* [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 12:34 UTC
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 6c9592d05120..b463452c507e 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -30,6 +30,7 @@
#include <net/nfc/nci.h>
#include <net/nfc/nci_core.h>
#include <linux/nfc.h>
+#include "../llcp.h"
struct core_conn_create_data {
int length;
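Review bot: the added `#include "../llcp.h"` makes the NCI core depend on an LLCP-private header, which inverts the layering (LLCP sits above nfc_core, which sits above the NCI driver layer); nci/core.c has no business knowing about struct nfc_llcp_sock, and this include is the first sign that the change below belongs in the LLCP code rather than in nci_free_device().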
@@ -1206,6 +1207,9 @@ EXPORT_SYMBOL(nci_allocate_device);
*/
void nci_free_device(struct nci_dev *ndev)
{
+ struct nfc_llcp_sock *nls = container_of(ndev->nfc_dev,
+ struct nfc_llcp_sock, dev);
+ nls->local = NULL;
nfc_free_device(ndev->nfc_dev);
nci_hci_deallocate(ndev);
kfree(ndev);
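Review bot: `container_of(ndev->nfc_dev, struct nfc_llcp_sock, dev)` is not a valid use of the macro: `dev` in struct nfc_llcp_sock is a `struct nfc_dev *` pointer member, not an embedded struct, so the nfc_dev is not contained in any nfc_llcp_sock, and the kernel's container_of() type check should reject it at build time (pointer type mismatch between `struct nfc_dev` and `struct nfc_dev *`); if it did compile, `nls->local = NULL` would store into unrelated memory. Beyond that, any number of LLCP sockets can reference the same device, so clearing one pointer cannot cover them; the sockets holding a `local` are reachable through the nfc_llcp_local's socket list, which the LLCP unregister/release path already walks, and that is where any pointer clearing or reference dropping has to happen.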
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-10 12:19 UTC
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..05b21ced9e1f 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -754,6 +754,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
remaining_len = len;
msg_ptr = msg_data;
+ bh_lock_sock(sock);
do {
remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
local->remote_miu : sock->remote_miu;
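Review bot: `bh_lock_sock(sock)` is a spinlock taken with bottom halves disabled, and the loop it now wraps allocates one skb per fragment through nfc_alloc_send_skb (the function named in the report title); check that nothing in that loop body can sleep while the lock is held, since a socket buffer allocation that waits for memory would not be allowed there. Separately, the socket lock serialises the socket's own state; it does not pin the lifetime of `sock->local` or `sock->dev`, so if the use-after-free is a read of a freed device or local inside nfc_alloc_send_skb, holding the socket lock around the loop does not close it.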
@@ -784,6 +785,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
remaining_len -= frag_len;
msg_ptr += frag_len;
} while (remaining_len > 0);
+ bh_unlock_sock(sock);
kfree(msg_data);
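Review bot: the unlock is placed after the `while` condition, so every exit from the loop body between the two hunks must fall through to it; any `return` from inside the loop (as opposed to `break`) would leave the socket locked with BH disabled. Please confirm the loop's error paths all break, or move the unlock into a common exit label that the allocation-failure path also reaches.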
--
2.25.1
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-10 11:26 UTC
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..f5dd2d7e41de 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
pr_debug("Send UI frame len %zd\n", len);
- local = sock->local;
+ local = nfc_llcp_find_local(sock->dev);
+ printk("finded: %p, d: %p, %s\n", local, sock->dev, __func__);
if (local == NULL)
return -ENODEV;
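Review bot: the `printk("finded: ...")` line is debugging output that should not be in the fix: it has no KERN_ level, the message is misspelled ("finded" should be "found"), and if a trace is wanted pr_debug() is the convention in this file (see the `pr_debug("Send UI frame ...")` just above). On the substantive change, replacing `sock->local` with `nfc_llcp_find_local(sock->dev)` changes ownership: in kernels of this vintage nfc_llcp_find_local() returns the local with a reference taken via nfc_llcp_local_get(), so this function now needs a matching nfc_llcp_local_put() on the success path after the send loop, otherwise each UI frame leaks a reference. The lookup also still dereferences `sock->dev`, which is freed on the same device-removal path, so it narrows rather than removes the window.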
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..8d47f17da904 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -299,6 +299,7 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
spin_lock(&llcp_devices_lock);
list_for_each_entry_safe(local, tmp, &llcp_devices, list)
if (local->dev == dev) {
+ printk("deled: l: %p, d: %p, %s\n", local, dev, __func__);
list_del(&local->list);
spin_unlock(&llcp_devices_lock);
return local;
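Review bot: the `printk("deled: ...")` call is issued inside the `llcp_devices_lock` critical section of the list walk; it is debug output with a misspelling ("deled" should be "deleted") and no KERN_ level, and it adds console I/O under a spinlock. Drop it before submitting, or use pr_debug() after `spin_unlock(&llcp_devices_lock)`.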
--
2.25.1
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 14:33 UTC
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
From d6bab181339771591ed9519dced29a8eb20ddadc Mon Sep 17 00:00:00 2001
From: Lizhi Xu <lizhi.xu@windriver.com>
Date: Thu, 9 Nov 2023 21:31:26 +0800
Subject: [PATCH] nfc/nci: fix uaf in nfc_alloc_send_skb
After releasing the nfc/nci device, nfc_llcp_sock->local should be set to null
to avoid referencing expired devices.
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
net/nfc/llcp_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..024cbba26fc8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -102,6 +102,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
accept_sk->sk_state_change(sk);
bh_unlock_sock(accept_sk);
+ lsk->local = NULL;
}
}
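Review bot: `lsk->local = NULL` is stored after `bh_unlock_sock(accept_sk)`, so the write is not covered by the socket lock that readers of the accepted socket take; a sender that has already loaded `sock->local` keeps using the old pointer, and later readers see the store unsynchronised. Move the assignment before bh_unlock_sock(). Two further points: clearing the pointer only helps callers that test for NULL (nfc_llcp_send_ui_frame does, returning -ENODEV), while any other user of `->local` would turn the use-after-free into a NULL dereference; and if the socket's `local` pointer carries a reference on the nfc_llcp_local (taken when the socket was bound or accepted), it should be released with nfc_llcp_local_put() rather than merely overwritten, or that reference leaks.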
@@ -113,6 +114,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
bh_unlock_sock(sk);
sk_del_node_init(sk);
+ llcp_sock->local = NULL;
}
write_unlock(&local->sockets.lock);
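Review bot: same ordering problem as the previous hunk: `llcp_sock->local = NULL` lands after `bh_unlock_sock(sk)` and `sk_del_node_init(sk)`, outside the socket lock, so a task already inside nfc_llcp_send_ui_frame on this socket sees the change without synchronisation; place the store before the unlock. Note also that nfc_llcp_socket_release runs while `local` is still valid (the `write_unlock(&local->sockets.lock)` that follows uses it), so at this point the device has not been freed yet; the race the report describes is between this release and the later free, which is why every path that uses `local` needs either a NULL check under the lock or its own reference, not just a cleared pointer.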
--
2.25.1
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 14:14 UTC
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..4959163d8dc5 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -113,6 +113,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
bh_unlock_sock(sk);
sk_del_node_init(sk);
+ llcp_sock->local = NULL;
}
write_unlock(&local->sockets.lock);
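Review bot: the store to `llcp_sock->local` is made after `bh_unlock_sock(sk)`, so it is not ordered against readers that take the socket lock and then use `sock->local`; move it before the unlock. This hunk also only covers the sockets on the per-local list walked here; sockets still queued in a listener's accept queue hold their own `local` pointer (they are handled in an earlier loop of nfc_llcp_socket_release, which this hunk does not touch), so those keep a dangling pointer after the device goes away.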
--
2.25.1
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 13:28 UTC
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..016364890357 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1640,11 +1640,14 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
void nfc_llcp_unregister_device(struct nfc_dev *dev)
{
struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
+ struct nfc_llcp_sock *nls;
if (local == NULL) {
pr_debug("No such device\n");
return;
}
+ nls = container_of(local, struct nfc_llcp_sock, local);
+ nls->local = NULL;
local_cleanup(local);
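Review bot: `container_of(local, struct nfc_llcp_sock, local)` is incorrect: in struct nfc_llcp_sock the member `local` is a `struct nfc_llcp_local *` pointer, not an embedded struct, so an nfc_llcp_local is never contained in a socket; the kernel's container_of() type check should fail the build with a pointer type mismatch, and if the check were bypassed the macro would subtract offsetof(struct nfc_llcp_sock, local) from the address of the local itself and `nls->local = NULL` would write into whatever precedes it in memory. A local is shared by every socket bound to the device rather than owned by one socket, and those sockets are the ones `local_cleanup(local)` on the next line already iterates, so the per-socket handling belongs inside that release path.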