From: Ovidiu Panait <ovidiu.panait@windriver.com>
To: stable@vger.kernel.org
Subject: [PATCH 5.10 6/8] ax25: fix NPD bug in ax25_disconnect
Date: Fri, 15 Apr 2022 20:49:31 +0300 [thread overview]
Message-ID: <20220415174933.1076972-6-ovidiu.panait@windriver.com> (raw)
In-Reply-To: <20220415174933.1076972-1-ovidiu.panait@windriver.com>
From: Duoming Zhou <duoming@zju.edu.cn>
commit 7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10 upstream.
The ax25_disconnect() in ax25_kill_by_device() is not
protected by any locks, thus there is a race condition
between ax25_disconnect() and ax25_destroy_socket().
when ax25->sk is assigned as NULL by ax25_destroy_socket(),
a NULL pointer dereference bug will occur if site (1) or (2)
dereferences ax25->sk.
ax25_kill_by_device() | ax25_release()
ax25_disconnect() | ax25_destroy_socket()
... |
if(ax25->sk != NULL) | ...
... | ax25->sk = NULL;
bh_lock_sock(ax25->sk); //(1) | ...
... |
bh_unlock_sock(ax25->sk); //(2)|
This patch moves ax25_disconnect() into lock_sock(), which can
synchronize with ax25_destroy_socket() in ax25_release().
Fail log:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000088
...
RIP: 0010:_raw_spin_lock+0x7e/0xd0
...
Call Trace:
ax25_disconnect+0xf6/0x220
ax25_device_event+0x187/0x250
raw_notifier_call_chain+0x5e/0x70
dev_close_many+0x17d/0x230
rollback_registered_many+0x1f1/0x950
unregister_netdevice_queue+0x133/0x200
unregister_netdev+0x13/0x20
...
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
[OP: backport to 5.10: adjust context]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
net/ax25/af_ax25.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index f6594dcd36a2..b1e36d48b07c 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -102,8 +102,8 @@ static void ax25_kill_by_device(struct net_device *dev)
dev_put(ax25_dev->dev);
ax25_dev_put(ax25_dev);
}
- release_sock(sk);
ax25_disconnect(s, ENETUNREACH);
+ release_sock(sk);
spin_lock_bh(&ax25_list_lock);
sock_put(sk);
/* The entry could have been deleted from the
--
2.25.1
next prev parent reply other threads:[~2022-04-15 17:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-15 17:49 [PATCH 5.10 1/8] ax25: add refcount in ax25_dev to avoid UAF bugs Ovidiu Panait
2022-04-15 17:49 ` [PATCH 5.10 2/8] ax25: fix reference count leaks of ax25_dev Ovidiu Panait
2022-04-15 17:49 ` [PATCH 5.10 3/8] ax25: fix UAF bugs of net_device caused by rebinding operation Ovidiu Panait
2022-04-15 17:49 ` [PATCH 5.10 4/8] ax25: Fix refcount leaks caused by ax25_cb_del() Ovidiu Panait
2022-04-15 17:49 ` [PATCH 5.10 5/8] ax25: fix UAF bug in ax25_send_control() Ovidiu Panait
2022-04-15 17:49 ` Ovidiu Panait [this message]
2022-04-15 17:49 ` [PATCH 5.10 7/8] ax25: Fix NULL pointer dereferences in ax25 timers Ovidiu Panait
2022-04-15 17:49 ` [PATCH 5.10 8/8] ax25: Fix UAF bugs " Ovidiu Panait
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220415174933.1076972-6-ovidiu.panait@windriver.com \
--to=ovidiu.panait@windriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.