           |     ax25->sk = NULL;
    bh_lock_sock(ax25->sk);   //(1)|     ...
    ...                           |
    bh_unlock_sock(ax25->sk); //(2)|

This patch moves ax25_disconnect() into lock_sock(), which can synchronize with ax25_destroy_socket() in ax25_release().

Fail log:

===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000088
...
RIP: 0010:_raw_spin_lock+0x7e/0xd0
...
Call Trace:
ax25_disconnect+0xf6/0x220
ax25_device_event+0x187/0x250
raw_notifier_call_chain+0x5e/0x70
dev_close_many+0x17d/0x230
rollback_registered_many+0x1f1/0x950
unregister_netdevice_queue+0x133/0x200
unregister_netdev+0x13/0x20
...

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.10: adjust context]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index f6594dcd36a2..b1e36d48b07c 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c
@@ -102,8 +102,8 @@ static void ax25_kill_by_device(struct net_device *dev) dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); } - release_sock(sk); ax25_disconnect(s, ENETUNREACH); + release_sock(sk); spin_lock_bh(&ax25_list_lock); sock_put(sk); /* The entry could have been deleted from the
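Review bot: moving ax25_disconnect(s, ENETUNREACH) under lock_sock() closes the race with ax25_destroy_socket(), but in this hunk it now runs after the context lines have already executed dev_put(ax25_dev->dev) and ax25_dev_put(ax25_dev), and (as the af_ax25.c hunk of patch 7/8 in this series shows) after s->ax25_dev = NULL earlier in the same function. ax25_disconnect() stops the timers with the non-synchronous ax25_stop_*timer() helpers, which do not wait for a handler that is already executing on another CPU, so a heartbeat/t1/t2/t3/idle expiry in flight can still dereference ax25->ax25_dev past this point. Suggest calling ax25_disconnect() before s->ax25_dev is cleared and before the dev_put()/ax25_dev_put() pair, and stopping the timers synchronously on this path; patch 7/8 does exactly that, so 6/8 should not be picked into a stable tree without it.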
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 7/8] ax25: Fix NULL pointer dereferences in ax25 timers
Date: Fri, 15 Apr 2022 20:49:32 +0300
Message-Id: <20220415174933.1076972-7-ovidiu.panait@windriver.com>
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
References: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 upstream.

The previous commit 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect") moved ax25_disconnect() into lock_sock() in order to prevent NPD bugs. But there are race conditions that may lead to null pointer dereferences in ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(), ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we use ax25_kill_by_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be shown as below:

(Thread 1)                          | (Thread 2)
ax25_connect()                      |
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              |
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_kill_by_device()
(wait a time)                       |  ...
                                    |  s->ax25_dev = NULL; //(1)
ax25_t1timer_expiry()               |
 ax25->ax25_dev->values[..] //(2)   |
 ...                                | ...

We set null to ax25_cb->ax25_dev in position (1) and dereference the null pointer in position (2).

The corresponding fail log is shown below:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25_t1timer_expiry+0x12/0x40
...
Call Trace:
call_timer_fn+0x21/0x120
__run_timers.part.0+0x1ca/0x250
run_timer_softirq+0x2c/0x60
__do_softirq+0xef/0x2f3
irq_exit_rcu+0xb6/0x100
sysvec_apic_timer_interrupt+0xa2/0xd0
...

This patch moves ax25_disconnect() before s->ax25_dev = NULL and uses del_timer_sync() to delete timers in ax25_disconnect(). If ax25_disconnect() is called by ax25_kill_by_device() or ax25->ax25_dev is NULL, the reason in ax25_disconnect() will be equal to ENETUNREACH, and it will wait for all timers to stop before we set null to s->ax25_dev in ax25_kill_by_device().

Fixes: 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.10: adjust context]
Signed-off-by: Ovidiu Panait --- net/ax25/af_ax25.c | 4 ++-- net/ax25/ax25_subr.c | 20 ++++++++++++++------ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index b1e36d48b07c..a665454d6770 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -89,20 +89,20 @@ static void ax25_kill_by_device(struct net_device *dev) sk = s->sk; if (!sk) { spin_unlock_bh(&ax25_list_lock); - s->ax25_dev = NULL; ax25_disconnect(s, ENETUNREACH); + s->ax25_dev = NULL; spin_lock_bh(&ax25_list_lock); goto again; } sock_hold(sk); spin_unlock_bh(&ax25_list_lock); lock_sock(sk); + ax25_disconnect(s, ENETUNREACH); s->ax25_dev = NULL; if (sk->sk_socket) { dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); } - ax25_disconnect(s, ENETUNREACH); release_sock(sk); spin_lock_bh(&ax25_list_lock); sock_put(sk); diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c index 15ab812c4fe4..3a476e4f6cd0 100644 --- a/net/ax25/ax25_subr.c +++ b/net/ax25/ax25_subr.c 
@@ -261,12 +261,20 @@ void ax25_disconnect(ax25_cb *ax25, int reason) { ax25_clear_queues(ax25); - if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) - ax25_stop_heartbeat(ax25); - ax25_stop_t1timer(ax25); - ax25_stop_t2timer(ax25); - ax25_stop_t3timer(ax25); - ax25_stop_idletimer(ax25); + if (reason == ENETUNREACH) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); + } else { + if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) + ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); + ax25_stop_t3timer(ax25); + ax25_stop_idletimer(ax25); + } ax25->state = AX25_STATE_0;
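Review bot: the af_ax25.c hunk (ax25_disconnect(s, ENETUNREACH) moved ahead of s->ax25_dev = NULL in both the !sk branch and the lock_sock() branch) is only correct because of a convention that is invisible at the call site: ax25_disconnect() waits for the timers synchronously solely when reason == ENETUNREACH. Nothing in ax25_kill_by_device() records that, so a later change that passes a different reason, or moves the assignment back above the call, would silently reintroduce the timer NULL dereference. Suggest a one-line comment above each call, e.g. /* ENETUNREACH makes ax25_disconnect() wait for the timers; must run before ax25_dev is cleared */, or an explicitly named helper such as ax25_disconnect_sync() so the intent lives in the function name rather than in the errno value.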
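Review bot: in the ax25_subr.c hunk, selecting del_timer_sync() by errno value needs two checks before this is picked. First, the commit message says reason is also ENETUNREACH when ax25->ax25_dev is NULL; del_timer_sync() busy-waits until any running handler has returned, so if any caller that can pass ENETUNREACH runs from one of the ax25 timer callbacks themselves, or otherwise from softirq context, this branch waits on itself. Every ENETUNREACH caller should be confirmed to be process context (ax25_kill_by_device() under lock_sock() is). Second, the new branch deletes &ax25->timer unconditionally, whereas the else branch keeps the existing !ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY) guard around ax25_stop_heartbeat(); if that guard exists to leave the heartbeat running on a SOCK_DESTROY socket, the ENETUNREACH path now behaves differently and the commit message should state why that is safe.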
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.10 8/8] ax25: Fix UAF bugs in ax25 timers
Date: Fri, 15 Apr 2022 20:49:33 +0300
Message-Id: <20220415174933.1076972-8-ovidiu.panait@windriver.com>
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
References: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 82e31755e55fbcea6a9dfaae5fe4860ade17cbc0 upstream.

There are race conditions that may lead to UAF bugs in ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(), ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we call ax25_release() to deallocate ax25_dev.

One of the UAF bugs caused by ax25_release() is shown below:

(Thread 1)                          | (Thread 2)
ax25_dev_device_up() //(1)          |
...                                 | ax25_kill_by_device()
ax25_bind() //(2)                   |
ax25_connect()                      | ...
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              | ax25_dev_device_down() //(3)
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_release()
(wait a time)                       |  ...
                                    |  ax25_dev_put(ax25_dev) //(4)FREE
ax25_t1timer_expiry()               |
 ax25->ax25_dev->values[..] //USE   |
 ...                                | ...

We increase the refcount of ax25_dev in position (1) and (2), and decrease the refcount of ax25_dev in position (3) and (4). The ax25_dev will be freed in position (4) and be used in ax25_t1timer_expiry().

The fail log is shown below:
==============================================================
[ 106.116942] BUG: KASAN: use-after-free in ax25_t1timer_expiry+0x1c/0x60
[ 106.116942] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0
[ 106.116942] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574
[ 106.116942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14
[ 106.116942] Call Trace:
...
[ 106.116942] ax25_t1timer_expiry+0x1c/0x60
[ 106.116942] call_timer_fn+0x122/0x3d0
[ 106.116942] __run_timers.part.0+0x3f6/0x520
[ 106.116942] run_timer_softirq+0x4f/0xb0
[ 106.116942] __do_softirq+0x1c2/0x651
...

This patch adds del_timer_sync() in ax25_release(), which could ensure that all timers stop before we deallocate ax25_dev.

Signed-off-by: Duoming Zhou
Signed-off-by: Paolo Abeni
[OP: backport to 5.10: adjust context]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index a665454d6770..5fff027f25fa 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1052,6 +1052,11 @@ static int ax25_release(struct socket *sock) ax25_destroy_socket(ax25); } if (ax25_dev) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); }
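Review bot: the five del_timer_sync() calls added under if (ax25_dev) duplicate, line for line, the ENETUNREACH branch that patch 7/8 adds to ax25_disconnect(); factor both into a single helper (say ax25_stop_timers_sync(ax25)) so the two teardown paths cannot drift apart the next time a timer is added or renamed. Placing them inside if (ax25_dev) also means a socket whose ax25_dev was already cleared by ax25_kill_by_device() skips the synchronous stop here and relies on that path having done it; that is fine with 7/8 applied first, which the series ordering guarantees, but the commit message should say so, since the hunk's guard makes the dependency look optional.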