mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-12 13:55:32 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/tipc
History
Hoang Le 77d5ad4048 tipc: fix use-after-free in tipc_sk_filter_rcv 
skb free-ed in:
  1/ condition 1: tipc_sk_filter_rcv -> tipc_sk_proto_rcv
  2/ condition 2: tipc_sk_filter_rcv -> tipc_group_filter_msg
This leads to a "use-after-free" access in the next condition.

We fix this by intializing the variable at declaration, then it is safe
to check this variable to continue processing if condition matches.

syzbot report:

==================================================================
BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
 net/tipc/socket.c:2167
Read of size 4 at addr ffff88808ea58534 by task kworker/u4:0/7

CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0+ #61
Hardware name: Google Google Compute Engine/Google Compute Engine,
 BIOS Google 01/01/2011
Workqueue: tipc_send tipc_conn_send_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 tipc_sk_filter_rcv+0x2166/0x34f0 net/tipc/socket.c:2167
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xc45/0x25a0 net/tipc/socket.c:2305
 tipc_topsrv_kern_evt+0x3b7/0x580 net/tipc/topsrv.c:610
 tipc_conn_send_to_sock+0x43e/0x5f0 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x65/0x80 net/tipc/topsrv.c:303
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x357/0x430 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Reported-by: syzbot+e863893591cc7a622e40@syzkaller.appspotmail.com
Fixes: c55c8eda ("tipc: smooth change between replicast and broadcast")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-21 09:56:55 -07:00
..
addr.c tipc: handle collisions of 32-bit node address hash values 2018-03-23 13:12:18 -04:00
addr.h tipc: add 128-bit node identifier 2018-03-23 13:12:18 -04:00
bcast.c tipc: smooth change between replicast and broadcast 2019-03-19 13:56:17 -07:00
bcast.h tipc: smooth change between replicast and broadcast 2019-03-19 13:56:17 -07:00
bearer.c tipc: fix a double free in tipc_enable_bearer() 2018-12-27 16:16:17 -08:00
bearer.h tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
core.c tipc: introduce new capability flag for cluster 2019-03-19 13:56:17 -07:00
core.h tipc: introduce new capability flag for cluster 2019-03-19 13:56:17 -07:00
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
discover.h tipc: some cleanups in the file discover.c 2018-03-23 13:12:17 -04:00
eth_media.c
group.c net: tipc: fix a missing check of nla_nest_start 2019-03-16 12:09:05 -07:00
group.h tipc: extend sock diag for group communication 2018-06-30 21:05:42 +09:00
ib_media.c
Kconfig tipc: implement socket diagnostics for AF_TIPC 2018-03-22 14:43:35 -04:00
link.c tipc: support broadcast/replicast configurable for bc-link 2019-03-19 13:56:17 -07:00
link.h tipc: add trace_events for tipc link 2018-12-19 11:49:24 -08:00
Makefile tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
monitor.c tipc: make some functions static 2018-07-21 16:23:22 -07:00
monitor.h
msg.c tipc: buffer overflow handling in listener socket 2018-09-29 11:24:22 -07:00
msg.h tipc: smooth change between replicast and broadcast 2019-03-19 13:56:17 -07:00
name_distr.c tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
name_distr.h tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_table.c tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
name_table.h tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
net.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
net.h tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
netlink.c tipc: support broadcast/replicast configurable for bc-link 2019-03-19 13:56:17 -07:00
netlink.h
netlink_compat.c tipc: fix uninit-value in tipc_nl_compat_doit 2019-01-15 20:29:21 -08:00
node.c tipc: introduce new capability flag for cluster 2019-03-19 13:56:17 -07:00
node.h tipc: introduce new capability flag for cluster 2019-03-19 13:56:17 -07:00
socket.c tipc: fix use-after-free in tipc_sk_filter_rcv 2019-03-21 09:56:55 -07:00
socket.h tipc: add trace_events for tipc socket 2018-12-19 11:49:24 -08:00
subscr.c tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
subscr.h tipc: replace name table service range array with rb tree 2018-03-31 22:19:52 -04:00
sysctl.c tipc: add trace_events for tipc socket 2018-12-19 11:49:24 -08:00
topsrv.c tipc: remove dead code in struct tipc_topsrv 2019-01-24 22:31:23 -08:00
topsrv.h tipc: rename tipc_server to tipc_topsrv 2018-02-16 15:26:34 -05:00
trace.c tipc: remove unneeded semicolon in trace.c 2019-01-17 22:04:43 -08:00
trace.h tipc: add trace_events for tipc bearer 2018-12-19 11:49:25 -08:00
udp_media.c tipc: compare remote and local protocols in tipc_udp_enable() 2018-12-14 13:28:03 -08:00
udp_media.h tipc: implement configuration of UDP media MTU 2018-04-20 11:04:05 -04:00