From patchwork Fri Nov 18 21:45:00 2022
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13048818
X-Patchwork-Delegate: kuba@kernel.org
From: Xin Long
To: network dev, tipc-discussion@lists.sourceforge.net
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Jon Maloy, Ying Xue, Wei Chen
Subject: [PATCH net 1/2] tipc: set con sock in tipc_conn_alloc
Date: Fri, 18 Nov 2022 16:45:00 -0500
X-Mailer: git-send-email 2.31.1
X-Mailing-List: netdev@vger.kernel.org

A crash was reported by Wei Chen:

  BUG: kernel NULL pointer dereference, address: 0000000000000018
  RIP: 0010:tipc_conn_close+0x12/0x100
  Call Trace:
   tipc_topsrv_exit_net+0x139/0x320
   ops_exit_list.isra.9+0x49/0x80
   cleanup_net+0x31a/0x540
   process_one_work+0x3fa/0x9f0
   worker_thread+0x42/0x5c0

It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(),
con is allocated in conn_idr, then its sock is set:

  con = tipc_conn_alloc();
  ...                         <----[1]
  con->sock = newsock;

If tipc_conn_close() is called at any time in [1], the null-pointer-deref is
triggered by con->sock->sk because con->sock is not yet set.

This patch fixes it by moving the con->sock setting to tipc_conn_alloc()
under s->idr_lock, so that con->sock can never be NULL when getting the con
from s->conn_idr.

It will also be safer to move the con->server and CF_CONNECTED flag setting
under s->idr_lock, as they should all be set before tipc_conn_alloc() is
called.

Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
Reported-by: Wei Chen
Signed-off-by: Xin Long
---
net/tipc/topsrv.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index d92ec92f0b71..b0f9aa521670 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -176,7 +176,7 @@ static void tipc_conn_close(struct tipc_conn *con) conn_put(con); } -static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) +static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock) { struct tipc_conn *con; int ret; @@ -202,10 +202,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) } con->conid = ret; s->idr_in_use++; - spin_unlock_bh(&s->idr_lock); set_bit(CF_CONNECTED, &con->flags); con->server = s; + con->sock = sock; + spin_unlock_bh(&s->idr_lock); return con; } @@ -467,7 +468,7 @@ static void tipc_topsrv_accept(struct work_struct *work) ret = kernel_accept(lsock, &newsock, O_NONBLOCK); if (ret < 0) return; - con = tipc_conn_alloc(srv); + con = tipc_conn_alloc(srv, newsock); if (IS_ERR(con)) { ret = PTR_ERR(con); sock_release(newsock); @@ -479,7 +480,6 @@ static void tipc_topsrv_accept(struct work_struct *work) newsk->sk_data_ready = tipc_conn_data_ready; newsk->sk_write_space = tipc_conn_write_space; newsk->sk_user_data = con; - con->sock = newsock; write_unlock_bh(&newsk->sk_callback_lock); /* Wake up receive process in case of 'SYN+' message */ 
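Review bot: the new sock parameter in the @@ -176 hunk may legitimately be NULL (tipc_topsrv_kern_subscr() passes NULL in the @@ -577 hunk), but nothing at tipc_conn_alloc() says so; a one-line comment above the function, e.g. `/* @sock is NULL for kernel-internal subscribers */`, would stop the next reader from assuming every conn_idr entry owns a socket.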
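Review bot: the @@ -202 hunk makes the commit message's claim ("con->sock can never be NULL when getting the con from s->conn_idr") only partly true: the store now happens before idr_lock is released, but the value stored is whatever the caller passed, and tipc_topsrv_kern_subscr() passes NULL. If tipc_conn_close() can reach such an entry (for instance from the tipc_topsrv_exit_net() path in the reported trace), con->sock->sk faults exactly as before; please either confirm that kernel subscribers are always removed before that path runs, or guard that dereference. Moving set_bit(CF_CONNECTED, &con->flags) and con->server = s under the lock is fine and makes the entry fully initialised at publication.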
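Review bot: with newsock handed to tipc_conn_alloc() in the @@ -467 hunk, the conn becomes reachable through conn_idr with a usable socket before the sk_callback_lock block in the @@ -479 hunk has installed sk_user_data and the callbacks, so a concurrent tipc_conn_close() can now run to completion and drop the idr's reference while tipc_topsrv_accept() is still using con. Patch 2/2 adds the reference that closes that window, so 1/2 should not be applied on its own; both carry the same Fixes tag so a stable backport will pick up both, but a sentence in this commit message saying that 2/2 is required would help anyone cherry-picking.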
@@ -577,12 +577,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, sub.filter = filter; *(u64 *)&sub.usr_handle = (u64)port; - con = tipc_conn_alloc(tipc_topsrv(net)); + con = tipc_conn_alloc(tipc_topsrv(net), NULL); if (IS_ERR(con)) return false; *conid = con->conid; - con->sock = NULL; rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); if (rc >= 0) return true;

From patchwork Fri Nov 18 21:45:01 2022
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13048819
X-Patchwork-Delegate: kuba@kernel.org
From: Xin Long
To: network dev, tipc-discussion@lists.sourceforge.net
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Jon Maloy, Ying Xue, Wei Chen
Subject: [PATCH net 2/2] tipc: add an extra conn_get in tipc_conn_alloc
Date: Fri, 18 Nov 2022 16:45:01 -0500
Message-Id: <4e6c7e150d7268df5a166bbe19e14770bb70253d.1668807842.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.31.1
X-Mailing-List: netdev@vger.kernel.org

One extra conn_get() is needed in tipc_conn_alloc(), as after tipc_conn_alloc()
is called, tipc_conn_close() may free this con before dereferencing it in
tipc_topsrv_accept():

  tipc_conn_alloc();
  newsk = newsock->sk;
                                  <---- tipc_conn_close();
  write_lock_bh(&sk->sk_callback_lock);
  newsk->sk_data_ready = tipc_conn_data_ready;

Then a UAF issue can be triggered:

  BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc]
  Call Trace:
   dump_stack_lvl+0x33/0x46
   print_report+0x178/0x4b0
   kasan_report+0x8c/0x100
   kasan_check_range+0x179/0x1e0
   tipc_topsrv_accept+0x1e7/0x370 [tipc]
   process_one_work+0x6a3/0x1030
   worker_thread+0x8a/0xdf0

This patch fixes it by holding it in tipc_conn_alloc(), then releasing it after
all the accesses in tipc_topsrv_accept().

Note that when doing this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub()
returns 0 or -1 only, we don't need to check for "> 0".

Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
Signed-off-by: Xin Long
---
net/tipc/topsrv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index b0f9aa521670..e3b427a70398 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -206,6 +206,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s set_bit(CF_CONNECTED, &con->flags); con->server = s; con->sock = sock; + conn_get(con); spin_unlock_bh(&s->idr_lock); return con;
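Review bot: the conn_get() in the @@ -206 hunk changes the contract of tipc_conn_alloc(): the returned con now carries a reference of its own, on top of the one conn_idr holds, and every caller must drop it with conn_put(). Nothing at the function or at the call sites says so; a comment next to the conn_get() such as `/* extra ref for the caller, dropped with conn_put() when done */` would make the pairing with the conn_put()s in tipc_topsrv_accept() and tipc_topsrv_kern_subscr() easy to audit.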
@@ -484,6 +485,7 @@ static void tipc_topsrv_accept(struct work_struct *work) /* Wake up receive process in case of 'SYN+' message */ newsk->sk_data_ready(newsk); + conn_put(con); } } @@ -583,10 +585,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, *conid = con->conid; rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); - if (rc >= 0) - return true; + if (rc) + conn_put(con); + conn_put(con); - return false; + return !rc; } void tipc_topsrv_kern_unsubscr(struct net *net, int conid)
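Review bot: the conn_put(con) added in the @@ -484 hunk is the only exit from the successful accept path, and the earlier returns (the kernel_accept() failure and the IS_ERR(con) branch) correctly need no put because tipc_conn_alloc() has not returned a con there; a brief comment on this put, tying it to the conn_get() in tipc_conn_alloc(), would keep that invariant visible when someone later adds an early return after the allocation.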
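Review bot: on the failure path of the @@ -583 hunk conn_put(con) is now called twice in a row, once for the reference taken in tipc_conn_alloc() and once for the one conn_idr holds, so that a conn whose subscription never got installed is fully torn down; that is correct but reads like a duplicated line. Please add a comment to the conditional put (e.g. `/* no subscription installed: drop the idr's reference as well */`) so it is not "fixed" away later. Note also that `if (rc)` treats a positive return as failure where the old `rc >= 0` treated it as success; the commit message covers this because tipc_conn_rcv_sub() returns 0 or -1 only, but if that ever changes the caller would be told the subscription failed although it was installed.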
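The race described in the two commit messages, as an added single-threaded model in C; this is example code written for this page, not code from the kernel or from either patch. It publishes a refcounted conn in a table before attaching its socket, then runs a close from the table at the point marked [1] in the 1/2 message, and compares three variants: the unpatched ordering, patch 1/2 alone, and both patches. The names conn, conn_table, accept_one, close_all and fix_level are hypothetical stand-ins for the kernel objects they mimic.

```c
/* Added example, not kernel code: a single-threaded model of the
 * tipc_topsrv_accept() / tipc_conn_close() race this series fixes. conn,
 * conn_table, accept_one, close_all and fix_level are hypothetical stand-ins;
 * instead of a second CPU, close_all() runs at point [1] of the 1/2 message. */
#include <stdio.h>

#define MAX_CONN 8
enum fix_level { ORIGINAL = 0, SOCK_IN_ALLOC = 1, SOCK_AND_EXTRA_REF = 2 };

struct sock { void *user_data; }; struct conn_table;
struct conn {
    int refs, connected, dead;  /* kref, CF_CONNECTED, and a kfree() marker */
    struct sock *sock;          /* NULL until attached */
    struct conn_table *srv;
};
struct conn_table {
    struct conn *idr[MAX_CONN]; /* models conn_idr: the reachable conns */
    struct conn objs[MAX_CONN]; /* backing storage instead of kmalloc() */
    int allocated;
};

/* Last reference dropped: unlink from the table, then "free" (dead = 1). */
static void conn_release(struct conn *c)
{
    for (int i = 0; i < MAX_CONN; i++)
        if (c->srv->idr[i] == c)
            c->srv->idr[i] = NULL;
    c->dead = 1;
}
static void conn_get(struct conn *c) { c->refs++; }
static void conn_put(struct conn *c) { if (--c->refs == 0) conn_release(c); }

/* Models tipc_conn_close(); -1 where the kernel faults on con->sock->sk. */
static int conn_close(struct conn *c)
{
    if (!c->sock)
        return -1;
    if (c->connected) {
        c->connected = 0;
        c->sock->user_data = NULL;
        conn_put(c);            /* the table's reference */
    }
    return 0;
}

/* Models tipc_topsrv_stop(): close every reachable entry; counts sock-less ones. */
static int close_all(struct conn_table *t)
{
    int no_sock = 0;
    for (int i = 0; i < MAX_CONN; i++)
        if (t->idr[i] && conn_close(t->idr[i]) < 0)
            no_sock++;
    return no_sock;
}

/* Models tipc_conn_alloc() at each fix level. */
static struct conn *conn_alloc(struct conn_table *t, struct sock *sock, enum fix_level fix)
{
    if (t->allocated == MAX_CONN)
        return NULL;
    struct conn *c = &t->objs[t->allocated++];
    *c = (struct conn){ .refs = 1, .srv = t };  /* refs: the table's reference */
    for (int i = 0; i < MAX_CONN; i++)          /* idr_alloc(): reachable from here */
        if (!t->idr[i]) { t->idr[i] = c; break; }
    c->connected = 1;
    if (fix >= SOCK_IN_ALLOC)
        c->sock = sock;         /* 1/2: attached before the entry can be found */
    if (fix >= SOCK_AND_EXTRA_REF)
        conn_get(c);            /* 2/2: the caller's own reference */
    return c;
}

/* Models tipc_topsrv_accept() with a close racing at [1]. 0: clean accept;
 * -1: the close found con->sock NULL (1/2's oops); -2: a released conn was used. */
static int accept_one(struct conn_table *t, struct sock *newsk, enum fix_level fix)
{
    struct conn *c = conn_alloc(t, newsk, fix);
    if (!c)
        return -3;
    if (close_all(t) > 0)       /* [1]: tipc_conn_close() on another CPU */
        return -1;
    if (c->dead)                /* sk callbacks would go into freed memory */
        return -2;
    newsk->user_data = c;       /* newsk->sk_user_data = con */
    if (fix == ORIGINAL)
        c->sock = newsk;        /* the late assignment the series removes */
    if (fix >= SOCK_AND_EXTRA_REF)
        conn_put(c);            /* done with our reference */
    return 0;
}

static int run_scenario(enum fix_level fix)
{
    struct conn_table t = {0};
    struct sock sk = {0};
    return accept_one(&t, &sk, fix);
}

int main(void)
{
    printf("unpatched %d, 1/2 only %d, 1/2+2/2 %d\n", run_scenario(ORIGINAL),
           run_scenario(SOCK_IN_ALLOC), run_scenario(SOCK_AND_EXTRA_REF));
    return 0;
}
```

run_scenario(ORIGINAL) returns -1 (the close in the window would dereference a NULL sock), run_scenario(SOCK_IN_ALLOC) returns -2 (the close now succeeds and drops the table's only reference, so accept goes on to use a released conn, which is the UAF 2/2 reports), and run_scenario(SOCK_AND_EXTRA_REF) returns 0. The model is deterministic because the "other CPU" is a function call at the window, which is what makes the refcount argument easy to check: with the caller holding its own reference, a close in the window can only disconnect the conn, never release it.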