linux-stable/net
Ziyang Xuan 632881680b can: bcm: fix UAF of bcm op
Stopping the tasklet and hrtimer relies on checking the active state of
the tasklet and hrtimer sequentially in bcm_remove_op(); the op object
will be freed if they are all inactive. Assume the hrtimer timeout is
short: the hrtimer cb has been executed after the tasklet conditional
judgment (which must be false after the last round of tasklet_kill())
and before the hrtimer_active() condition, so it is false when execution
reaches hrtimer_active(). The bug is triggered because the stopping
action has ended and the op object will be freed, but the tasklet is
scheduled. The resources of the op object will then hit a UAF bug.

Move hrtimer_cancel() behind tasklet_kill() and switch 'while () {...}'
to 'do {...} while ()' to fix the op UAF problem.

Fixes: a06393ed03 ("can: bcm: fix hrtimer/tasklet termination in bcm op removal")
Reported-by: syzbot+5ca851459ed04c778d1d@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-29 10:17:06 +01:00
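The interleaving the commit message describes, as an added single-threaded user-space model. This is not the kernel's bcm code and not the commit's diff: the sim_* stubs, the struct fields and the two loop shapes are this editor's reconstruction from the message, and the hrtimer expiry is injected deterministically at the point the message names (after the tasklet state check, before hrtimer_active()) instead of racing on a real CPU. Each function returns 1 if the tasklet ends up running against the already-freed op.

```c
/* Added example: deterministic model of the bcm_remove_op() teardown race.
 * Not kernel code. The primitives below only record state; the adversarial
 * timer expiry is injected at the window the commit message describes.
 */
#include <stdio.h>

struct sim_op {
    int timer_armed;     /* hrtimer queued, callback not yet run */
    int tasklet_sched;   /* tasklet scheduled but not yet run */
    int freed;           /* op "freed" by the teardown path */
    int ran_after_free;  /* tasklet observed a freed op: the UAF */
};

/* hrtimer callback in the model: hand the work to the tasklet. */
static void sim_timer_cb(struct sim_op *op)
{
    op->timer_armed = 0;
    op->tasklet_sched = 1;
}

static int sim_hrtimer_active(const struct sim_op *op)
{
    return op->timer_armed;
}

/* hrtimer_cancel(): once it returns, the timer can no longer fire. */
static void sim_hrtimer_cancel(struct sim_op *op)
{
    op->timer_armed = 0;
}

/* tasklet_kill(): waits for a scheduled tasklet to finish, then it is gone.
 * (The real bcm tasklet may re-arm the hrtimer; this model omits that.) */
static void sim_tasklet_kill(struct sim_op *op)
{
    op->tasklet_sched = 0;
}

static int sim_check_tasklet(const struct sim_op *op)
{
    return op->tasklet_sched;
}

/* The window between the two checks: if the timer is still armed here,
 * its callback runs now, exactly as the "short timeout" scenario assumes. */
static void sim_expiry_window(struct sim_op *op)
{
    if (op->timer_armed)
        sim_timer_cb(op);
}

/* Free the op, then let anything still scheduled run against it. */
static void sim_free_and_drain(struct sim_op *op)
{
    op->freed = 1;
    if (op->tasklet_sched) {
        op->tasklet_sched = 0;
        op->ran_after_free = op->freed;
    }
}

/* Pre-fix shape: 'while (cond) { hrtimer_cancel(); tasklet_kill(); }'.
 * The condition is read before anything is stopped, so the expiry can
 * land between the tasklet check and hrtimer_active(). */
int teardown_before_fix(void)
{
    struct sim_op op = { .timer_armed = 1 };

    for (;;) {
        int tasklet_busy = sim_check_tasklet(&op);
        sim_expiry_window(&op);
        if (!(tasklet_busy || sim_hrtimer_active(&op)))
            break;              /* both look idle: leave and free */
        sim_hrtimer_cancel(&op);
        sim_tasklet_kill(&op);
    }
    sim_free_and_drain(&op);
    return op.ran_after_free;   /* 1: tasklet ran on freed op */
}

/* Fixed shape: 'do { tasklet_kill(); hrtimer_cancel(); } while (cond)'.
 * Both are stopped at least once before the condition is read, so the
 * timer is already disarmed when the check window opens. */
int teardown_after_fix(void)
{
    struct sim_op op = { .timer_armed = 1 };
    int tasklet_busy;

    do {
        sim_tasklet_kill(&op);
        sim_hrtimer_cancel(&op);
        tasklet_busy = sim_check_tasklet(&op);
        sim_expiry_window(&op);
    } while (tasklet_busy || sim_hrtimer_active(&op));
    sim_free_and_drain(&op);
    return op.ran_after_free;   /* 0: nothing left to touch the op */
}

int main(void)
{
    printf("before fix: tasklet ran on freed op = %d\n", teardown_before_fix());
    printf("after fix:  tasklet ran on freed op = %d\n", teardown_after_fix());
    return 0;
}
```

The model only exercises the interleaving the message calls out; it does not model the tasklet re-arming the hrtimer, which is why the real code still needs the loop rather than a single kill/cancel pair.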
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:46:30 +01:00
9p 9p/trans_virtio: Remove sysfs file on probe failure 2021-09-26 13:37:28 +02:00
802 net/802/garp: fix memleak in garp_request_join() 2021-08-04 12:22:14 +02:00
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 13:58:58 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 12:47:02 +02:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:12:42 +02:00
ax25 ax25: NPD bug when detaching AX25 device 2021-12-29 12:17:36 +01:00
batman-adv batman-adv: Don't always reallocate the fragmentation skb head 2021-11-26 11:40:41 +01:00
bluetooth Bluetooth: Fix debugfs entry leak in hci_register_dev() 2022-01-27 09:00:53 +01:00
bpf bpf: fix panic due to oob in bpf_prog_test_run_skb 2021-12-22 09:17:58 +01:00
bridge netfilter: bridge: add support for pppoe filtering 2022-01-27 09:00:49 +01:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 11:45:33 +02:00
can can: bcm: fix UAF of bcm op 2022-01-29 10:17:06 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:07:03 +01:00
core netns: add schedule point in ops_exit_list() 2022-01-27 09:01:00 +01:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 15:48:46 +01:00
dccp dccp: don't duplicate ccid when cloning dccp sock 2021-09-22 11:45:33 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 11:12:18 +02:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-24 08:01:25 +02:00
dsa net: dsa: Fix duplicate frames flooded by learning 2020-04-02 16:34:24 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:17:59 +01:00
hsr hsr: use netdev_err() instead of WARN_ONCE() 2021-05-22 10:57:24 +02:00
ieee802154 net: Fix memory leak in ieee802154_raw_deliver 2021-08-26 08:37:02 -04:00
ife
ipv4 net: udp: fix alignment problem in udp4_seq_show() 2022-01-11 13:57:38 +01:00
ipv6 ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate 2022-01-11 13:57:38 +01:00
ipx
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:17:32 +01:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:37:45 +02:00
key af_key: relax availability checks for skb size calculation 2021-02-23 14:00:29 +01:00
l2tp net/l2tp: Fix reference count leak in l2tp_udp_recv_core 2021-09-22 11:45:33 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:12:08 +01:00
llc net: llc: fix skb_over_panic 2021-08-04 12:22:17 +02:00
mac80211 mac80211: allow non-standard VHT MCS-10/11 2022-01-27 09:00:56 +01:00
mac802154 net: mac802154: Fix general protection fault 2021-04-16 11:57:52 +02:00
mpls net: mpls: Fix notifications when deleting a device 2021-12-08 08:46:55 +01:00
ncsi net/ncsi: Avoid GFP_KERNEL in response handler 2021-04-16 11:57:51 +02:00
netfilter netfilter: fix regression in looped (broad|multi)cast's MAC handling 2021-12-29 12:17:33 +01:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-22 11:45:32 +02:00
netlink net: netlink: af_netlink: Prevent empty skb by adding a check on len. 2021-12-22 09:17:58 +01:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 11:12:18 +02:00
nfc nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() 2022-01-27 09:00:47 +01:00
nsh
openvswitch openvswitch: fix stack OOB read while fragmenting IPv4 packets 2021-05-22 10:57:21 +02:00
packet net/packet: rx_owner_map depends on pg_vec 2021-12-22 09:18:00 +01:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 13:57:37 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 15:38:15 +01:00
qrtr net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() 2021-03-30 14:40:12 +02:00
rds net/rds: correct socket tunable error in rds_tcp_tune() 2021-12-08 08:46:55 +01:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:11:57 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:17:32 +01:00
rxrpc rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-23 15:48:47 +01:00
sched net_sched: restore "mpu xxx" handling 2022-01-27 09:01:01 +01:00
sctp sctp: use call_rcu to free endpoint 2022-01-05 12:33:49 +01:00
smc net/smc: Keep smc_close_final rc during active close 2021-12-08 08:46:55 +01:00
strparser
sunrpc rpc: fix gss_svc_init cleanup on failure 2021-09-22 11:45:30 +02:00
switchdev
tipc tipc: increase timeout in tipc_sk_enqueue() 2021-09-22 11:45:33 +02:00
tls net/tls: Fixed return value when tls_complete_pending_work() fails 2018-12-05 19:41:11 +01:00
unix af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress 2022-01-27 09:01:00 +01:00
vmw_vsock vsock: prevent unnecessary refcnt inc for nonblocking connect 2021-11-26 11:40:36 +01:00
wimax
wireless cfg80211: call cfg80211_stop_ap when switch from P2P_GO type 2021-11-26 11:40:41 +01:00
x25 net/x25: Return the correct errno code 2021-06-30 08:48:47 -04:00
xfrm xfrm: Fix error reporting in xfrm_state_construct. 2021-07-20 16:17:44 +02:00
compat.c net: Return the correct errno code 2021-06-30 08:48:47 -04:00
Kconfig
Makefile net: split out functions related to registering inflight socket files 2021-08-04 12:22:14 +02:00
socket.c net: Set fput_needed iff FDPUT_FPUT is set 2020-08-21 09:48:14 +02:00
sysctl_net.c