korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-11 12:28:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
0fe0bbe00a
linux/net/nfc
History
Or Cohen c61760e694 net/nfc: fix use-after-free llcp_sock_bind/connect 
Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
fixed a refcount leak bug in bind/connect but introduced a
use-after-free if the same local is assigned to 2 different sockets.

This can be triggered by the following simple program:
    int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
    memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
    addr.sa_family = AF_NFC;
    addr.nfc_protocol = NFC_PROTO_NFC_DEP;
    bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
    close(sock1);
    close(sock2);

Fix this by assigning NULL to llcp_sock->local after calling
nfc_llcp_local_put.

This addresses CVE-2021-23134.

Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Reported-by: Nadav Markus <nmarkus@paloaltonetworks.com>
Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-05-04 11:59:48 -07:00
..
hci hci: llc_shdlc: style: Simplify bool comparison 2021-01-12 20:18:30 -08:00
nci Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
af_nfc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
core.c net: nfc: Fix kerneldoc warnings 2020-10-30 11:57:56 -07:00
digital_core.c NFC: digital: Correct function name in the kerneldoc comments 2021-03-28 17:56:56 -07:00
digital_dep.c net:nfc:digital: Fix a double free in digital_tg_recv_dep_req 2021-04-27 15:36:10 -07:00
digital_technology.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
digital.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
Kconfig net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
llcp_commands.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
llcp_core.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
llcp_sock.c net/nfc: fix use-after-free llcp_sock_bind/connect 2021-05-04 11:59:48 -07:00
llcp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-01-28 17:09:31 -08:00
nfc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
rawsock.c NFC: fix resource leak when target index is invalid 2021-01-23 13:34:35 -08:00