* [PATCH 0/4] nfc: fix Resource leakage and endless loop
@ 2021-03-03 6:16 Xiaoming Ni
2021-03-03 6:16 ` [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
` (4 more replies)
0 siblings, 5 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-03 6:16 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
reported by "kiyin(尹亮)".
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Xiaoming Ni (4):
nfc: fix refcount leak in llcp_sock_bind()
nfc: fix refcount leak in llcp_sock_connect()
nfc: fix memory leak in llcp_sock_connect()
nfc: Avoid endless loops caused by repeated llcp_sock_connect()
net/nfc/llcp_sock.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--
2.27.0
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind()
2021-03-03 6:16 [PATCH 0/4] nfc: fix Resource leakage and endless loop Xiaoming Ni
@ 2021-03-03 6:16 ` Xiaoming Ni
2021-03-03 6:16 ` [PATCH 2/4] nfc: fix refcount leak in llcp_sock_connect() Xiaoming Ni
` (3 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-03 6:16 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().
fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
llcp_sock->service_name_len,
GFP_KERNEL);
if (!llcp_sock->service_name) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
kfree(llcp_sock->service_name);
llcp_sock->service_name = NULL;
ret = -EADDRINUSE;
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 2/4] nfc: fix refcount leak in llcp_sock_connect()
2021-03-03 6:16 [PATCH 0/4] nfc: fix Resource leakage and endless loop Xiaoming Ni
2021-03-03 6:16 ` [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
@ 2021-03-03 6:16 ` Xiaoming Ni
2021-03-03 6:16 ` [PATCH 3/4] nfc: fix memory " Xiaoming Ni
` (2 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-03 6:16 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().
fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
llcp_sock->local = nfc_llcp_local_get(local);
llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
@@ -748,6 +749,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ nfc_llcp_local_put(llcp_sock->local);
put_dev:
nfc_put_device(dev);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 3/4] nfc: fix memory leak in llcp_sock_connect()
2021-03-03 6:16 [PATCH 0/4] nfc: fix Resource leakage and endless loop Xiaoming Ni
2021-03-03 6:16 ` [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
2021-03-03 6:16 ` [PATCH 2/4] nfc: fix refcount leak in llcp_sock_connect() Xiaoming Ni
@ 2021-03-03 6:16 ` Xiaoming Ni
2021-03-03 6:16 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
2021-03-23 13:43 ` [PATCH 0/4] nfc: fix Resource leakage and endless loop Greg KH
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-03 6:16 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
In llcp_sock_connect(), use kmemdup to allocate memory for
"llcp_sock->service_name". The memory is not released in the sock_unlink
label of the subsequent failure branch.
As a result, memory leakage occurs.
fix CVE-2020-25672
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.3
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9e2799ee1595..59172614b249 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
sock_unlink:
nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;
sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()
2021-03-03 6:16 [PATCH 0/4] nfc: fix Resource leakage and endless loop Xiaoming Ni
` (2 preceding siblings ...)
2021-03-03 6:16 ` [PATCH 3/4] nfc: fix memory " Xiaoming Ni
@ 2021-03-03 6:16 ` Xiaoming Ni
2021-03-03 9:28 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail) kiyin(尹亮)
2021-03-23 13:43 ` [PATCH 0/4] nfc: fix Resource leakage and endless loop Greg KH
4 siblings, 1 reply; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-03 6:16 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
sk->sk_node->next will point to itself, that will make an endless loop
and hang-up the system.
To fix it, check whether sk->sk_state is LLCP_CONNECTING in
llcp_sock_connect() to avoid repeated invoking.
fix CVE-2020-25673
Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.11
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 59172614b249..a3b46f888803 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
ret = -EISCONN;
goto error;
}
+ if (sk->sk_state == LLCP_CONNECTING) {
+ ret = -EINPROGRESS;
+ goto error;
+ }
dev = nfc_get_device(addr->dev_idx);
if (dev == NULL) {
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* RE: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail)
2021-03-03 6:16 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
@ 2021-03-03 9:28 ` kiyin(尹亮)
2021-03-05 3:24 ` Xiaoming Ni
0 siblings, 1 reply; 14+ messages in thread
From: kiyin(尹亮) @ 2021-03-03 9:28 UTC (permalink / raw)
To: Xiaoming Ni, linux-kernel, stable, gregkh, sameo, linville,
davem, kuba, mkl, stefan, matthieu.baerts, netdev
Cc: wangle6, xiaoqian9
Hi xiaoming,
the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...
Regards,
kiyin.
> -----Original Message-----
> From: Xiaoming Ni [mailto:nixiaoming@huawei.com]
> Sent: Wednesday, March 3, 2021 2:17 PM
> To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>;
> stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com;
> linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org;
> mkl@pengutronix.de; stefan@datenfreihafen.org;
> matthieu.baerts@tessares.net; netdev@vger.kernel.org
> Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com
> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
> llcp_sock_connect()(Internet mail)
>
> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
> nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
> sk->sk_node->next will point to itself, that will make an endless loop and
> hang-up the system.
> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
> llcp_sock_connect() to avoid repeated invoking.
>
> fix CVE-2020-25673
> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
> Cc: <stable@vger.kernel.org> #v3.11
> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
> ---
> net/nfc/llcp_sock.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
> 59172614b249..a3b46f888803 100644
> --- a/net/nfc/llcp_sock.c
> +++ b/net/nfc/llcp_sock.c
> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
> struct sockaddr *_addr,
> ret = -EISCONN;
> goto error;
> }
> + if (sk->sk_state == LLCP_CONNECTING) {
> + ret = -EINPROGRESS;
> + goto error;
> + }
>
> dev = nfc_get_device(addr->dev_idx);
> if (dev == NULL) {
> --
> 2.27.0
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail)
2021-03-03 9:28 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail) kiyin(尹亮)
@ 2021-03-05 3:24 ` Xiaoming Ni
0 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-05 3:24 UTC (permalink / raw)
To: kiyin(尹亮),
linux-kernel, stable, gregkh, sameo, linville, davem, kuba, mkl,
stefan, matthieu.baerts, netdev
Cc: wangle6, xiaoqian9
On 2021/3/3 17:28, kiyin(尹亮) wrote:
> Hi xiaoming,
> the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
> if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...
I didn't find the code to modify sk->sk_state after a connect failure.
Can you provide guidance?
Based on my understanding of the current code:
After llcp_sock_connect() is invoked using the meaningless service_name
as the parameter, sk->sk_state is set to LLCP_CONNECTING. After that, no
corresponding service responds to the request because the service_name
is meaningless, the value of sk->sk_state remains unchanged.
Therefore, when llcp_sock_connect() is invoked again, resources such as
llcp_sock->service_name are not repeatedly applied because sk_state is
set to LLCP_CONNECTING.
In this way, the repeated invoking of llcp_sock_connect() does not
repeatedly leak resources.
Thanks
Xiaoming Ni
>
>> -----Original Message-----
>> From: Xiaoming Ni [mailto:nixiaoming@huawei.com]
>> Sent: Wednesday, March 3, 2021 2:17 PM
>> To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>;
>> stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com;
>> linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org;
>> mkl@pengutronix.de; stefan@datenfreihafen.org;
>> matthieu.baerts@tessares.net; netdev@vger.kernel.org
>> Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com
>> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
>> llcp_sock_connect()(Internet mail)
>>
>> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
>> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
>> nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
>> sk->sk_node->next will point to itself, that will make an endless loop and
>> hang-up the system.
>> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
>> llcp_sock_connect() to avoid repeated invoking.
>>
>> fix CVE-2020-25673
>> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
>> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
>> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
>> Cc: <stable@vger.kernel.org> #v3.11
>> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
>> ---
>> net/nfc/llcp_sock.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
>> 59172614b249..a3b46f888803 100644
>> --- a/net/nfc/llcp_sock.c
>> +++ b/net/nfc/llcp_sock.c
>> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
>> struct sockaddr *_addr,
>> ret = -EISCONN;
>> goto error;
>> }
>> + if (sk->sk_state == LLCP_CONNECTING) {
>> + ret = -EINPROGRESS;
>> + goto error;
>> + }
>>
>> dev = nfc_get_device(addr->dev_idx);
>> if (dev == NULL) {
>> --
>> 2.27.0
>>
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 0/4] nfc: fix Resource leakage and endless loop
2021-03-03 6:16 [PATCH 0/4] nfc: fix Resource leakage and endless loop Xiaoming Ni
` (3 preceding siblings ...)
2021-03-03 6:16 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
@ 2021-03-23 13:43 ` Greg KH
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
4 siblings, 1 reply; 14+ messages in thread
From: Greg KH @ 2021-03-23 13:43 UTC (permalink / raw)
To: Xiaoming Ni
Cc: linux-kernel, kiyin, stable, sameo, linville, davem, kuba, mkl,
stefan, matthieu.baerts, netdev, wangle6, xiaoqian9
On Wed, Mar 03, 2021 at 02:16:50PM +0800, Xiaoming Ni wrote:
> fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
> reported by "kiyin(尹亮)".
>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
What happened to this series?
Does it need to be resent against the latest networking tree?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH resend 0/4] nfc: fix Resource leakage and endless loop
2021-03-23 13:43 ` [PATCH 0/4] nfc: fix Resource leakage and endless loop Greg KH
@ 2021-03-25 3:51 ` Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
` (4 more replies)
0 siblings, 5 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-25 3:51 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
reported by "kiyin(尹亮)".
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Xiaoming Ni (4):
nfc: fix refcount leak in llcp_sock_bind()
nfc: fix refcount leak in llcp_sock_connect()
nfc: fix memory leak in llcp_sock_connect()
nfc: Avoid endless loops caused by repeated llcp_sock_connect()
net/nfc/llcp_sock.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--
2.27.0
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind()
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
@ 2021-03-25 3:51 ` Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect() Xiaoming Ni
` (3 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-25 3:51 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().
fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
llcp_sock->service_name_len,
GFP_KERNEL);
if (!llcp_sock->service_name) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
kfree(llcp_sock->service_name);
llcp_sock->service_name = NULL;
ret = -EADDRINUSE;
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect()
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
@ 2021-03-25 3:51 ` Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 3/4] nfc: fix memory " Xiaoming Ni
` (2 subsequent siblings)
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-25 3:51 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().
fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
llcp_sock->local = nfc_llcp_local_get(local);
llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM;
goto put_dev;
}
@@ -748,6 +749,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ nfc_llcp_local_put(llcp_sock->local);
put_dev:
nfc_put_device(dev);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH resend 3/4] nfc: fix memory leak in llcp_sock_connect()
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect() Xiaoming Ni
@ 2021-03-25 3:51 ` Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
2021-03-26 0:30 ` [PATCH resend 0/4] nfc: fix Resource leakage and endless loop patchwork-bot+netdevbpf
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-25 3:51 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
In llcp_sock_connect(), use kmemdup to allocate memory for
"llcp_sock->service_name". The memory is not released in the sock_unlink
label of the subsequent failure branch.
As a result, memory leakage occurs.
fix CVE-2020-25672
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.3
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 9e2799ee1595..59172614b249 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
sock_unlink:
nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;
sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap);
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH resend 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
` (2 preceding siblings ...)
2021-03-25 3:51 ` [PATCH resend 3/4] nfc: fix memory " Xiaoming Ni
@ 2021-03-25 3:51 ` Xiaoming Ni
2021-03-26 0:30 ` [PATCH resend 0/4] nfc: fix Resource leakage and endless loop patchwork-bot+netdevbpf
4 siblings, 0 replies; 14+ messages in thread
From: Xiaoming Ni @ 2021-03-25 3:51 UTC (permalink / raw)
To: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev
Cc: nixiaoming, wangle6, xiaoqian9
When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
sk->sk_node->next will point to itself, that will make an endless loop
and hang-up the system.
To fix it, check whether sk->sk_state is LLCP_CONNECTING in
llcp_sock_connect() to avoid repeated invoking.
Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.11
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
net/nfc/llcp_sock.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 59172614b249..a3b46f888803 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
ret = -EISCONN;
goto error;
}
+ if (sk->sk_state == LLCP_CONNECTING) {
+ ret = -EINPROGRESS;
+ goto error;
+ }
dev = nfc_get_device(addr->dev_idx);
if (dev == NULL) {
--
2.27.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH resend 0/4] nfc: fix Resource leakage and endless loop
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
` (3 preceding siblings ...)
2021-03-25 3:51 ` [PATCH resend 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
@ 2021-03-26 0:30 ` patchwork-bot+netdevbpf
4 siblings, 0 replies; 14+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-03-26 0:30 UTC (permalink / raw)
To: Xiaoming Ni
Cc: linux-kernel, kiyin, stable, gregkh, sameo, linville, davem,
kuba, mkl, stefan, matthieu.baerts, netdev, wangle6, xiaoqian9
Hello:
This series was applied to netdev/net.git (refs/heads/master):
On Thu, 25 Mar 2021 11:51:09 +0800 you wrote:
> fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
> reported by "kiyin(尹亮)".
>
> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
>
> Xiaoming Ni (4):
> nfc: fix refcount leak in llcp_sock_bind()
> nfc: fix refcount leak in llcp_sock_connect()
> nfc: fix memory leak in llcp_sock_connect()
> nfc: Avoid endless loops caused by repeated llcp_sock_connect()
>
> [...]
Here is the summary with links:
- [resend,1/4] nfc: fix refcount leak in llcp_sock_bind()
https://git.kernel.org/netdev/net/c/c33b1cc62ac0
- [resend,2/4] nfc: fix refcount leak in llcp_sock_connect()
https://git.kernel.org/netdev/net/c/8a4cd82d62b5
- [resend,3/4] nfc: fix memory leak in llcp_sock_connect()
https://git.kernel.org/netdev/net/c/7574fcdbdcb3
- [resend,4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()
https://git.kernel.org/netdev/net/c/4b5db93e7f2a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2021-03-26 0:30 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-03 6:16 [PATCH 0/4] nfc: fix Resource leakage and endless loop Xiaoming Ni
2021-03-03 6:16 ` [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
2021-03-03 6:16 ` [PATCH 2/4] nfc: fix refcount leak in llcp_sock_connect() Xiaoming Ni
2021-03-03 6:16 ` [PATCH 3/4] nfc: fix memory " Xiaoming Ni
2021-03-03 6:16 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
2021-03-03 9:28 ` [PATCH 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()(Internet mail) kiyin(尹亮)
2021-03-05 3:24 ` Xiaoming Ni
2021-03-23 13:43 ` [PATCH 0/4] nfc: fix Resource leakage and endless loop Greg KH
2021-03-25 3:51 ` [PATCH resend " Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 1/4] nfc: fix refcount leak in llcp_sock_bind() Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect() Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 3/4] nfc: fix memory " Xiaoming Ni
2021-03-25 3:51 ` [PATCH resend 4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Xiaoming Ni
2021-03-26 0:30 ` [PATCH resend 0/4] nfc: fix Resource leakage and endless loop patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).