mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-28 07:13:34 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet 91820c10ea net/x25: reset state in x25_connect() 
[ Upstream commit ee74d0bd43 ]

In case x25_connect() fails and frees the socket neighbour,
we also need to undo the change done to x25->state.

Before my last bug fix, we had use-after-free so this
patch fixes a latent bug.

syzbot report :

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16137 Comm: syz-executor.1 Not tainted 5.0.0+ #117
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:x25_write_internal+0x1e8/0xdf0 net/x25/x25_subr.c:173
Code: 00 40 88 b5 e0 fe ff ff 0f 85 01 0b 00 00 48 8b 8b 80 04 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 79 1c 48 89 fe 48 c1 ee 03 <0f> b6 34 16 48 89 fa 83 e2 07 83 c2 03 40 38 f2 7c 09 40 84 f6 0f
RSP: 0018:ffff888076717a08 EFLAGS: 00010207
RAX: ffff88805f2f2292 RBX: ffff8880a0ae6000 RCX: 0000000000000000
kobject: 'loop5' (0000000018d0d0ee): kobject_uevent_env
RDX: dffffc0000000000 RSI: 0000000000000003 RDI: 000000000000001c
RBP: ffff888076717b40 R08: ffff8880950e0580 R09: ffffed100be5e46d
R10: ffffed100be5e46c R11: ffff88805f2f2363 R12: ffff888065579840
kobject: 'loop5' (0000000018d0d0ee): fill_kobj_path: path = '/devices/virtual/block/loop5'
R13: 1ffff1100ece2f47 R14: 0000000000000013 R15: 0000000000000013
FS:  00007fb88cf43700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9a42a41028 CR3: 0000000087a67000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 x25_release+0xd0/0x340 net/x25/af_x25.c:658
 __sock_release+0xd3/0x2b0 net/socket.c:579
 sock_close+0x1b/0x30 net/socket.c:1162
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
 get_signal+0x1961/0x1d50 kernel/signal.c:2388
 do_signal+0x87/0x1940 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb88cf42c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 0000000000457f29
RDX: 0000000000000012 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb88cf436d4
R13: 00000000004be462 R14: 00000000004cec98 R15: 00000000ffffffff
Modules linked in:

Fixes: 95d6ebd53c ("net/x25: fix use-after-free in x25_device_event()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: andrew hendry <andrew.hendry@gmail.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-19 13:13:22 +01:00
..
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-10-03 17:00:47 -07:00
9p 9p/net: put a lower bound on msize 2019-01-13 10:01:06 +01:00
802
8021q net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
appletalk
atm atm: Preserve value of skb->truesize when accounting to vcc 2018-07-22 14:28:43 +02:00
ax25 ax25: fix possible use-after-free 2019-02-23 09:06:44 +01:00
batman-adv batman-adv: fix uninit-value in batadv_interface_tx() 2019-02-27 10:08:06 +01:00
bluetooth Bluetooth: Fix locking in bt_accept_enqueue() for BH context 2019-03-13 14:03:10 -07:00
bpf
bridge netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present 2019-03-13 14:03:13 -07:00
caif net: caif: Add a missing rcu_read_unlock() in caif_flow_cb 2018-09-05 09:26:27 +02:00
can can: bcm: check timer values before ktime conversion 2019-01-31 08:13:46 +01:00
ceph libceph: handle an empty authorize reply 2019-02-27 10:08:01 +01:00
core gro_cells: make sure device is up in gro_cells_receive() 2019-03-19 13:13:21 +01:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:43:43 +02:00
dccp dccp: fool proof ccid_hc_[rt]x_parse_options() 2019-02-12 19:46:10 +01:00
decnet
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:28:49 +02:00
dsa net: dsa: slave: Don't propagate flag changes on down slave interfaces 2019-02-12 19:46:11 +01:00
ethernet
hsr net/hsr: fix possible crash in add_timer() 2019-03-19 13:13:22 +01:00
ieee802154 ieee802154: lowpan_header_create check must check daddr 2019-01-09 17:14:43 +01:00
ife
ipv4 ipv4/route: fail early when inet dev is missing 2019-03-19 13:13:22 +01:00
ipv6 net: sit: fix UBSAN Undefined behaviour in check_6rd 2019-03-19 13:13:22 +01:00
ipx
iucv
kcm kcm: Fix use-after-free caused by clonned sockets 2018-06-11 22:49:19 +02:00
key af_key: Always verify length of provided sadb_key 2018-06-16 09:45:14 +02:00
l2tp l2tp: fix infoleak in l2tp_ip6_recvmsg() 2019-03-19 13:13:22 +01:00
l3mdev
lapb
llc llc: do not use sk_eat_skb() 2018-12-01 09:42:51 +01:00
mac80211 mac80211: Add attribute aligned(2) to struct 'action' 2019-03-05 17:58:02 +01:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 19:55:52 +02:00
mpls mpls: Return error for RTA_GATEWAY attribute 2019-03-13 14:03:09 -07:00
ncsi
netfilter netfilter: nf_nat: skip nat clash resolution for same-origin entries 2019-03-13 14:03:21 -07:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-03-13 14:03:08 -07:00
netlink netlink: Don't shift on 64 for ngroups 2018-08-09 12:16:38 +02:00
netrom netrom: switch to sock timer API 2019-02-06 17:31:32 +01:00
nfc net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails 2019-03-13 14:03:08 -07:00
nsh nsh: set mac len based on inner packet 2018-07-22 14:28:49 +02:00
openvswitch openvswitch: Avoid OOB read when parsing flow nlattrs 2019-01-31 08:13:41 +01:00
packet net/packet: fix 4gb buffer limit due to overflow check 2019-02-27 10:08:06 +01:00
phonet
psample
qrtr net: qrtr: Broadcast messages only from control port 2018-08-24 13:09:13 +02:00
rds rds: fix refcount bug in rds_sock_addref 2019-02-12 19:46:10 +01:00
rfkill
rose net/rose: fix NULL ax25_cb kernel panic 2019-02-06 17:31:32 +01:00
rxrpc rxrpc: bad unlock balance in rxrpc_recvmsg 2019-02-12 19:46:10 +01:00
sched net: netem: fix skb length BUG_ON in __skb_to_sgvec 2019-03-13 14:03:08 -07:00
sctp inet_diag: fix reporting cgroup classid and fallback to priority 2019-02-27 10:08:07 +01:00
smc net/smc: fix TCP fallback socket release 2019-01-09 17:14:46 +01:00
strparser strparser: Remove early eaten to fix full tcp receive buffer stall 2018-07-22 14:28:47 +02:00
sunrpc sunrpc: fix 4 more call sites that were using stack memory with a scatterlist 2019-02-23 09:06:43 +01:00
switchdev
tipc tipc: fix RDM/DGRAM connect() regression 2019-03-13 14:03:07 -07:00
tls net/tls: Fixed return value when tls_complete_pending_work() fails 2018-12-05 19:41:11 +01:00
unix
vmw_vsock vsock/virtio: reset connected sockets on device removal 2019-03-13 14:03:21 -07:00
wimax
wireless cfg80211: extend range deviation for DMG 2019-03-05 17:58:02 +01:00
x25 net/x25: reset state in x25_connect() 2019-03-19 13:13:22 +01:00
xfrm xfrm: refine validation of template and selector families 2019-02-15 08:09:13 +01:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 17:14:46 +01:00
Kconfig
Makefile
socket.c net: socket: set sock->sk to NULL after calling proto_ops::release() 2019-03-13 14:03:09 -07:00
sysctl_net.c