[PATCH 0/4] nfc: fix Resource leakage and endless loop

[PATCH 0/4] nfc: fix Resource leakage and endless loop

[Xiaoming Ni]

fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
 reported by "kiyin(尹亮)".

Link: https://www.openwall.com/lists/oss-security/2020/11/01/1



Xiaoming Ni (4):
  nfc: fix refcount leak in llcp_sock_bind()
  nfc: fix refcount leak in llcp_sock_connect()
  nfc: fix memory leak in llcp_sock_connect()
  nfc: Avoid endless loops caused by repeated llcp_sock_connect()

 net/nfc/llcp_sock.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.27.0

[PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind()

[Xiaoming Ni]

nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
 creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 					  llcp_sock->service_name_len,
 					  GFP_KERNEL);
 	if (!llcp_sock->service_name) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
 	llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		kfree(llcp_sock->service_name);
 		llcp_sock->service_name = NULL;
 		ret = -EADDRINUSE;
-- 
2.27.0

[PATCH 2/4] nfc: fix refcount leak in llcp_sock_connect()

[Xiaoming Ni]

nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 	llcp_sock->local = nfc_llcp_local_get(local);
 	llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
@@ -748,6 +749,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 
 sock_llcp_release:
 	nfc_llcp_put_ssap(local, llcp_sock->ssap);
+	nfc_llcp_local_put(llcp_sock->local);
 
 put_dev:
 	nfc_put_device(dev);
-- 
2.27.0

[PATCH 3/4] nfc: fix memory leak in llcp_sock_connect()

[Xiaoming Ni]

In llcp_sock_connect(), use kmemdup to allocate memory for
 "llcp_sock->service_name". The memory is not released in the sock_unlink
label of the subsequent failure branch.
As a result, memory leakage occurs.

fix CVE-2020-25672

Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.3
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9e2799ee1595..59172614b249 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 
 sock_unlink:
 	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+	kfree(llcp_sock->service_name);
+	llcp_sock->service_name = NULL;
 
 sock_llcp_release:
 	nfc_llcp_put_ssap(local, llcp_sock->ssap);
-- 
2.27.0

[PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()

[Xiaoming Ni]

When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
 LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
 nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
 sk->sk_node->next will point to itself, that will make an endless loop
 and hang-up the system.
To fix it, check whether sk->sk_state is LLCP_CONNECTING in
 llcp_sock_connect() to avoid repeated invoking.

fix CVE-2020-25673
Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.11
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 59172614b249..a3b46f888803 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 		ret = -EISCONN;
 		goto error;
 	}
+	if (sk->sk_state == LLCP_CONNECTING) {
+		ret = -EINPROGRESS;
+		goto error;
+	}
 
 	dev = nfc_get_device(addr->dev_idx);
 	if (dev == NULL) {
-- 
2.27.0

RE: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail)

[kiyin(尹亮)]

Hi xiaoming,
  the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
  if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...

Regards,
kiyin.

> -----Original Message-----
> From: Xiaoming Ni [mailto:nixiaoming@huawei.com]
> Sent: Wednesday, March 3, 2021 2:17 PM
> To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>;
> stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com;
> linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org;
> mkl@pengutronix.de; stefan@datenfreihafen.org;
> matthieu.baerts@tessares.net; netdev@vger.kernel.org
> Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com
> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
> llcp_sock_connect()(Internet mail)
> 
> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
>  nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
>  sk->sk_node->next will point to itself, that will make an endless loop  and
> hang-up the system.
> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
>  llcp_sock_connect() to avoid repeated invoking.
> 
> fix CVE-2020-25673
> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
> Cc: <stable@vger.kernel.org> #v3.11
> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> ---
>  net/nfc/llcp_sock.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
> 59172614b249..a3b46f888803 100644
> --- a/net/nfc/llcp_sock.c
> +++ b/net/nfc/llcp_sock.c
> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
> struct sockaddr *_addr,
>  		ret = -EISCONN;
>  		goto error;
>  	}
> +	if (sk->sk_state == LLCP_CONNECTING) {
> +		ret = -EINPROGRESS;
> +		goto error;
> +	}
> 
>  	dev = nfc_get_device(addr->dev_idx);
>  	if (dev == NULL) {
> --
> 2.27.0
> 

Re: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail)

[Xiaoming Ni]

On 2021/3/3 17:28, kiyin(尹亮) wrote:
> Hi xiaoming,
>    the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
>    if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...

I didn't find the code to modify sk->sk_state after a connect failure. 
Can you provide guidance?

Based on my understanding of the current code:
After llcp_sock_connect() is invoked using the meaningless service_name 
as the parameter, sk->sk_state is set to LLCP_CONNECTING. After that, no 
corresponding service responds to the request because the service_name 
is meaningless, the value of sk->sk_state remains unchanged.
Therefore, when llcp_sock_connect() is invoked again, resources such as 
llcp_sock->service_name are not repeatedly applied because sk_state is 
set to LLCP_CONNECTING.

In this way, the repeated invoking of llcp_sock_connect() does not 
repeatedly leak resources.

Thanks
Xiaoming Ni


> 
>> -----Original Message-----
>> From: Xiaoming Ni [mailto:nixiaoming@huawei.com]
>> Sent: Wednesday, March 3, 2021 2:17 PM
>> To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>;
>> stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com;
>> linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org;
>> mkl@pengutronix.de; stefan@datenfreihafen.org;
>> matthieu.baerts@tessares.net; netdev@vger.kernel.org
>> Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com
>> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
>> llcp_sock_connect()(Internet mail)
>>
>> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
>> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
>>   nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
>>   sk->sk_node->next will point to itself, that will make an endless loop  and
>> hang-up the system.
>> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
>>   llcp_sock_connect() to avoid repeated invoking.
>>
>> fix CVE-2020-25673
>> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
>> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
>> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
>> Cc: <stable@vger.kernel.org> #v3.11
>> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
>> ---
>>   net/nfc/llcp_sock.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
>> 59172614b249..a3b46f888803 100644
>> --- a/net/nfc/llcp_sock.c
>> +++ b/net/nfc/llcp_sock.c
>> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
>> struct sockaddr *_addr,
>>   		ret = -EISCONN;
>>   		goto error;
>>   	}
>> +	if (sk->sk_state == LLCP_CONNECTING) {
>> +		ret = -EINPROGRESS;
>> +		goto error;
>> +	}
>>
>>   	dev = nfc_get_device(addr->dev_idx);
>>   	if (dev == NULL) {
>> --
>> 2.27.0
>>
> 

Re: [PATCH 0/4] nfc: fix Resource leakage and endless loop

[Greg KH]

On Wed, Mar 03, 2021 at 02:16:50PM +0800, Xiaoming Ni wrote:
> fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
>  reported by "kiyin(尹亮)".
> 
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1

What happened to this series?

Does it need to be resent against the latest networking tree?

thanks,

greg k-h

[PATCH resend 0/4] nfc: fix Resource leakage and endless loop

[Xiaoming Ni]

fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
 reported by "kiyin(尹亮)".

Link: https://www.openwall.com/lists/oss-security/2020/11/01/1

Xiaoming Ni (4):
  nfc: fix refcount leak in llcp_sock_bind()
  nfc: fix refcount leak in llcp_sock_connect()
  nfc: fix memory leak in llcp_sock_connect()
  nfc: Avoid endless loops caused by repeated llcp_sock_connect()

 net/nfc/llcp_sock.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.27.0

[PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind()

[Xiaoming Ni]

nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
 creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 					  llcp_sock->service_name_len,
 					  GFP_KERNEL);
 	if (!llcp_sock->service_name) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
 	llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		kfree(llcp_sock->service_name);
 		llcp_sock->service_name = NULL;
 		ret = -EADDRINUSE;
-- 
2.27.0

[PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect()

[Xiaoming Ni]

nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 	llcp_sock->local = nfc_llcp_local_get(local);
 	llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
@@ -748,6 +749,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 
 sock_llcp_release:
 	nfc_llcp_put_ssap(local, llcp_sock->ssap);
+	nfc_llcp_local_put(llcp_sock->local);
 
 put_dev:
 	nfc_put_device(dev);
-- 
2.27.0

[PATCH resend 3/4] nfc: fix memory leak in llcp_sock_connect()

[Xiaoming Ni]

In llcp_sock_connect(), use kmemdup to allocate memory for
 "llcp_sock->service_name". The memory is not released in the sock_unlink
label of the subsequent failure branch.
As a result, memory leakage occurs.

fix CVE-2020-25672

Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.3
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9e2799ee1595..59172614b249 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 
 sock_unlink:
 	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+	kfree(llcp_sock->service_name);
+	llcp_sock->service_name = NULL;
 
 sock_llcp_release:
 	nfc_llcp_put_ssap(local, llcp_sock->ssap);
-- 
2.27.0

[PATCH resend 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()

[Xiaoming Ni]

When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
 LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
 nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
 sk->sk_node->next will point to itself, that will make an endless loop
 and hang-up the system.
To fix it, check whether sk->sk_state is LLCP_CONNECTING in
 llcp_sock_connect() to avoid repeated invoking.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.11
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 59172614b249..a3b46f888803 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 		ret = -EISCONN;
 		goto error;
 	}
+	if (sk->sk_state == LLCP_CONNECTING) {
+		ret = -EINPROGRESS;
+		goto error;
+	}
 
 	dev = nfc_get_device(addr->dev_idx);
 	if (dev == NULL) {
-- 
2.27.0

Re: [PATCH resend 0/4] nfc: fix Resource leakage and endless loop

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Thu, 25 Mar 2021 11:51:09 +0800 you wrote:
> fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
>  reported by "kiyin(尹亮)".
> 
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
> 
> Xiaoming Ni (4):
>   nfc: fix refcount leak in llcp_sock_bind()
>   nfc: fix refcount leak in llcp_sock_connect()
>   nfc: fix memory leak in llcp_sock_connect()
>   nfc: Avoid endless loops caused by repeated llcp_sock_connect()
> 
> [...]

Here is the summary with links:
  - [resend,1/4] nfc: fix refcount leak in llcp_sock_bind()
    https://git.kernel.org/netdev/net/c/c33b1cc62ac0
  - [resend,2/4] nfc: fix refcount leak in llcp_sock_connect()
    https://git.kernel.org/netdev/net/c/8a4cd82d62b5
  - [resend,3/4] nfc: fix memory leak in llcp_sock_connect()
    https://git.kernel.org/netdev/net/c/7574fcdbdcb3
  - [resend,4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()
    https://git.kernel.org/netdev/net/c/4b5db93e7f2a

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html