From patchwork Thu Apr 21 10:37:32 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 568089
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, "David S . Miller", Ovidiu Panait
Subject: [PATCH 4.14 1/8] ax25: add refcount in ax25_dev to avoid UAF bugs
Date: Thu, 21 Apr 2022 13:37:32 +0300
Message-Id: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.36.0
From: Duoming Zhou

commit d01ffb9eee4af165d83b08dd73ebdf9fe94a519b upstream.

If we dereference ax25_dev after we call kfree(ax25_dev) in
ax25_dev_device_down(), it will lead to concurrency UAF bugs.
There are eight syscall functions that suffer from UAF bugs, including
ax25_bind(), ax25_release(), ax25_connect(), ax25_ioctl(),
ax25_getname(), ax25_sendmsg(), ax25_getsockopt() and ax25_info_show().

One of the concurrency UAF bugs can be shown as below:

        (USE)                       |    (FREE)
                                    | ax25_device_event
                                    |   ax25_dev_device_down
ax25_bind                           |   ...
  ...                               |   kfree(ax25_dev)
  ax25_fillin_cb()                  |   ...
    ax25_fillin_cb_from_dev()       |   ...
                                    |

The root cause of the UAF bugs is that kfree(ax25_dev) in
ax25_dev_device_down() is not protected by any locks. When ax25_dev,
which there are still pointers pointing to, is released, the
concurrency UAF bug will happen.

This patch introduces refcount into ax25_dev in order to guarantee that
there are no pointers pointing to it when ax25_dev is released.

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 4.14: adjusted context]
Signed-off-by: Ovidiu Panait --- include/net/ax25.h | 10 ++++++++++ net/ax25/af_ax25.c | 2 ++ net/ax25/ax25_dev.c | 12 ++++++++++-- net/ax25/ax25_route.c | 3 +++ 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/include/net/ax25.h b/include/net/ax25.h index e667bca42ca4..390e32103a6e 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -235,6 +235,7 @@ typedef struct ax25_dev { #if defined(CONFIG_AX25_DAMA_SLAVE) || defined(CONFIG_AX25_DAMA_MASTER) ax25_dama_info dama; #endif + refcount_t refcount; } ax25_dev; typedef struct ax25_cb { @@ -289,6 +290,15 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } +#define ax25_dev_hold(__ax25_dev) \ + refcount_inc(&((__ax25_dev)->refcount)) + +static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +{ + if (refcount_dec_and_test(&ax25_dev->refcount)) { + kfree(ax25_dev); + } +} static inline __be16 ax25_type_trans(struct sk_buff *skb, struct net_device *dev) { skb->dev = dev; diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 466f9e3883c8..3f13c619824b 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -101,6 +101,7 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; + ax25_dev_put(ax25_dev); release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); @@ -450,6 +451,7 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) } out_put: + ax25_dev_put(ax25_dev); ax25_cb_put(ax25); return ret; diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d92195cd7834..76d105390706 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -40,6 +40,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) if (ax25cmp(addr, (ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; + ax25_dev_hold(ax25_dev); } spin_unlock_bh(&ax25_dev_lock); 
@@ -59,6 +60,7 @@ void ax25_dev_device_up(struct net_device *dev) return; } + refcount_set(&ax25_dev->refcount, 1); dev->ax25_ptr = ax25_dev; ax25_dev->dev = dev; dev_hold(dev); @@ -86,6 +88,7 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; + ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); ax25_register_dev_sysctl(ax25_dev); @@ -115,20 +118,22 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } @@ -136,6 +141,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + ax25_dev_put(ax25_dev); } int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) @@ -152,6 +158,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) if (ax25_dev->forward != NULL) return -EINVAL; ax25_dev->forward = fwd_dev->dev; + ax25_dev_put(fwd_dev); break; case SIOCAX25DELFWD: @@ -164,6 +171,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) return -EINVAL; } + ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index b8e1a5e6a9d3..c13f1e897b39 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c 
@@ -119,6 +119,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; + ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); @@ -175,6 +176,7 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return 0; 
@@ -217,6 +219,7 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return err; }
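Review bot: in the include/net/ax25.h hunk, ax25_dev_hold() is added as a macro while ax25_dev_put() right below it is a static __inline__ function; make both `static inline void ax25_dev_hold(ax25_dev *ax25_dev) { refcount_inc(&ax25_dev->refcount); }` so the argument type is checked and the pair reads the same. The braces around the single kfree() in ax25_dev_put() are also unnecessary.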
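Review bot: the ax25_dev_put() added in ax25_kill_by_device() releases the reference a bound socket holds on its device, but af_ax25.c gains only two lines in this diff and neither is in ax25_release(). A socket that is closed while its device is still up therefore never drops that reference, and the device's count can no longer reach zero after ax25_dev_device_down(); the socket teardown path needs a matching put (patch 5/8 of this series cites 9fd75b66b8f6, "ax25: Fix refcount leaks caused by ax25_cb_del()", for exactly that).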
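Review bot: the ax25_dev_put() at the out_put: label of ax25_ctl_ioctl() only balances the lookup on the paths that reach that label; every return between ax25_addr_ax25dev() and out_put: (the hunk context does not show them, e.g. the -ENOTCONN return when no control block matches) must drop the reference too, otherwise each rejected ioctl leaks one count.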
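Review bot: the for loop in ax25_addr_ax25dev() keeps scanning after a match, so if two list entries ever share an address the ax25_dev_hold() taken on the first match is lost when res is overwritten; add a `break;` after the hold, or hold once on the final res after the loop. A comment on the function that callers now own a reference and must ax25_dev_put() it on every exit path would also help, since that is the invariant the rest of this patch depends on.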
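Review bot: in both list-removal branches of ax25_dev_device_down() the new ax25_dev_put(ax25_dev) is issued while ax25_dev_lock is still held. It cannot free the object there (the dev->ax25_ptr reference is still outstanding and is dropped by the put that replaces kfree() a few lines later), but moving it after spin_unlock_bh() keeps any kfree() path out of the spinlock and mirrors the hold taken in ax25_dev_device_up(). The third hunk adds a put on the not-found path at the end of the function; the changelog should say this is intended, since that path has no dev_put(dev).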
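Review bot: in the SIOCAX25ADDFWD case of ax25_fwd_ioctl() the `return -EINVAL` taken when `ax25_dev->forward != NULL` sits between the fwd_dev lookup and the new `ax25_dev_put(fwd_dev)`, so that error path leaks fwd_dev's reference; likewise the `ax25_dev_put(ax25_dev)` added before `return 0` is skipped by every `return -EINVAL` above it. Each error return after the lookups needs its own put, or route them through a common out label that puts once.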
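Review bot: in ax25_rt_add() the ax25_dev_put() placed after `ax25_rt->ip_mode = ' ';` covers only the path that allocates a new route; the returns earlier in the function after the lookup (the existing-route update and the -ENOMEM on the ax25_route allocation, outside this hunk's context) never put the reference and will leak it. A put beside each write_unlock_bh()/return pair is simpler to audit than one placed mid-function.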
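Review bot: in ax25_rt_del() and at the out: label of ax25_rt_opt() the ax25_dev_put() runs before write_unlock_bh(&ax25_route_lock); prefer dropping it after the unlock so the last reference can never go away inside the critical section, which is also where the ax25_rt_add() put ends up once its error paths are covered.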
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, Dan Carpenter, Jakub Kicinski, Ovidiu Panait
Subject: [PATCH 4.14 2/8] ax25: fix reference count leaks of ax25_dev
Date: Thu, 21 Apr 2022 13:37:33 +0300
Message-Id: <20220421103739.1274449-2-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
References: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 87563a043cef044fed5db7967a75741cc16ad2b1 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to
avoid UAF bugs") introduces refcount into ax25_dev, but there are
reference leak paths in ax25_ctl_ioctl(), ax25_fwd_ioctl(),
ax25_rt_add(), ax25_rt_del() and ax25_rt_opt().

This patch uses ax25_dev_put() and adjusts the position of
ax25_addr_ax25dev() to fix reference count leaks of ax25_dev.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Signed-off-by: Duoming Zhou
Reviewed-by: Dan Carpenter
Link: https://lore.kernel.org/r/20220203150811.42256-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski
[OP: backport to 4.14: adjust context]
Signed-off-by: Ovidiu Panait --- include/net/ax25.h | 8 +++++--- net/ax25/af_ax25.c | 12 ++++++++---- net/ax25/ax25_dev.c | 24 +++++++++++++++++------- net/ax25/ax25_route.c | 16 +++++++++++----- 4 files changed, 41 insertions(+), 19 deletions(-) diff --git a/include/net/ax25.h b/include/net/ax25.h index 390e32103a6e..5db7b4c9256d 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -290,10 +290,12 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } -#define ax25_dev_hold(__ax25_dev) \ - refcount_inc(&((__ax25_dev)->refcount)) +static inline void ax25_dev_hold(ax25_dev *ax25_dev) +{ + refcount_inc(&ax25_dev->refcount); +} -static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +static inline void ax25_dev_put(ax25_dev *ax25_dev) { if (refcount_dec_and_test(&ax25_dev->refcount)) { kfree(ax25_dev); diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 3f13c619824b..e699bd80a861 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -370,21 +370,25 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl))) return -EFAULT; - if ((ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr)) == NULL) - return -ENODEV; - if (ax25_ctl.digi_count > AX25_MAX_DIGIS) return -EINVAL; if (ax25_ctl.arg > ULONG_MAX / HZ && ax25_ctl.cmd != AX25_KILL) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr); + if (!ax25_dev) + return -ENODEV; + digi.ndigi = ax25_ctl.digi_count; for (k = 0; k < digi.ndigi; k++) digi.calls[k] = ax25_ctl.digi_addr[k]; - if ((ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev)) == NULL) + ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev); + if (!ax25) { + ax25_dev_put(ax25_dev); return -ENOTCONN; + } switch (ax25_ctl.cmd) { case AX25_KILL: diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 76d105390706..55a611f7239b 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c 
@@ -88,8 +88,8 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; - ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_hold(ax25_dev); ax25_register_dev_sysctl(ax25_dev); } @@ -118,8 +118,8 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -129,8 +129,8 @@ void ax25_dev_device_down(struct net_device *dev) while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -153,25 +153,35 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) switch (cmd) { case SIOCAX25ADDFWD: - if ((fwd_dev = ax25_addr_ax25dev(&fwd->port_to)) == NULL) + fwd_dev = ax25_addr_ax25dev(&fwd->port_to); + if (!fwd_dev) { + ax25_dev_put(ax25_dev); return -EINVAL; - if (ax25_dev->forward != NULL) + } + if (ax25_dev->forward) { + ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = fwd_dev->dev; ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); break; case SIOCAX25DELFWD: - if (ax25_dev->forward == NULL) + if (!ax25_dev->forward) { + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = NULL; + ax25_dev_put(ax25_dev); break; default: + ax25_dev_put(ax25_dev); return -EINVAL; } - ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index c13f1e897b39..7d4c86f11b0f 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c 
@@ -78,11 +78,13 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_dev *ax25_dev; int i; - if ((ax25_dev = ax25_addr_ax25dev(&route->port_addr)) == NULL) - return -EINVAL; if (route->digi_count > AX25_MAX_DIGIS) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&route->port_addr); + if (!ax25_dev) + return -EINVAL; + write_lock_bh(&ax25_route_lock); ax25_rt = ax25_route_list; @@ -94,6 +96,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -104,6 +107,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) } } write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } ax25_rt = ax25_rt->next; @@ -111,6 +115,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if ((ax25_rt = kmalloc(sizeof(ax25_route), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } @@ -119,11 +124,11 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; - ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); kfree(ax25_rt); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -136,6 +141,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->next = ax25_route_list; ax25_route_list = ax25_rt; write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } @@ -176,8 +182,8 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } 
@@ -219,8 +225,8 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return err; }
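Review bot: the include/net/ax25.h hunk turns ax25_dev_hold() from a macro into a static inline and drops the __inline__ spelling on ax25_dev_put(); that is the right cleanup, but it is unrelated to the leak paths the commit message lists, so a sentence there saying the helpers were made type-safe inlines would make the change self-explaining.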
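Review bot: moving the ax25_addr_ax25dev() lookup in ax25_ctl_ioctl() below the digi_count and arg checks removes the leak on those two -EINVAL returns, and the new `if (!ax25)` block correctly puts the device before -ENOTCONN. Since out_put: already drops both ax25 and ax25_dev, please confirm that every path inside the switch that follows reaches out_put: via goto rather than a bare return; those lines are outside the hunk's context.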
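Review bot: the ax25_dev_hold() in ax25_dev_device_up() and the first ax25_dev_put() in each branch of ax25_dev_device_down() now run after ax25_dev_lock has been released, so there is a window where an entry is on ax25_dev_list without its list reference taken, or with it already dropped. That is only safe because device up/down are serialized by the netdev notifier chain; a one-line comment at the hold site stating that assumption would save the next reader the same question.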
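Review bot: the rewrite of ax25_fwd_ioctl() repeats ax25_dev_put(ax25_dev) in every branch of the switch and removes the single put that sat before `return 0`. An `int ret = -EINVAL;` with `goto out;` in the error branches and `out: ax25_dev_put(ax25_dev); return ret;` would keep one put and make the SIOCAX25ADDFWD path, where both fwd_dev and ax25_dev must be released, easier to verify.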
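Review bot: ax25_rt_add() now puts the device on all five exits after the lookup (both -ENOMEM paths of the update branch and the new-route branch, the update `return 0`, and the final success return), which closes the leak; with that many exits an `out_unlock:` label that does write_unlock_bh() followed by ax25_dev_put() would let later changes add a return without having to remember the put.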
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, Paolo Abeni, Ovidiu Panait
Subject: [PATCH 4.14 5/8] ax25: fix UAF bug in ax25_send_control()
Date: Thu, 21 Apr 2022 13:37:36 +0300
Message-Id: <20220421103739.1274449-5-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
References: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
SFS:(13230001)(4636009)(366004)(6486002)(38350700002)(38100700002)(26005)(508600001)(8936002)(86362001)(6916009)(316002)(54906003)(52116002)(36756003)(186003)(107886003)(4326008)(44832011)(66556008)(83380400001)(2906002)(6506007)(66946007)(6512007)(5660300002)(1076003)(66476007)(6666004)(2616005)(8676002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 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 X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 9744e995-3050-44b2-4ad9-08da23830549 X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Apr 2022 10:38:06.3817 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: V8UD8PyHGCSWWpB78jituVDNPMdbjwCUCAdcx2jWUuVoeCRp48gnqey1v65BancVYQ3GJ74xyuE/nFrxkiKf7O2W/jpi0oVFyzBGdYzok+g= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB5406 X-Proofpoint-ORIG-GUID: rgHvKd7ph__SZtBgQbKzh8391zvc_vug X-Proofpoint-GUID: rgHvKd7ph__SZtBgQbKzh8391zvc_vug X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-20_06,2022-04-21_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 suspectscore=0 bulkscore=0 spamscore=0 mlxscore=0 malwarescore=0 mlxlogscore=721 clxscore=1015 phishscore=0 impostorscore=0 adultscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2204210059 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 
From: Duoming Zhou

commit 5352a761308397a0e6250fdc629bb3f615b94747 upstream.

There are UAF bugs in ax25_send_control(), when we call ax25_release()
to deallocate ax25_dev. The possible race condition is shown below:

      (Thread 1)          |      (Thread 2)
ax25_dev_device_up() //(1)|
                          | ax25_kill_by_device()
ax25_bind()          //(2)|
ax25_connect()            | ...
 ax25->state = AX25_STATE_1 |
...                       | ax25_dev_device_down() //(3)

      (Thread 3)
ax25_release()            |
 ax25_dev_put()  //(4) FREE|
 case AX25_STATE_1:       |
 ax25_send_control()      |
  alloc_skb()    //USE    |

The refcount of ax25_dev increases in position (1) and (2), and
decreases in position (3) and (4). The ax25_dev will be freed before
dereference sites in ax25_send_control().

The following is part of the report:

[ 102.297448] BUG: KASAN: use-after-free in ax25_send_control+0x33/0x210
[ 102.297448] Read of size 8 at addr ffff888009e6e408 by task ax25_close/602
[ 102.297448] Call Trace:
[ 102.303751] ax25_send_control+0x33/0x210
[ 102.303751] ax25_release+0x356/0x450
[ 102.305431] __sock_release+0x6d/0x120
[ 102.305431] sock_close+0xf/0x20
[ 102.305431] __fput+0x11f/0x420
[ 102.305431] task_work_run+0x86/0xd0
[ 102.307130] get_signal+0x1075/0x1220
[ 102.308253] arch_do_signal_or_restart+0x1df/0xc00
[ 102.308253] exit_to_user_mode_prepare+0x150/0x1e0
[ 102.308253] syscall_exit_to_user_mode+0x19/0x50
[ 102.308253] do_syscall_64+0x48/0x90
[ 102.308253] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 102.308253] RIP: 0033:0x405ae7

This patch defers the free operation of ax25_dev and net_device until
after all corresponding dereference sites in ax25_release() to avoid UAF.

Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
Signed-off-by: Duoming Zhou
Signed-off-by: Paolo Abeni
[OP: backport to 4.14: adjust dev_put_track()->dev_put()]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 43a69d0e8a71..ed40d4e47887 100644
--- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -994,10 +994,6 @@ static int ax25_release(struct socket *sock) sock_orphan(sk); ax25 = sk_to_ax25(sk); ax25_dev = ax25->ax25_dev; - if (ax25_dev) { - dev_put(ax25_dev->dev); - ax25_dev_put(ax25_dev); - } if (sk->sk_type == SOCK_SEQPACKET) { switch (ax25->state) { 
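Review bot: dropping the dev_put(ax25_dev->dev)/ax25_dev_put(ax25_dev) pair at this point is only balanced together with the block re-added after ax25_destroy_socket() later in ax25_release(); applied alone, this hunk leaks one net_device and one ax25_dev reference per close. The `ax25_dev = ax25->ax25_dev;` snapshot taken just above is what every dereference in the state switch below relies on, so the hunk is correct as long as nothing between here and the deferred put can clear or swap ax25->ax25_dev under lock_sock(); a one-line comment at the snapshot saying the puts are deferred until after the AX25_STATE_* handling would make that dependency visible to the next reader.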
@@ -1059,6 +1055,10 @@ static int ax25_release(struct socket *sock) sk->sk_state_change(sk); ax25_destroy_socket(ax25); } + if (ax25_dev) { + dev_put(ax25_dev->dev); + ax25_dev_put(ax25_dev); + } sock->sk = NULL; release_sock(sk);
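Review bot: the re-added put block sits after ax25_destroy_socket(ax25), so it must use the `ax25_dev` local captured at the top of ax25_release() rather than re-read ax25->ax25_dev, which it does; keep it that way, since the ax25_cb may already be queued for destruction at this point. What this hunk does not cover: the last reference is still dropped while the ax25 timers (t1timer and friends) can be pending, which is exactly the window the 4.19 8/8 patch further down this page closes by placing del_timer_sync() calls in front of these same two puts. This fix is complete only if the 4.14 series carries the matching 8/8 change, which is not shown on this page.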

From patchwork Thu Apr 21 10:37:38 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 568087
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, "David S. Miller", Ovidiu Panait
Subject: [PATCH 4.14 7/8] ax25: Fix NULL pointer dereferences in ax25 timers
Date: Thu, 21 Apr 2022 13:37:38 +0300
Message-Id: <20220421103739.1274449-7-ovidiu.panait@windriver.com>
In-Reply-To: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
References: <20220421103739.1274449-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 upstream.

The previous commit 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
moved ax25_disconnect into lock_sock() in order to prevent NPD bugs. But
there are race conditions that may lead to null pointer dereferences in
ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(),
ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we use
ax25_kill_by_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be
shown as below:

      (Thread 1)                  |      (Thread 2)
ax25_connect()                    |
 ax25_std_establish_data_link()   |
  ax25_start_t1timer()            |
   mod_timer(&ax25->t1timer,..)   |
                                  | ax25_kill_by_device()
(wait a time)                     |  ...
                                  |  s->ax25_dev = NULL; //(1)
ax25_t1timer_expiry()             |
 ax25->ax25_dev->values[..] //(2) |  ...
...                               |

We set null to ax25_cb->ax25_dev in position (1) and dereference the
null pointer in position (2).

The corresponding fail log is shown below:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25_t1timer_expiry+0x12/0x40
...
Call Trace:
 call_timer_fn+0x21/0x120
 __run_timers.part.0+0x1ca/0x250
 run_timer_softirq+0x2c/0x60
 __do_softirq+0xef/0x2f3
 irq_exit_rcu+0xb6/0x100
 sysvec_apic_timer_interrupt+0xa2/0xd0
...

This patch moves ax25_disconnect() before s->ax25_dev = NULL and uses
del_timer_sync() to delete timers in ax25_disconnect(). If
ax25_disconnect() is called by ax25_kill_by_device() or ax25->ax25_dev
is NULL, the reason in ax25_disconnect() will be equal to ENETUNREACH,
and it will wait for all timers to stop before we set s->ax25_dev to
null in ax25_kill_by_device().

Fixes: 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 4.14: adjust context]
Signed-off-by: Ovidiu Panait --- net/ax25/af_ax25.c | 4 ++-- net/ax25/ax25_subr.c | 20 ++++++++++++++------ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 391b17ca1183..008b9403ab62 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -92,20 +92,20 @@ static void ax25_kill_by_device(struct net_device *dev) sk = s->sk; if (!sk) { spin_unlock_bh(&ax25_list_lock); - s->ax25_dev = NULL; ax25_disconnect(s, ENETUNREACH); + s->ax25_dev = NULL; spin_lock_bh(&ax25_list_lock); goto again; } sock_hold(sk); spin_unlock_bh(&ax25_list_lock); lock_sock(sk); + ax25_disconnect(s, ENETUNREACH); s->ax25_dev = NULL; if (sk->sk_socket) { dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); } - ax25_disconnect(s, ENETUNREACH); release_sock(sk); spin_lock_bh(&ax25_list_lock); sock_put(sk); diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c index 038b109b2be7..c129865cad9f 100644 --- a/net/ax25/ax25_subr.c +++ b/net/ax25/ax25_subr.c 
@@ -264,12 +264,20 @@ void ax25_disconnect(ax25_cb *ax25, int reason) { ax25_clear_queues(ax25); - if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) - ax25_stop_heartbeat(ax25); - ax25_stop_t1timer(ax25); - ax25_stop_t2timer(ax25); - ax25_stop_t3timer(ax25); - ax25_stop_idletimer(ax25); + if (reason == ENETUNREACH) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); + } else { + if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) + ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); + ax25_stop_t3timer(ax25); + ax25_stop_idletimer(ax25); + } ax25->state = AX25_STATE_0;
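Review bot: in the `!sk` branch of the ax25_kill_by_device() hunk, the reordered ax25_disconnect(s, ENETUNREACH) and the following `s->ax25_dev = NULL;` both run with ax25_list_lock dropped and nothing visibly holding a reference on `s`; because ax25_disconnect() now blocks in del_timer_sync() when reason is ENETUNREACH, the window in which another path could tear down that ax25_cb is longer than before. A comment stating what pins `s` across that wait (or an explicit hold/put around it) would help. In the `sk` branch the reorder is exactly what the commit message needs: ax25_disconnect() now runs before dev_put(ax25_dev->dev)/ax25_dev_put(ax25_dev), so the timers are synchronously gone before the device references are dropped.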
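Review bot: the new `reason == ENETUNREACH` branch in ax25_disconnect() cancels all five timers with del_timer_sync() unconditionally, including ax25->timer, whereas the else branch still skips ax25_stop_heartbeat() when the socket carries SOCK_DESTROY; if that exemption matters on the heartbeat path it is silently lost on the device-kill path, so a comment should say why the unconditional cancel is safe there. Using ENETUNREACH as the signal that the caller is ax25_kill_by_device() is also implicit: any future caller passing ENETUNREACH for another reason inherits the blocking del_timer_sync() semantics, which must not be reached from a timer callback or while holding a lock the callbacks take. A dedicated argument or flag, or at least a comment above the branch, would make that contract explicit.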

From patchwork Thu Apr 21 10:24:22 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 568090
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, Paolo Abeni, Ovidiu Panait
Subject: [PATCH 4.19 8/8] ax25: Fix UAF bugs in ax25 timers
Date: Thu, 21 Apr 2022 13:24:22 +0300
Message-Id: <20220421102422.1206656-8-ovidiu.panait@windriver.com>
In-Reply-To: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
References: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit 82e31755e55fbcea6a9dfaae5fe4860ade17cbc0 upstream.

There are race conditions that may lead to UAF bugs in
ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(),
ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we call
ax25_release() to deallocate ax25_dev.

One of the UAF bugs caused by ax25_release() is shown below:

      (Thread 1)                  |      (Thread 2)
ax25_dev_device_up() //(1)        |
...                               | ax25_kill_by_device()
ax25_bind()          //(2)        |
ax25_connect()                    | ...
 ax25_std_establish_data_link()   |
  ax25_start_t1timer()            | ax25_dev_device_down() //(3)
   mod_timer(&ax25->t1timer,..)   |
                                  | ax25_release()
(wait a time)                     |  ...
                                  |  ax25_dev_put(ax25_dev) //(4)FREE
ax25_t1timer_expiry()             |
 ax25->ax25_dev->values[..] //USE |  ...
...                               |

We increase the refcount of ax25_dev in position (1) and (2), and
decrease the refcount of ax25_dev in position (3) and (4). The ax25_dev
will be freed in position (4) and be used in ax25_t1timer_expiry().

The fail log is shown below:
==============================================================
[ 106.116942] BUG: KASAN: use-after-free in ax25_t1timer_expiry+0x1c/0x60
[ 106.116942] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0
[ 106.116942] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574
[ 106.116942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14
[ 106.116942] Call Trace:
...
[ 106.116942]  ax25_t1timer_expiry+0x1c/0x60
[ 106.116942]  call_timer_fn+0x122/0x3d0
[ 106.116942]  __run_timers.part.0+0x3f6/0x520
[ 106.116942]  run_timer_softirq+0x4f/0xb0
[ 106.116942]  __do_softirq+0x1c2/0x651
...

This patch adds del_timer_sync() in ax25_release(), which could ensure
that all timers stop before we deallocate ax25_dev.

Signed-off-by: Duoming Zhou
Signed-off-by: Paolo Abeni
[OP: backport to 4.19: adjust context]
Signed-off-by: Ovidiu Panait
---
 net/ax25/af_ax25.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index faa098faafa7..7861f2747f84 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1055,6 +1055,11 @@ static int ax25_release(struct socket *sock) ax25_destroy_socket(ax25); } if (ax25_dev) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); }
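Review bot: the five del_timer_sync() calls are placed after ax25_destroy_socket(ax25) and inside `if (ax25_dev)`, so they touch the ax25_cb after it has been handed to ax25_destroy_socket(); the hunk is sound only if ax25_destroy_socket() never frees the cb itself, which deserves a comment here. The `if (ax25_dev)` guard also means a socket whose ax25_dev was already cleared by ax25_kill_by_device() does not get its timers synchronised in this path; that relies on the 7/8 change to ax25_disconnect() having done it, so the two patches need to land together. Finally, ax25_release() holds the socket lock at this point, and del_timer_sync() under a lock that a timer callback also needs is a classic deadlock shape; worth confirming in a comment that none of the ax25 timer callbacks take lock_sock().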