korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-13 14:24:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
93bc2d6d16
linux/net
History
Paolo Abeni 93bc2d6d16 tipc: fix UAF in error path 
commit 080cbb8902 upstream.

Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
a UAF in the tipc_buf_append() error path:

BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by task poc/8034

CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack linux/lib/dump_stack.c:88
 dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
 print_address_description linux/mm/kasan/report.c:377
 print_report+0xc4/0x620 linux/mm/kasan/report.c:488
 kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
 kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
 skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
 skb_release_all linux/net/core/skbuff.c:1094
 __kfree_skb linux/net/core/skbuff.c:1108
 kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
 kfree_skb linux/./include/linux/skbuff.h:1244
 tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
 tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
 tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
 tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
 tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
 udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
 udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
 udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
 __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
 ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
 NF_HOOK linux/./include/linux/netfilter.h:314
 NF_HOOK linux/./include/linux/netfilter.h:308
 ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
 dst_input linux/./include/net/dst.h:461
 ip_rcv_finish linux/net/ipv4/ip_input.c:449
 NF_HOOK linux/./include/linux/netfilter.h:314
 NF_HOOK linux/./include/linux/netfilter.h:308
 ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534
 __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648
 process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976
 __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576
 napi_poll linux/net/core/dev.c:6645
 net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781
 __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553
 do_softirq linux/kernel/softirq.c:454
 do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381
 local_bh_enable linux/./include/linux/bottom_half.h:33
 rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851
 __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378
 dev_queue_xmit linux/./include/linux/netdevice.h:3169
 neigh_hh_output linux/./include/net/neighbour.h:526
 neigh_output linux/./include/net/neighbour.h:540
 ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235
 __ip_finish_output linux/net/ipv4/ip_output.c:313
 __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323
 NF_HOOK_COND linux/./include/linux/netfilter.h:303
 ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433
 dst_output linux/./include/net/dst.h:451
 ip_local_out linux/net/ipv4/ip_output.c:129
 ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492
 udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963
 udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250
 inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850
 sock_sendmsg_nosec linux/net/socket.c:730
 __sock_sendmsg linux/net/socket.c:745
 __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191
 __do_sys_sendto linux/net/socket.c:2203
 __se_sys_sendto linux/net/socket.c:2199
 __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199
 do_syscall_x64 linux/arch/x86/entry/common.c:52
 do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120
RIP: 0033:0x7f3434974f29
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29
RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003
RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

In the critical scenario, either the relevant skb is freed or its
ownership is transferred into a frag_lists. In both cases, the cleanup
code must not free it again: we need to clear the skb reference earlier.

Fixes: 1149557d64 ("tipc: eliminate unnecessary linearization of incoming buffers")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852
Acked-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-05-17 11:43:55 +02:00
..
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:47:31 +02:00
9p net: 9p: avoid freeing uninit memory in p9pdu_vreadf 2024-01-08 11:29:47 +01:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2023-01-18 11:41:37 +01:00
8021q vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING 2024-02-23 08:24:50 +01:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-20 15:41:18 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-20 15:41:15 +01:00
ax25 ax25: Fix UAF bugs in ax25 timers 2022-04-20 09:19:40 +02:00
batman-adv batman-adv: Avoid infinite loop trying to resize local TT 2024-05-02 16:18:28 +02:00
bluetooth Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout 2024-05-17 11:43:54 +02:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2023-01-18 11:41:04 +01:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-07-14 16:53:33 +02:00
bridge net: bridge: fix corrupted ethernet header on multicast-to-unicast 2024-05-17 11:43:54 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:32:51 +01:00
can can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) 2024-02-23 08:25:13 +01:00
ceph libceph: use kernel_connect() 2023-10-25 11:53:19 +02:00
core rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation 2024-05-17 11:43:54 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 11:53:57 +02:00
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-20 10:30:15 +01:00
decnet Remove DECnet support from kernel 2023-06-21 15:44:10 +02:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:36:45 +02:00
dsa net: dsa: tag_sja1105: fix MAC DA patching from meta frames 2023-07-27 08:37:24 +02:00
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-05-02 16:18:36 +02:00
hsr hsr: Handle failures in module init 2024-03-26 18:22:25 -04:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-03 23:56:54 +09:00
ife net: sched: ife: fix potential use-after-free 2024-01-08 11:29:44 +01:00
ipv4 tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). 2024-05-17 11:43:53 +02:00
ipv6 ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() 2024-05-17 11:43:54 +02:00
iucv net/iucv: fix the allocation size of iucv_path_table array 2024-03-26 18:22:12 -04:00
kcm net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function 2024-03-26 18:22:18 -04:00
key net: af_key: fix sadb_x_filter validation 2023-08-30 16:27:16 +02:00
l2tp net l2tp: drop flow hash on forward 2024-05-17 11:43:49 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 13:50:47 +02:00
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:25:28 +01:00
llc llc: call sock_orphan() at release time 2024-02-23 08:25:04 +01:00
mac80211 wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc 2024-05-17 11:43:50 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-14 11:30:45 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:50:41 +01:00
ncsi net/ncsi: Fix netlink major/minor version numbers 2024-01-25 14:34:25 -08:00
netfilter ipvs: Fix checksumming on GSO of SCTP packets 2024-05-02 16:18:33 +02:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-01-25 14:34:23 -08:00
netlink netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter 2024-03-06 14:36:08 +00:00
netrom netrom: Fix data-races around sysctl_net_busy_read 2024-03-15 10:48:16 -04:00
nfc nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet 2024-04-13 12:51:33 +02:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-05-17 11:43:49 +02:00
openvswitch net: openvswitch: Fix Use-After-Free in ovs_ct_exit 2024-05-02 16:18:34 +02:00
packet packet: annotate data-races around ignore_outgoing 2024-03-26 18:22:25 -04:00
phonet phonet: fix rtm_phonet_notify() skb allocation 2024-05-17 11:43:54 +02:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:18:17 +01:00
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 10:08:12 +02:00
rds net/rds: fix possible cp null dereference 2024-04-13 12:51:33 +02:00
rfkill net: rfkill: gpio: set GPIO direction 2024-01-08 11:29:47 +01:00
rose net/rose: fix races in rose_kill_by_device() 2024-01-08 11:29:44 +01:00
rxrpc rxrpc: Fix response to PING RESPONSE ACKs to a dead call 2024-02-23 08:25:07 +01:00
sched net/sched: act_skbmod: prevent kernel-infoleak 2024-04-13 12:51:34 +02:00
sctp sctp: update hb timer immediately after users change hb_interval 2023-10-10 21:46:45 +02:00
smc net/smc: fix illegal rmb_desc access in SMC-D connection dump 2024-02-23 08:24:50 +01:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-17 09:48:48 +01:00
sunrpc sunrpc: add a struct rpc_stats arg to rpc_create_args 2024-05-17 11:43:48 +02:00
switchdev net: switchdev: do not propagate bridge updates across bridges 2021-10-27 09:54:24 +02:00
tipc tipc: fix UAF in error path 2024-05-17 11:43:55 +02:00
tls tls: stop recv() if initial process_rx_list gave us non-DATA 2024-03-01 13:13:37 +01:00
unix af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). 2024-05-02 16:18:35 +02:00
vmw_vsock virtio/vsock: fix logic which reduces credit update messages 2024-01-25 14:34:25 -08:00
wimax
wireless wifi: cfg80211: fix rdev_dump_mpp() arguments order 2024-05-17 11:43:50 +02:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-03-26 18:22:18 -04:00
xdp xsk: Honor SO_BINDTODEVICE on bind 2023-07-27 08:37:23 +02:00
xfrm xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:43:53 +02:00
compat.c net: Return the correct errno code 2021-06-18 09:59:00 +02:00
Kconfig Remove DECnet support from kernel 2023-06-21 15:44:10 +02:00
Makefile Remove DECnet support from kernel 2023-06-21 15:44:10 +02:00
socket.c net: Save and restore msg_namelen in sock_sendmsg 2024-01-15 18:25:26 +01:00
sysctl_net.c