All of lore.kernel.org
 help / color / mirror / Atom feed
* [Patch net] atm: fix a UAF in lec_arp_clear_vccs()
@ 2020-05-01 18:11 Cong Wang
  2020-05-01 18:11 ` [Patch net] atm: fix a memory leak of vcc->user_back Cong Wang
  2020-05-04 19:00 ` [Patch net] atm: fix a UAF in lec_arp_clear_vccs() David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Cong Wang @ 2020-05-01 18:11 UTC (permalink / raw)
  To: netdev; +Cc: Cong Wang, Gengming Liu

Gengming reported a UAF in lec_arp_clear_vccs(),
where we add a vcc socket to an entry in a per-device
list but free the socket without removing it from the
list when vcc->dev is NULL.

We need to call lec_vcc_close() to search and remove
those entries contain the vcc being destroyed. This can
be done by calling vcc->push(vcc, NULL) unconditionally
in vcc_destroy_socket().

Another issue discovered by Gengming's reproducer is
the vcc->dev may point to the static device lecatm_dev,
for which we don't need to register/unregister device,
so we can just check for vcc->dev->ops->owner.

Reported-by: Gengming Liu <l.dmxcsnsbh@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/atm/common.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/atm/common.c b/net/atm/common.c
index 0ce530af534d..8575f5d52087 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -177,18 +177,18 @@ static void vcc_destroy_socket(struct sock *sk)
 
 	set_bit(ATM_VF_CLOSE, &vcc->flags);
 	clear_bit(ATM_VF_READY, &vcc->flags);
-	if (vcc->dev) {
-		if (vcc->dev->ops->close)
-			vcc->dev->ops->close(vcc);
-		if (vcc->push)
-			vcc->push(vcc, NULL); /* atmarpd has no push */
-		module_put(vcc->owner);
-
-		while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
-			atm_return(vcc, skb->truesize);
-			kfree_skb(skb);
-		}
+	if (vcc->dev && vcc->dev->ops->close)
+		vcc->dev->ops->close(vcc);
+	if (vcc->push)
+		vcc->push(vcc, NULL); /* atmarpd has no push */
+	module_put(vcc->owner);
+
+	while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
+		atm_return(vcc, skb->truesize);
+		kfree_skb(skb);
+	}
 
+	if (vcc->dev && vcc->dev->ops->owner) {
 		module_put(vcc->dev->ops->owner);
 		atm_dev_put(vcc->dev);
 	}
-- 
2.26.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [Patch net] atm: fix a memory leak of vcc->user_back
  2020-05-01 18:11 [Patch net] atm: fix a UAF in lec_arp_clear_vccs() Cong Wang
@ 2020-05-01 18:11 ` Cong Wang
  2020-05-04 19:00   ` David Miller
  2020-05-04 19:00 ` [Patch net] atm: fix a UAF in lec_arp_clear_vccs() David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: Cong Wang @ 2020-05-01 18:11 UTC (permalink / raw)
  To: netdev; +Cc: Cong Wang, Gengming Liu

In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
could be installed on entry->recv_vcc too in lec_vcc_added().

This fixes the following memory leak:

unreferenced object 0xffff8880d9266b90 (size 16):
  comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5  ............kkk.
  backtrace:
    [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
    [<(____ptrval____)>] lane_ioctl+0x4b3/0x569
    [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
    [<(____ptrval____)>] svc_ioctl+0x17d/0x198
    [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
    [<(____ptrval____)>] sock_ioctl+0x2f9/0x322
    [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
    [<(____ptrval____)>] ksys_ioctl+0x61/0x80
    [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
    [<(____ptrval____)>] do_syscall_64+0x57/0x65
    [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3

Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/atm/lec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/atm/lec.c b/net/atm/lec.c
index 25fa3a7b72bd..ca37f5a71f5e 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -1264,6 +1264,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
 		entry->vcc = NULL;
 	}
 	if (entry->recv_vcc) {
+		struct atm_vcc *vcc = entry->recv_vcc;
+		struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
+
+		kfree(vpriv);
+		vcc->user_back = NULL;
+
 		entry->recv_vcc->push = entry->old_recv_push;
 		vcc_release_async(entry->recv_vcc, -EPIPE);
 		entry->recv_vcc = NULL;
-- 
2.26.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [Patch net] atm: fix a UAF in lec_arp_clear_vccs()
  2020-05-01 18:11 [Patch net] atm: fix a UAF in lec_arp_clear_vccs() Cong Wang
  2020-05-01 18:11 ` [Patch net] atm: fix a memory leak of vcc->user_back Cong Wang
@ 2020-05-04 19:00 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2020-05-04 19:00 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, l.dmxcsnsbh

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Fri,  1 May 2020 11:11:08 -0700

> Gengming reported a UAF in lec_arp_clear_vccs(),
> where we add a vcc socket to an entry in a per-device
> list but free the socket without removing it from the
> list when vcc->dev is NULL.
> 
> We need to call lec_vcc_close() to search and remove
> those entries contain the vcc being destroyed. This can
> be done by calling vcc->push(vcc, NULL) unconditionally
> in vcc_destroy_socket().
> 
> Another issue discovered by Gengming's reproducer is
> the vcc->dev may point to the static device lecatm_dev,
> for which we don't need to register/unregister device,
> so we can just check for vcc->dev->ops->owner.
> 
> Reported-by: Gengming Liu <l.dmxcsnsbh@gmail.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Patch net] atm: fix a memory leak of vcc->user_back
  2020-05-01 18:11 ` [Patch net] atm: fix a memory leak of vcc->user_back Cong Wang
@ 2020-05-04 19:00   ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2020-05-04 19:00 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, l.dmxcsnsbh

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Fri,  1 May 2020 11:11:09 -0700

> In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
> could be installed on entry->recv_vcc too in lec_vcc_added().
> 
> This fixes the following memory leak:
> 
> unreferenced object 0xffff8880d9266b90 (size 16):
>   comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
>   hex dump (first 16 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5  ............kkk.
>   backtrace:
>     [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
>     [<(____ptrval____)>] lane_ioctl+0x4b3/0x569
>     [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
>     [<(____ptrval____)>] svc_ioctl+0x17d/0x198
>     [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
>     [<(____ptrval____)>] sock_ioctl+0x2f9/0x322
>     [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
>     [<(____ptrval____)>] ksys_ioctl+0x61/0x80
>     [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
>     [<(____ptrval____)>] do_syscall_64+0x57/0x65
>     [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
> 
> Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-05-04 19:00 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-01 18:11 [Patch net] atm: fix a UAF in lec_arp_clear_vccs() Cong Wang
2020-05-01 18:11 ` [Patch net] atm: fix a memory leak of vcc->user_back Cong Wang
2020-05-04 19:00   ` David Miller
2020-05-04 19:00 ` [Patch net] atm: fix a UAF in lec_arp_clear_vccs() David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.