linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-22 17:01:14 +00:00

No description

Find a file

Duoming Zhou c44a453ffe ax25: Fix refcount leaks caused by ax25_cb_del() commit `9fd75b66b8` upstream. The previous commit `d01ffb9eee` ("ax25: add refcount in ax25_dev to avoid UAF bugs") and commit `feef318c85` ("ax25: fix UAF bugs of net_device caused by rebinding operation") increase the refcounts of ax25_dev and net_device in ax25_bind() and decrease the matching refcounts in ax25_kill_by_device() in order to prevent UAF bugs, but there are reference count leaks. The root cause of refcount leaks is shown below: (Thread 1) \| (Thread 2) ax25_bind() \| ... \| ax25_addr_ax25dev() \| ax25_dev_hold() //(1) \| ... \| dev_hold_track() //(2) \| ... \| ax25_destroy_socket() \| ax25_cb_del() \| ... \| hlist_del_init() //(3) \| \| (Thread 3) \| ax25_kill_by_device() \| ... \| ax25_for_each(s, &ax25_list) { \| if (s->ax25_dev == ax25_dev) //(4) \| ... \| Firstly, we use ax25_bind() to increase the refcount of ax25_dev in position (1) and increase the refcount of net_device in position (2). Then, we use ax25_cb_del() invoked by ax25_destroy_socket() to delete ax25_cb in hlist in position (3) before calling ax25_kill_by_device(). Finally, the decrements of refcounts in ax25_kill_by_device() will not be executed, because no s->ax25_dev equals to ax25_dev in position (4). This patch adds decrements of refcounts in ax25_release() and use lock_sock() to do synchronization. If refcounts decrease in ax25_release(), the decrements of refcounts in ax25_kill_by_device() will not be executed and vice versa. Fixes: `d01ffb9eee` ("ax25: add refcount in ax25_dev to avoid UAF bugs") Fixes: `87563a043c` ("ax25: fix reference count leaks of ax25_dev") Fixes: `feef318c85` ("ax25: fix UAF bugs of net_device caused by rebinding operation") Reported-by: Thomas Osterried <thomas@osterried.de> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net> [OP: backport to 4.14: adjust dev_put_track()->dev_put()] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2022-04-27 13:15:32 +02:00
arch	ARC: entry: fix syscall_trace_exit argument	2022-04-27 13:15:31 +02:00
block	block/compat_ioctl: fix range check in BLKGETSIZE	2022-04-27 13:15:31 +02:00
certs	certs: Trigger creation of RSA module signing key if it's not an RSA key	2021-09-22 11:45:19 +02:00
crypto	crypto: authenc - Fix sleep in atomic context in decrypt_tail	2022-04-20 09:08:12 +02:00
Documentation	Documentation: update stable tree link	2022-04-20 09:08:09 +02:00
drivers	staging: ion: Prevent incorrect reference counting behavour	2022-04-27 13:15:31 +02:00
firmware	Fix built-in early-load Intel microcode alignment	2020-01-23 08:20:30 +01:00
fs	ext4: force overhead calculation if the s_overhead_cluster makes no sense	2022-04-27 13:15:31 +02:00
include	ax25: fix reference count leaks of ax25_dev	2022-04-27 13:15:32 +02:00
init	init/main.c: return 1 from handled __setup() functions	2022-04-20 09:08:28 +02:00
ipc	ipc: WARN if trying to remove ipc object which is absent	2021-12-08 08:46:53 +01:00
kernel	tracing: Dump stacktrace trigger to the corresponding instance	2022-04-27 13:15:29 +02:00
lib	lib/test: use after free in register_test_dev_kmod()	2022-04-20 09:08:21 +02:00
mm	mm: page_alloc: fix building error on -Werror=array-compare	2022-04-27 13:15:29 +02:00
net	ax25: Fix refcount leaks caused by ax25_cb_del()	2022-04-27 13:15:32 +02:00
samples	samples/kretprobes: Fix return value if register_kretprobe() failed	2021-11-26 11:40:31 +01:00
scripts	gcc-plugins: latent_entropy: use /dev/urandom	2022-04-20 09:08:32 +02:00
security	Fix incorrect type in assignment of ipv6 port for audit	2022-04-20 09:08:21 +02:00
sound	ASoC: soc-dapm: fix two incorrect uses of list iterator	2022-04-27 13:15:31 +02:00
tools	tools build: Use $(shell ) instead of `` to get embedded libperl's ccopts	2022-04-20 09:08:30 +02:00
usr	initramfs: restore default compression behavior	2020-04-13 10:34:19 +02:00
virt	KVM: Prevent module exit until all VMs are freed	2022-04-20 09:08:24 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	kbuild: rpm-pkg: keep spec file until make mrproper	2018-02-13 10:19:46 +01:00
.mailmap	.mailmap: Add Maciej W. Rozycki's Imagination e-mail address	2017-11-10 12:16:15 -08:00
COPYING
CREDITS	MAINTAINERS: update TPM driver infrastructure changes	2017-11-09 17:58:40 -08:00
Kbuild	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
Kconfig	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
MAINTAINERS	MAINTAINERS: Update drm/i915 bug filing URL	2020-02-28 16:36:12 +01:00
Makefile	Linux 4.14.276	2022-04-20 09:08:33 +02:00
README	README: add a new README file, pointing to the Documentation/	2016-10-24 08:12:35 -02:00

README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.