From patchwork Fri Apr 15 16:14:15 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 562182
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 1/8] ax25: add refcount in ax25_dev to avoid UAF bugs
Date: Fri, 15 Apr 2022 19:14:15 +0300
Message-Id: <20220415161422.1016735-2-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
References: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
X-Mailing-List: stable@vger.kernel.org
From: Duoming Zhou

commit d01ffb9eee4af165d83b08dd73ebdf9fe94a519b upstream.

If we dereference ax25_dev after we call kfree(ax25_dev) in
ax25_dev_device_down(), it will lead to concurrency UAF bugs.
Eight syscall functions suffer from UAF bugs, including ax25_bind(),
ax25_release(), ax25_connect(), ax25_ioctl(), ax25_getname(),
ax25_sendmsg(), ax25_getsockopt() and ax25_info_show().

One of the concurrency UAF bugs can be shown as below:

      (USE)                       |    (FREE)
                                  |  ax25_device_event
                                  |    ax25_dev_device_down
ax25_bind                         |    ...
  ...                             |    kfree(ax25_dev)
  ax25_fillin_cb()                |    ...
    ax25_fillin_cb_from_dev()     |
  ...                             |

The root cause of the UAF bugs is that kfree(ax25_dev) in
ax25_dev_device_down() is not protected by any locks. When ax25_dev,
which pointers still point to, is released, the concurrency UAF bug
will happen.

This patch introduces a refcount into ax25_dev in order to guarantee
that there are no pointers pointing to it when ax25_dev is released.

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.15: adjusted context]
Signed-off-by: Ovidiu Panait
---
 include/net/ax25.h    | 10 ++++++++++
 net/ax25/af_ax25.c    |  2 ++
 net/ax25/ax25_dev.c   | 12 ++++++++++--
 net/ax25/ax25_route.c |  3 +++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h index 8b7eb46ad72d..d81bfb674906 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -236,6 +236,7 @@ typedef struct ax25_dev { #if defined(CONFIG_AX25_DAMA_SLAVE) || defined(CONFIG_AX25_DAMA_MASTER) ax25_dama_info dama; #endif + refcount_t refcount; } ax25_dev; typedef struct ax25_cb { @@ -290,6 +291,15 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } +#define ax25_dev_hold(__ax25_dev) \ + refcount_inc(&((__ax25_dev)->refcount)) + +static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +{ + if (refcount_dec_and_test(&ax25_dev->refcount)) { + kfree(ax25_dev); + } +} static inline __be16 ax25_type_trans(struct sk_buff *skb, struct net_device *dev) { skb->dev = dev; 
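Review bot: ax25_dev_hold() in the second include/net/ax25.h hunk is a macro while ax25_dev_put() directly below it is a function; make it `static inline void ax25_dev_hold(ax25_dev *ax25_dev)` so the argument is type-checked like its counterpart (the macro accepts any pointer that happens to have a refcount member). The same hunk is also the place to document the new contract these helpers create: neither the header nor the commit message states that a pointer returned by ax25_addr_ax25dev() or kept on ax25_dev_list is counted and must be released with ax25_dev_put(), so a reviewer cannot tell which hold each put added in the other files is meant to balance.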
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 735f29512163..954196ef7788 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -98,6 +98,7 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; + ax25_dev_put(ax25_dev); release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); @@ -446,6 +447,7 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) } out_put: + ax25_dev_put(ax25_dev); ax25_cb_put(ax25); return ret; diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 4ac2e0847652..2c845ff1d036 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -37,6 +37,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) if (ax25cmp(addr, (ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; + ax25_dev_hold(ax25_dev); } spin_unlock_bh(&ax25_dev_lock); @@ -56,6 +57,7 @@ void ax25_dev_device_up(struct net_device *dev) return; } + refcount_set(&ax25_dev->refcount, 1); dev->ax25_ptr = ax25_dev; ax25_dev->dev = dev; dev_hold(dev); @@ -83,6 +85,7 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; + ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); ax25_register_dev_sysctl(ax25_dev); @@ -112,20 +115,22 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } 
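Review bot: the ax25_addr_ax25dev() hunk in net/ax25/ax25_dev.c takes the hold inside a loop that has no break, so if two devices on ax25_dev_list carry the same address, refcount_inc() runs for both while only the last one is returned and the earlier hold leaks; either break right after the hold or hold `res` once after the loop. In the ax25_kill_by_device() hunk the new ax25_dev_put() can only balance the reference a bound socket obtained through the now-counting lookup on the ax25_bind() path the commit message names, yet ax25_release(), also listed as affected, receives no put in this patch (af_ax25.c gains two lines in total), so a socket closed normally while the device is up would keep its reference and the device could never reach zero; please cover the release path or say why it is not needed. Minor: in both ax25_dev_device_down() branches the list reference is dropped while ax25_dev_lock is held, so a final kfree() can run inside the critical section; moving that ax25_dev_put() after spin_unlock_bh() keeps the lock region minimal.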
@@ -133,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + ax25_dev_put(ax25_dev); } int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) @@ -149,6 +155,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) if (ax25_dev->forward != NULL) return -EINVAL; ax25_dev->forward = fwd_dev->dev; + ax25_dev_put(fwd_dev); break; case SIOCAX25DELFWD: @@ -161,6 +168,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) return -EINVAL; } + ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index d0b2e094bd55..1e32693833e5 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c @@ -116,6 +116,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; + ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); @@ -172,6 +173,7 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return 0; 
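Review bot: in the SIOCAX25ADDFWD hunk of ax25_fwd_ioctl() the new ax25_dev_put(fwd_dev) runs only on the success path; the `if (ax25_dev->forward != NULL) return -EINVAL;` immediately above it returns with the reference taken by ax25_addr_ax25dev(&fwd->port_to) still held. Likewise the single ax25_dev_put(ax25_dev) added before the final `return 0` is skipped by every `return -EINVAL` inside the switch (the one visible in the @@ -161 hunk included), so those paths leak ax25_dev. In net/ax25/ax25_route.c the put in ax25_rt_add() sits in a single branch after `ax25_rt->ip_mode = ' '`, so any other return after the lookup needs its own put as well; ax25_rt_del() and ax25_rt_opt() drop the reference on their common exit and look balanced. One `out:` label per function that drops the reference, with a `ret` variable, would make all of these leak-free by construction.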
@@ -214,6 +216,7 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return err; }
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 2/8] ax25: fix reference count leaks of ax25_dev
Date: Fri, 15 Apr 2022 19:14:16 +0300
Message-Id: <20220415161422.1016735-3-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
References: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 87563a043cef044fed5db7967a75741cc16ad2b1 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to
avoid UAF bugs") introduces refcount into ax25_dev, but there are
reference leak paths in ax25_ctl_ioctl(), ax25_fwd_ioctl(),
ax25_rt_add(), ax25_rt_del() and ax25_rt_opt().

This patch uses ax25_dev_put() and adjusts the position of
ax25_addr_ax25dev() to fix reference count leaks of ax25_dev.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Signed-off-by: Duoming Zhou
Reviewed-by: Dan Carpenter
Link: https://lore.kernel.org/r/20220203150811.42256-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski
[OP: backport to 5.15: adjust context]
Signed-off-by: Ovidiu Panait
---
 include/net/ax25.h    |  8 +++++---
 net/ax25/af_ax25.c    | 12 ++++++++----
 net/ax25/ax25_dev.c   | 24 +++++++++++++++++-------
 net/ax25/ax25_route.c | 16 +++++++++++-----
 4 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h index d81bfb674906..aadff553e4b7 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -291,10 +291,12 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } -#define ax25_dev_hold(__ax25_dev) \ - refcount_inc(&((__ax25_dev)->refcount)) +static inline void ax25_dev_hold(ax25_dev *ax25_dev) +{ + refcount_inc(&ax25_dev->refcount); +} -static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +static inline void ax25_dev_put(ax25_dev *ax25_dev) { if (refcount_dec_and_test(&ax25_dev->refcount)) { kfree(ax25_dev); diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 954196ef7788..f8c39ccd03bb 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -366,21 +366,25 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl))) return -EFAULT; - if ((ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr)) == NULL) - return -ENODEV; - if (ax25_ctl.digi_count > AX25_MAX_DIGIS) return -EINVAL; if (ax25_ctl.arg > ULONG_MAX / HZ && ax25_ctl.cmd != AX25_KILL) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr); + if (!ax25_dev) + return -ENODEV; + digi.ndigi = ax25_ctl.digi_count; for (k = 0; k < digi.ndigi; k++) digi.calls[k] = ax25_ctl.digi_addr[k]; - if ((ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev)) == NULL) + ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev); + if (!ax25) { + ax25_dev_put(ax25_dev); return -ENOTCONN; + } switch (ax25_ctl.cmd) { case AX25_KILL: diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 2c845ff1d036..d2e0cc67d91a 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c 
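Review bot: the include/net/ax25.h hunk converting ax25_dev_hold() to a static inline is the right fix for the macro; since ax25_dev_put() is being touched in the same hunk, also drop the braces around the single `kfree(ax25_dev);` statement, which kernel coding style (and checkpatch) flags. In the ax25_ctl_ioctl() hunk, moving the lookup below the digi_count and arg checks means the two `return -EINVAL` paths no longer hold anything, and the new `if (!ax25)` block drops the reference correctly; the cases of the switch that follows still rely on the out_put label added by d01ffb9eee4a, which the commit message should say explicitly since it lists ax25_ctl_ioctl() among the leaking functions.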
@@ -85,8 +85,8 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; - ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_hold(ax25_dev); ax25_register_dev_sysctl(ax25_dev); } @@ -115,8 +115,8 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -126,8 +126,8 @@ void ax25_dev_device_down(struct net_device *dev) while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -150,25 +150,35 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) switch (cmd) { case SIOCAX25ADDFWD: - if ((fwd_dev = ax25_addr_ax25dev(&fwd->port_to)) == NULL) + fwd_dev = ax25_addr_ax25dev(&fwd->port_to); + if (!fwd_dev) { + ax25_dev_put(ax25_dev); return -EINVAL; - if (ax25_dev->forward != NULL) + } + if (ax25_dev->forward) { + ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = fwd_dev->dev; ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); break; case SIOCAX25DELFWD: - if (ax25_dev->forward == NULL) + if (!ax25_dev->forward) { + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = NULL; + ax25_dev_put(ax25_dev); break; default: + ax25_dev_put(ax25_dev); return -EINVAL; } - ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index 1e32693833e5..9751207f7757 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c 
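Review bot: in the ax25_dev_device_up() hunk the list hold is moved after spin_unlock_bh(), so between the unlock and ax25_dev_hold() the device is already reachable through ax25_dev_list with a count that does not account for that pointer; taking the hold before the list insert (or keeping it inside the lock, as it was) removes the dependence on device_up and device_down for the same device never overlapping, while the matching move of the put after the unlock in both ax25_dev_device_down() branches is fine. In ax25_fwd_ioctl() ax25_dev_put(ax25_dev) is now repeated in five branches, and the forward-already-set branch needs the pair `ax25_dev_put(fwd_dev); ax25_dev_put(ax25_dev);`; a single `out:` label with one put and a `ret` variable would be shorter and would keep the next added case from forgetting it.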
@@ -75,11 +75,13 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_dev *ax25_dev; int i; - if ((ax25_dev = ax25_addr_ax25dev(&route->port_addr)) == NULL) - return -EINVAL; if (route->digi_count > AX25_MAX_DIGIS) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&route->port_addr); + if (!ax25_dev) + return -EINVAL; + write_lock_bh(&ax25_route_lock); ax25_rt = ax25_route_list; @@ -91,6 +93,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -101,6 +104,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) } } write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } ax25_rt = ax25_rt->next; @@ -108,6 +112,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if ((ax25_rt = kmalloc(sizeof(ax25_route), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } @@ -116,11 +121,11 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; - ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); kfree(ax25_rt); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -133,6 +138,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->next = ax25_route_list; ax25_route_list = ax25_rt; write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } @@ -173,8 +179,8 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } 
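Review bot: ax25_rt_add() now has ax25_dev_put(ax25_dev) at five exit sites, three of them kmalloc failure paths that also call write_unlock_bh() (one additionally kfree(ax25_rt)); a common unlock-and-put label with an `err` variable would make the reference handling visible at a glance and stop the next exit path from missing it. Moving the lookup after the `route->digi_count > AX25_MAX_DIGIS` check is correct, since the -EINVAL return before it then holds nothing, and the ax25_rt_del() hunk dropping the reference after write_unlock_bh() is consistent with the ax25_dev_device_down() change in this patch.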
@@ -216,8 +222,8 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return err; }
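The counting scheme the two patches above put in place (one reference for dev->ax25_ptr, one for ax25_dev_list, one per ax25_addr_ax25dev() lookup, each balanced by an ax25_dev_put()) modelled in user space, as an added example that is not code from the series: refcount_t, ax25_dev, the device list and the callsigns are minimal stand-ins constructed here, and the helper names mirror the kernel ones only for readability. It shows that a looked-up pointer survives ax25_dev_device_down() until its holder puts it (the race in the first commit message), and that an early return without a put (the leak the second patch fixes) leaves the object unfreeable.

```c
/* Added example, not kernel code: a user-space model of the ax25_dev reference
 * counting the two patches above introduce; refcount_t, ax25_dev, the list and
 * the helper names are minimal stand-ins for the kernel ones. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned int val; } refcount_t;
static void refcount_set(refcount_t *r, unsigned int n) { r->val = n; }
static void refcount_inc(refcount_t *r) { r->val++; }
static bool refcount_dec_and_test(refcount_t *r) { return --r->val == 0; }

typedef struct { char call[7]; } ax25_address;    /* callsign, stands in for dev_addr */

typedef struct ax25_dev {
    struct ax25_dev *next;
    ax25_address addr;
    refcount_t refcount;
} ax25_dev;

static ax25_dev *ax25_dev_list;
static int frees;                                  /* kfree() calls observed */

static void ax25_dev_hold(ax25_dev *d) { refcount_inc(&d->refcount); }

static void ax25_dev_put(ax25_dev *d)
{
    if (refcount_dec_and_test(&d->refcount)) {
        frees++;
        memset(d, 0xa5, sizeof(*d));               /* poison so a UAF would show */
        free(d);
    }
}

/* device_up: refcount_set(1) for dev->ax25_ptr, plus one hold for the list. */
static ax25_dev *ax25_dev_device_up(const char *call)
{
    ax25_dev *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    strncpy(d->addr.call, call, sizeof(d->addr.call) - 1);
    refcount_set(&d->refcount, 1);
    d->next = ax25_dev_list;
    ax25_dev_list = d;
    ax25_dev_hold(d);
    return d;
}

/* Lookup returns a counted pointer: the caller owes exactly one ax25_dev_put(). */
static ax25_dev *ax25_addr_ax25dev(const ax25_address *addr)
{
    for (ax25_dev *d = ax25_dev_list; d; d = d->next)
        if (strcmp(addr->call, d->addr.call) == 0) {
            ax25_dev_hold(d);
            return d;                              /* one hold per returned pointer */
        }
    return NULL;
}

/* device_down: drop the list reference, then the ax25_ptr one; no direct kfree(). */
static void ax25_dev_device_down(ax25_dev *dev)
{
    for (ax25_dev **pp = &ax25_dev_list; *pp; pp = &(*pp)->next)
        if (*pp == dev) {
            *pp = dev->next;
            ax25_dev_put(dev);                     /* list reference */
            break;
        }
    ax25_dev_put(dev);                             /* dev->ax25_ptr reference */
}

/* The race in the first commit message: lookup, then device_down, then use.
 * Returns -1 if the object was freed under the user, else the count it still holds. */
static int race_with_refcount(void)
{
    ax25_address a = { "N0CALL" };                 /* constructed callsign */
    frees = 0;
    ax25_dev_device_up("N0CALL");
    ax25_dev *user = ax25_addr_ax25dev(&a);        /* (USE) side takes its hold */
    ax25_dev_device_down(user);                    /* (FREE) side drops both device refs */
    if (frees != 0) return -1;                     /* this would be the UAF window */
    int left = (int)user->refcount.val;            /* safe: user still holds it */
    ax25_dev_put(user);                            /* last put frees the object */
    return left;
}

/* The leak the second patch fixes: an error return after the lookup with no put
 * leaves one reference dangling, so device_down cannot free. Returns that count. */
static int leak_on_early_return(void)
{
    ax25_address a = { "LEAK01" };                 /* constructed callsign */
    ax25_dev *d = ax25_dev_device_up("LEAK01");
    (void)ax25_addr_ax25dev(&a);                   /* "return -EINVAL;" here, no put */
    frees = 0;
    ax25_dev_device_down(d);
    if (frees != 0) return -1;
    int remaining = (int)d->refcount.val;          /* 1: still allocated, leaked */
    ax25_dev_put(d);                               /* the put the early return forgot */
    return remaining;
}
```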
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 3/8] ax25: fix UAF bugs of net_device caused by rebinding operation
Date: Fri, 15 Apr 2022 19:14:17 +0300
Message-Id: <20220415161422.1016735-4-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
References: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit feef318c855a361a1eccd880f33e88c460eb63b4 upstream.

The ax25_kill_by_device() will set s->ax25_dev = NULL and call
ax25_disconnect() to change states of ax25_cb and sock, if we call
ax25_bind() before ax25_kill_by_device().

However, if we call ax25_bind() again between the window of
ax25_kill_by_device() and ax25_dev_device_down(), the values and states
changed by ax25_kill_by_device() will be reassigned. Finally,
ax25_dev_device_down() will deallocate net_device. If we dereference
net_device in syscall functions such as ax25_release(), ax25_sendmsg(),
ax25_getsockopt(), ax25_getname() and ax25_info_show(), a UAF bug will
occur.

One of the possible race conditions is shown below:

      (USE)                   |      (FREE)
ax25_bind()                   |
                              |  ax25_kill_by_device()
ax25_bind()                   |
ax25_connect()                |    ...
                              |  ax25_dev_device_down()
                              |    ...
                              |    dev_put_track(dev, ...) //FREE
ax25_release()                |    ...
  ax25_send_control()         |
    alloc_skb()      //USE    |

The corresponding fail log is shown below:

===============================================================
BUG: KASAN: use-after-free in ax25_send_control+0x43/0x210
...
Call Trace:
...
ax25_send_control+0x43/0x210
ax25_release+0x2db/0x3b0
__sock_release+0x6d/0x120
sock_close+0xf/0x20
__fput+0x11f/0x420
...
Allocated by task 1283:
...
__kasan_kmalloc+0x81/0xa0
alloc_netdev_mqs+0x5a/0x680
mkiss_open+0x6c/0x380
tty_ldisc_open+0x55/0x90
...
Freed by task 1969:
...
kfree+0xa3/0x2c0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
tty_ldisc_kill+0x3e/0x80
...

In order to fix these UAF bugs caused by rebinding operation, this patch
adds dev_hold_track() into ax25_bind() and corresponding dev_put_track()
into ax25_kill_by_device().

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.15: adjust dev_put_track()->dev_put() and dev_hold_track()->dev_hold()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index f8c39ccd03bb..1235bbcc7953 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -98,6 +98,7 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; + dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); release_sock(sk); ax25_disconnect(s, ENETUNREACH); 
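Review bot: the new `dev_put(ax25_dev->dev);` reads through ax25_dev, so it has to stay ahead of `ax25_dev_put(ax25_dev);`, which may drop the last reference to that structure; a one-line comment on the ordering would keep a later reshuffle from turning this into a read of freed memory. The put is also unconditional for every cb found with `s->ax25_dev == ax25_dev`, which is only balanced if every such cb took the matching hold in ax25_bind(); that invariant deserves stating next to the put.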
@@ -1123,8 +1124,10 @@ static int ax25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) } } - if (ax25_dev != NULL) + if (ax25_dev) { ax25_fillin_cb(ax25, ax25_dev); + dev_hold(ax25_dev->dev); + } done: ax25_cb_add(ax25);
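Review bot: the `dev_hold(ax25_dev->dev);` taken in ax25_bind() has exactly one visible release path, the `dev_put()` added to ax25_kill_by_device() in the first hunk, so a socket that binds and is then closed while the interface stays up never returns the reference; the normal close path (ax25_release) needs a matching put, which is what patch 4/8 of this series adds. The `done:` label directly after the new block also means any earlier `goto done` reaches ax25_cb_add() without this hold, so a comment stating that ax25_kill_by_device() only puts references taken here would make the contract explicit.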
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 4/8] ax25: Fix refcount leaks caused by ax25_cb_del()
Date: Fri, 15 Apr 2022 19:14:18 +0300
Message-Id: <20220415161422.1016735-5-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 9fd75b66b8f68498454d685dc4ba13192ae069b0 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid
UAF bugs") and commit feef318c855a ("ax25: fix UAF bugs of net_device
caused by rebinding operation") increase the refcounts of ax25_dev and
net_device in ax25_bind() and decrease the matching refcounts in
ax25_kill_by_device() in order to prevent UAF bugs, but there are
reference count leaks.

The root cause of refcount leaks is shown below:

     (Thread 1)                      |      (Thread 2)
ax25_bind()                          |
 ...                                 |
 ax25_addr_ax25dev()                 |
  ax25_dev_hold()   //(1)            |
  ...                                |
 dev_hold_track()   //(2)            |
  ...                                |  ax25_destroy_socket()
                                     |   ax25_cb_del()
                                     |    ...
                                     |    hlist_del_init() //(3)
                                     |
                                     |
     (Thread 3)                      |
ax25_kill_by_device()                |
 ...                                 |
 ax25_for_each(s, &ax25_list) {      |
  if (s->ax25_dev == ax25_dev) //(4) |
   ...                               |

Firstly, we use ax25_bind() to increase the refcount of ax25_dev in
position (1) and increase the refcount of net_device in position (2).
Then, we use ax25_cb_del() invoked by ax25_destroy_socket() to delete
ax25_cb in hlist in position (3) before calling ax25_kill_by_device().
Finally, the decrements of refcounts in ax25_kill_by_device() will not be
executed, because no s->ax25_dev equals ax25_dev in position (4).

This patch adds decrements of refcounts in ax25_release() and uses
lock_sock() to do synchronization. If refcounts decrease in
ax25_release(), the decrements of refcounts in ax25_kill_by_device() will
not be executed and vice versa.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Fixes: 87563a043cef ("ax25: fix reference count leaks of ax25_dev")
Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
Reported-by: Thomas Osterried
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.15: adjust dev_put_track()->dev_put()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 1235bbcc7953..13e8c9a0cf4f 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -98,8 +98,10 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; - dev_put(ax25_dev->dev); - ax25_dev_put(ax25_dev); + if (sk->sk_socket) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); 
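Review bot: the `if (sk->sk_socket)` guard only works as a handoff because the second hunk moves `sock_orphan(sk)` under lock_sock() in ax25_release(); nothing at this site says so, so a comment along the lines of "orphaned sockets already dropped their references in ax25_release()" belongs above the new branch. Note also that `s->ax25_dev = NULL;` stays unconditional, so an orphaned cb loses its device pointer here while the release path puts the snapshot it took earlier; that asymmetry is correct but easy to break in a later edit.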
@@ -979,14 +981,20 @@ static int ax25_release(struct socket *sock) { struct sock *sk = sock->sk; ax25_cb *ax25; + ax25_dev *ax25_dev; if (sk == NULL) return 0; sock_hold(sk); - sock_orphan(sk); lock_sock(sk); + sock_orphan(sk); ax25 = sk_to_ax25(sk); + ax25_dev = ax25->ax25_dev; + if (ax25_dev) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } if (sk->sk_type == SOCK_SEQPACKET) { switch (ax25->state) {
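Review bot: the new `dev_put(ax25_dev->dev);` / `ax25_dev_put(ax25_dev);` pair sits before `switch (ax25->state)`, and the SOCK_SEQPACKET states handled below call ax25_send_control(), which dereferences the device; when these are the last references (device already down), the remainder of ax25_release() runs on freed memory. The puts should be deferred until after the state handling, which is what patch 5/8 of this series does. Moving `sock_orphan(sk)` under lock_sock() is right, since it sets the flag that ax25_kill_by_device() now tests under the same lock.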
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 5/8] ax25: fix UAF bug in ax25_send_control()
Date: Fri, 15 Apr 2022 19:14:19 +0300
Message-Id: <20220415161422.1016735-6-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 5352a761308397a0e6250fdc629bb3f615b94747 upstream.

There are UAF bugs in ax25_send_control(), when we call ax25_release() to
deallocate ax25_dev. The possible race condition is shown below:

      (Thread 1)           |       (Thread 2)
ax25_dev_device_up() //(1) |
                           | ax25_kill_by_device()
ax25_bind()          //(2) |
ax25_connect()             |  ...
 ax25->state = AX25_STATE_1|
 ...                       | ax25_dev_device_down() //(3)

      (Thread 3)
ax25_release()             |
 ax25_dev_put()  //(4) FREE|
 case AX25_STATE_1:        |
  ax25_send_control()      |
   alloc_skb()       //USE |

The refcount of ax25_dev increases in position (1) and (2), and
decreases in position (3) and (4). The ax25_dev will be freed before
dereference sites in ax25_send_control().

The following is part of the report:

[ 102.297448] BUG: KASAN: use-after-free in ax25_send_control+0x33/0x210
[ 102.297448] Read of size 8 at addr ffff888009e6e408 by task ax25_close/602
[ 102.297448] Call Trace:
[ 102.303751] ax25_send_control+0x33/0x210
[ 102.303751] ax25_release+0x356/0x450
[ 102.305431] __sock_release+0x6d/0x120
[ 102.305431] sock_close+0xf/0x20
[ 102.305431] __fput+0x11f/0x420
[ 102.305431] task_work_run+0x86/0xd0
[ 102.307130] get_signal+0x1075/0x1220
[ 102.308253] arch_do_signal_or_restart+0x1df/0xc00
[ 102.308253] exit_to_user_mode_prepare+0x150/0x1e0
[ 102.308253] syscall_exit_to_user_mode+0x19/0x50
[ 102.308253] do_syscall_64+0x48/0x90
[ 102.308253] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 102.308253] RIP: 0033:0x405ae7

This patch defers the free operation of ax25_dev and net_device after
all corresponding dereference sites in ax25_release() to avoid UAF.

Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
Signed-off-by: Duoming Zhou
Signed-off-by: Paolo Abeni
[OP: backport to 5.15: adjust dev_put_track()->dev_put()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 13e8c9a0cf4f..7968696d78ee 100644
--- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -991,10 +991,6 @@ static int ax25_release(struct socket *sock) sock_orphan(sk); ax25 = sk_to_ax25(sk); ax25_dev = ax25->ax25_dev; - if (ax25_dev) { - dev_put(ax25_dev->dev); - ax25_dev_put(ax25_dev); - } if (sk->sk_type == SOCK_SEQPACKET) { switch (ax25->state) { 
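Review bot: dropping the early puts here is the right half of the fix, but the `ax25_dev = ax25->ax25_dev;` snapshot that remains is what the later put relies on; it is taken under lock_sock() after `sock_orphan(sk)`, which is what keeps ax25_kill_by_device() from clearing or putting the same reference concurrently. A comment at the snapshot saying that the reference is released at the end of this function would tie the two hunks together for the next reader.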
@@ -1056,6 +1052,10 @@ static int ax25_release(struct socket *sock) sk->sk_state_change(sk); ax25_destroy_socket(ax25); } + if (ax25_dev) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } sock->sk = NULL; release_sock(sk);
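Review bot: the puts now run after `ax25_destroy_socket(ax25);`, so `ax25_dev->dev` is read from the local snapshot rather than from `ax25->ax25_dev`, which ax25_kill_by_device() may already have set to NULL; that is the intended design, so a comment should say so before someone "simplifies" it back to the field. They are still inside the lock_sock() region, ahead of `release_sock(sk);`, which is required for the `sk->sk_socket` check in ax25_kill_by_device() to exclude this path; please keep them there.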
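To make the reference accounting that patches 4/8 and 5/8 argue about observable, here is an added example, constructed for this page rather than taken from the kernel or from the patches, that models the device reference with a counter and replays the three orderings the commit messages describe: the ax25_cb_del() leak, close before device-down (the sk->sk_socket handoff), and the put-before-use ordering that 5/8 corrects. All names in it (`struct dev`, `struct cb`, `model_bind`, `model_kill_by_device`, `model_release`, the `scenario_*` functions) are assumptions of the model, not kernel identifiers; the kernel function each one stands in for is named in its comment.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the device-reference handling in patches 4/8 and
 * 5/8 (not kernel code).  One counter stands in for the ax25_dev and
 * net_device references that ax25_bind() takes together. */
struct dev {
    int refcnt;           /* references held by bound control blocks */
    bool freed;           /* set when the last reference is dropped */
    int uses_after_free;  /* device touched after it was freed (5/8 bug) */
};

struct cb {
    struct dev *dev;      /* ax25->ax25_dev */
    bool listed;          /* still on ax25_list; ax25_cb_del() clears it */
    bool has_socket;      /* sk->sk_socket != NULL; sock_orphan() clears it */
    bool needs_control;   /* close path has to call ax25_send_control() */
};

static void model_dev_put(struct dev *d)
{
    if (--d->refcnt == 0)
        d->freed = true;
}

/* ax25_bind(): the only place the reference is taken. */
static void model_bind(struct cb *c, struct dev *d)
{
    c->dev = d;
    c->listed = true;
    c->has_socket = true;
    d->refcnt++;
}

/* ax25_kill_by_device() as of patch 4/8: only a cb that is still listed
 * and not orphaned owns its reference, so only that case drops it. */
static void model_kill_by_device(struct cb **cbs, size_t n, struct dev *d)
{
    for (size_t i = 0; i < n; i++) {
        struct cb *c = cbs[i];
        if (!c->listed || c->dev != d)   /* position (4) in the 4/8 diagram */
            continue;
        c->dev = NULL;
        if (c->has_socket)               /* the new sk->sk_socket check */
            model_dev_put(d);
    }
}

/* ax25_release(), in the kernel entirely under lock_sock().  put_early
 * reproduces the 4/8 ordering (put before the state machine), !put_early
 * the 5/8 ordering (put after the last dereference). */
static void model_release(struct cb *c, bool put_early)
{
    struct dev *d = c->dev;   /* snapshot the pointer under the lock */
    c->has_socket = false;    /* sock_orphan() under the same lock */
    if (put_early && d)
        model_dev_put(d);
    if (c->needs_control && d && d->freed)  /* ax25_send_control() touches d */
        d->uses_after_free++;
    if (!put_early && d)
        model_dev_put(d);
}

/* 4/8 leak scenario: bind, ax25_cb_del(), device down, close.  Returns the
 * references left over; 0 means every hold was matched by one put. */
int scenario_cb_del_then_device_down(void)
{
    struct dev d = {0};
    struct cb c = {0};
    struct cb *list[1] = { &c };
    model_bind(&c, &d);
    c.listed = false;                   /* ax25_cb_del() */
    model_kill_by_device(list, 1, &d);  /* does not find c: no put here */
    model_release(&c, false);           /* so the release path puts */
    return d.refcnt;
}

/* Close first, then device down: the orphan check must prevent a second
 * put.  Returns the references left; negative would mean a double put. */
int scenario_close_then_device_down(void)
{
    struct dev d = {0};
    struct cb c = {0};
    struct cb *list[1] = { &c };
    model_bind(&c, &d);
    model_release(&c, false);           /* puts; cb may still be listed */
    model_kill_by_device(list, 1, &d);  /* listed but orphaned: no put */
    return d.refcnt;
}

/* 5/8 ordering scenario.  Returns how often ax25_send_control() ran on a
 * freed device: 1 with the early put, 0 with the deferred put. */
int scenario_release_ordering(bool put_early)
{
    struct dev d = {0};
    struct cb c = {0};
    model_bind(&c, &d);
    c.needs_control = true;
    model_release(&c, put_early);
    return d.uses_after_free;
}
```

The model deliberately lets `model_release()` leave the cb on the list, because in the kernel a closing SOCK_SEQPACKET socket can stay on ax25_list until its timers run out; that is why the orphan flag, not list membership, has to decide which path owns the reference. The two release orderings differ only in where the put sits relative to the ax25_send_control() stand-in.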
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 6/8] ax25: fix NPD bug in ax25_disconnect
Date: Fri, 15 Apr 2022 19:14:20 +0300
Message-Id: <20220415161422.1016735-7-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10 upstream.

The ax25_disconnect() in ax25_kill_by_device() is not protected by any locks, thus there is a race condition between ax25_disconnect() and ax25_destroy_socket(). When ax25->sk is assigned as NULL by ax25_destroy_socket(), a NULL pointer dereference bug will occur if site (1) or (2) dereferences ax25->sk.

ax25_kill_by_device()             | ax25_release()
  ax25_disconnect()               |   ax25_destroy_socket()
    ...                           |
                                  |     if(ax25->sk != NULL)
    ...                           |       ...
                                  |       ax25->sk = NULL;
    bh_lock_sock(ax25->sk); //(1) |       ...
    ...                           |
    bh_unlock_sock(ax25->sk); //(2)|

This patch moves ax25_disconnect() into lock_sock(), which can synchronize with ax25_destroy_socket() in ax25_release().

Fail log:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000088
...
RIP: 0010:_raw_spin_lock+0x7e/0xd0
...
Call Trace:
 ax25_disconnect+0xf6/0x220
 ax25_device_event+0x187/0x250
 raw_notifier_call_chain+0x5e/0x70
 dev_close_many+0x17d/0x230
 rollback_registered_many+0x1f1/0x950
 unregister_netdevice_queue+0x133/0x200
 unregister_netdev+0x13/0x20
...

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.15: adjust context]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 7968696d78ee..df01f790a34c 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -102,8 +102,8 @@ static void ax25_kill_by_device(struct net_device *dev) dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); } - release_sock(sk); ax25_disconnect(s, ENETUNREACH); + release_sock(sk); spin_lock_bh(&ax25_list_lock); sock_put(sk); /* The entry could have been deleted from the
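Review bot: ax25_disconnect(s, ENETUNREACH) now runs after the `dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev);` context at the top of the hunk, so the device references are already dropped when the disconnect starts; holding lock_sock(sk) across it does serialize against ax25_destroy_socket() in ax25_release(), as the message says, but it does not serialize against the ax25 timer callbacks, which only take bh_lock_sock() and can still fire between that drop and the ax25_stop_*timer() calls inside ax25_disconnect(). Those stop helpers are plain del_timer(), which does not wait for a handler already executing on another CPU, so this change is only safe together with the del_timer_sync() conversions in patches 7/8 and 8/8 of this series; please say so in the message (or squash the backports) so the three are not cherry-picked independently. The `[OP: backport to 5.15: adjust context]` note would also be more useful if it named which context line differed from upstream.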
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 7/8] ax25: Fix NULL pointer dereferences in ax25 timers
Date: Fri, 15 Apr 2022 19:14:21 +0300
Message-Id: <20220415161422.1016735-8-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
References: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 upstream.

The previous commit 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect") moved ax25_disconnect into lock_sock() in order to prevent NPD bugs. But there are race conditions that may lead to null pointer dereferences in ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(), ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we use ax25_kill_by_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be shown as below:

      (Thread 1)                    |      (Thread 2)
ax25_connect()                      |
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              |
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_kill_by_device()
   (wait a time)                    |  ...
                                    |  s->ax25_dev = NULL; //(1)
   ax25_t1timer_expiry()            |
    ax25->ax25_dev->values[..] //(2)|  ...
     ...                            |

We set null to ax25_cb->ax25_dev in position (1) and dereference the null pointer in position (2).

The corresponding fail log is shown below:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25_t1timer_expiry+0x12/0x40
...
Call Trace:
 call_timer_fn+0x21/0x120
 __run_timers.part.0+0x1ca/0x250
 run_timer_softirq+0x2c/0x60
 __do_softirq+0xef/0x2f3
 irq_exit_rcu+0xb6/0x100
 sysvec_apic_timer_interrupt+0xa2/0xd0
...

This patch moves ax25_disconnect() before s->ax25_dev = NULL and uses del_timer_sync() to delete timers in ax25_disconnect(). If ax25_disconnect() is called by ax25_kill_by_device() or ax25->ax25_dev is NULL, the reason in ax25_disconnect() will be equal to ENETUNREACH; it will wait for all timers to stop before we set null to s->ax25_dev in ax25_kill_by_device().

Fixes: 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 5.15: adjust context]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c   |  4 ++--
 net/ax25/ax25_subr.c | 20 ++++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index df01f790a34c..3116d8d1b5cf 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -89,20 +89,20 @@ static void ax25_kill_by_device(struct net_device *dev) sk = s->sk; if (!sk) { spin_unlock_bh(&ax25_list_lock); - s->ax25_dev = NULL; ax25_disconnect(s, ENETUNREACH); + s->ax25_dev = NULL; spin_lock_bh(&ax25_list_lock); goto again; } sock_hold(sk); spin_unlock_bh(&ax25_list_lock); lock_sock(sk); + ax25_disconnect(s, ENETUNREACH); s->ax25_dev = NULL; if (sk->sk_socket) { dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); } - ax25_disconnect(s, ENETUNREACH); release_sock(sk); spin_lock_bh(&ax25_list_lock); sock_put(sk);
diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c
index 15ab812c4fe4..3a476e4f6cd0 100644
--- a/net/ax25/ax25_subr.c
+++ b/net/ax25/ax25_subr.c
@@ -261,12 +261,20 @@ void ax25_disconnect(ax25_cb *ax25, int reason) { ax25_clear_queues(ax25); - if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) - ax25_stop_heartbeat(ax25); - ax25_stop_t1timer(ax25); - ax25_stop_t2timer(ax25); - ax25_stop_t3timer(ax25); - ax25_stop_idletimer(ax25); + if (reason == ENETUNREACH) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); + } else { + if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) + ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); + ax25_stop_t3timer(ax25); + ax25_stop_idletimer(ax25); + } ax25->state = AX25_STATE_0;
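Review bot: in the af_ax25.c hunk (`@@ -89,20 +89,20 @@`), the `if (!sk)` branch now calls ax25_disconnect(s, ENETUNREACH) with ax25_list_lock released (`spin_unlock_bh(&ax25_list_lock);` sits right above it) and, since the second hunk turns that reason into del_timer_sync(), the unlock is load-bearing: del_timer_sync() waits for a running handler, and any timer handler that itself takes ax25_list_lock would deadlock if the call were made under the lock, so a one-line comment at that spot saying the unlock is deliberate would protect it from a later "fix" that folds it back under the lock. In the sk != NULL branch the order ax25_disconnect() then `s->ax25_dev = NULL` is now correct under lock_sock(sk) and matches the commit message; the message would be stronger if it also stated that the timers cannot be re-armed between the two statements by any path other than the handlers that del_timer_sync() just waited for.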
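Review bot: in the ax25_subr.c hunk, the new `reason == ENETUNREACH` branch calls `del_timer_sync(&ax25->timer)` unconditionally, while the `else` branch keeps the existing guard `if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) ax25_stop_heartbeat(ax25);`, so a socket already flagged SOCK_DESTROY loses its heartbeat on the device-down path; if the heartbeat is what finishes tearing such a socket down, that is a leak rather than a crash, so either keep the guard in the new branch or document why the ENETUNREACH caller can never see a SOCK_DESTROY socket. Separately, overloading the errno value as a "called from ax25_kill_by_device()" flag is fragile, and the message itself says the same value is used when ax25->ax25_dev is NULL; a comment above the `if` stating that ENETUNREACH means "device is going away, wait for handlers to finish" would make the intent explicit for the next reader.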
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 5.15 8/8] ax25: Fix UAF bugs in ax25 timers
Date: Fri, 15 Apr 2022 19:14:22 +0300
Message-Id: <20220415161422.1016735-9-ovidiu.panait@windriver.com>
In-Reply-To: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
References: <20220415161422.1016735-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 82e31755e55fbcea6a9dfaae5fe4860ade17cbc0 upstream.

There are race conditions that may lead to UAF bugs in ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(), ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we call ax25_release() to deallocate ax25_dev.

One of the UAF bugs caused by ax25_release() is shown below:

      (Thread 1)                    |      (Thread 2)
ax25_dev_device_up() //(1)          |
...                                 | ax25_kill_by_device()
ax25_bind()          //(2)          |
ax25_connect()                      | ...
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              | ax25_dev_device_down() //(3)
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_release()
   (wait a time)                    |  ...
                                    |  ax25_dev_put(ax25_dev) //(4)FREE
   ax25_t1timer_expiry()            |
    ax25->ax25_dev->values[..] //USE|  ...
     ...                            |

We increase the refcount of ax25_dev in position (1) and (2), and decrease the refcount of ax25_dev in position (3) and (4). The ax25_dev will be freed in position (4) and be used in ax25_t1timer_expiry().

The fail log is shown below:
==============================================================
[  106.116942] BUG: KASAN: use-after-free in ax25_t1timer_expiry+0x1c/0x60
[  106.116942] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0
[  106.116942] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574
[  106.116942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14
[  106.116942] Call Trace:
...
[  106.116942]  ax25_t1timer_expiry+0x1c/0x60
[  106.116942]  call_timer_fn+0x122/0x3d0
[  106.116942]  __run_timers.part.0+0x3f6/0x520
[  106.116942]  run_timer_softirq+0x4f/0xb0
[  106.116942]  __do_softirq+0x1c2/0x651
...

This patch adds del_timer_sync() in ax25_release(), which could ensure that all timers stop before we deallocate ax25_dev.

Signed-off-by: Duoming Zhou
Signed-off-by: Paolo Abeni
[OP: backport to 5.15: adjust context]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 3116d8d1b5cf..7b69503dc46a 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1053,6 +1053,11 @@ static int ax25_release(struct socket *sock) ax25_destroy_socket(ax25); } if (ax25_dev) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); }
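Review bot: the five `del_timer_sync()` calls added here duplicate, line for line, the `reason == ENETUNREACH` branch added to ax25_disconnect() in patch 7/8 of this series; a small shared helper (something like an ax25_stop_timers_sync(), name hypothetical) called from both places would keep the two lists from drifting apart the next time a timer is added to ax25_cb. The placement is otherwise right: the timers are quiesced before `dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev);` drops the references the handlers dereference. What the hunk leaves open is that the calls sit inside `if (ax25_dev)`, so a socket whose ax25_dev is already NULL gets no synchronous stop here; the message should say why such a socket cannot still have a pending timer that reads ax25->ax25_dev, or the calls should move above the condition.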