[PATCH net] af_unix: don't append consumed skbs to sk_receive_queue

[PATCH net] af_unix: don't append consumed skbs to sk_receive_queue

[Hannes Frederic Sowa]

In case multiple writes to a unix stream socket race we could end up in a
situation where we pre-allocate a new skb for use in unix_stream_sendpage
but have to free it again in the locked section because another skb
has been appended meanwhile, which we must use. Accidentally we didn't
clear the pointer after consuming it and so we touched freed memory
while appending it to the sk_receive_queue. So, clear the pointer after
consuming the skb.

This bug has been found with syzkaller
(http://github.com/google/syzkaller) by Dmitry Vyukov.

Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
 net/unix/af_unix.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index aaa0b58..c6eb2e8 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1799,6 +1799,7 @@ alloc_skb:
 		 * this - does no harm
 		 */
 		consume_skb(newskb);
+		newskb = NULL;
 	}
 
 	if (skb_append_pagefrags(skb, page, offset, size)) {
-- 
2.5.0

Re: [PATCH net] af_unix: don't append consumed skbs to sk_receive_queue

[Eric Dumazet]

On Mon, 2015-11-16 at 16:25 +0100, Hannes Frederic Sowa wrote:
> In case multiple writes to a unix stream socket race we could end up in a
> situation where we pre-allocate a new skb for use in unix_stream_sendpage
> but have to free it again in the locked section because another skb
> has been appended meanwhile, which we must use. Accidentally we didn't
> clear the pointer after consuming it and so we touched freed memory
> while appending it to the sk_receive_queue. So, clear the pointer after
> consuming the skb.
> 
> This bug has been found with syzkaller
> (http://github.com/google/syzkaller) by Dmitry Vyukov.
> 
> Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH net] af_unix: don't append consumed skbs to sk_receive_queue

[David Miller]

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon, 16 Nov 2015 16:25:56 +0100

> In case multiple writes to a unix stream socket race we could end up in a
> situation where we pre-allocate a new skb for use in unix_stream_sendpage
> but have to free it again in the locked section because another skb
> has been appended meanwhile, which we must use. Accidentally we didn't
> clear the pointer after consuming it and so we touched freed memory
> while appending it to the sk_receive_queue. So, clear the pointer after
> consuming the skb.
> 
> This bug has been found with syzkaller
> (http://github.com/google/syzkaller) by Dmitry Vyukov.
> 
> Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

Applied and queued up for -stable, thanks.