| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 09 Sep 2011 09:58:29 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Tim Chen <tim.c.chen@...ux.intel.com>
Cc: sedat.dilek@...il.com, "Yan, Zheng" <zheng.z.yan@...el.com>,
"Yan, Zheng" <yanzheng@...n.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"davem@...emloft.net" <davem@...emloft.net>,
"sfr@...b.auug.org.au" <sfr@...b.auug.org.au>,
"jirislaby@...il.com" <jirislaby@...il.com>,
"Shi, Alex" <alex.shi@...el.com>,
Valdis Kletnieks <Valdis.Kletnieks@...edu>
Subject: [PATCH net-next] af_unix: fix use after free in
unix_stream_recvmsg()
Le vendredi 09 septembre 2011 à 08:51 +0200, Eric Dumazet a écrit :
> Now we have to fix a bug in unix_stream_recvmsg() as well.
>
> consume_skb() call actually releases pid/cred references, and we can use
> them after their eventual freeing.
>
> Keep also in mind that receiver can provides a too short user buffer,
> and skb can be put back to head of sk_receive_queue
>
Here is the patch to address this point.
Apply it after (af_unix: Fix use-after-free crashes)
I can make a combo patch once everybody agrees.
[PATCH net-next] af_unix: fix use after free in unix_stream_recvmsg()
Commit 0856a30409 (Scm: Remove unnecessary pid & credential references
in Unix socket's send and receive path) introduced an use-after-free
bug in unix_stream_recvmsg().
We should call consume_skb(skb) only after our possible use of pid/cred.
Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
---
net/unix/af_unix.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index c8a08ba..1bd4ecf 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1873,6 +1873,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
int target;
int err = 0;
long timeo;
+ struct sk_buff *skb;
err = -EINVAL;
if (sk->sk_state != TCP_ESTABLISHED)
@@ -1904,7 +1905,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
do {
int chunk;
- struct sk_buff *skb;
unix_state_lock(sk);
skb = skb_dequeue(&sk->sk_receive_queue);
@@ -1949,6 +1949,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
if ((UNIXCB(skb).pid != siocb->scm->pid) ||
(UNIXCB(skb).cred != siocb->scm->cred)) {
skb_queue_head(&sk->sk_receive_queue, skb);
+ skb = NULL;
break;
}
} else {
@@ -1967,6 +1968,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
chunk = min_t(unsigned int, skb->len, size);
if (memcpy_toiovec(msg->msg_iov, skb->data, chunk)) {
skb_queue_head(&sk->sk_receive_queue, skb);
+ skb = NULL;
if (copied == 0)
copied = -EFAULT;
break;
@@ -1984,13 +1986,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
/* put the skb back if we didn't use it up.. */
if (skb->len) {
skb_queue_head(&sk->sk_receive_queue, skb);
+ skb = NULL;
break;
}
- consume_skb(skb);
-
- if (siocb->scm->fp)
+ if (UNIXCB(skb).pid || siocb->scm->fp)
break;
+ consume_skb(skb);
+ skb = NULL;
} else {
/* It is questionable, see note in unix_dgram_recvmsg.
*/
@@ -1999,12 +2002,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
/* put message back and return */
skb_queue_head(&sk->sk_receive_queue, skb);
+ skb = NULL;
break;
}
} while (size);
mutex_unlock(&u->readlock);
scm_recv(sock, msg, siocb->scm, flags);
+ consume_skb(skb);
out:
return copied ? : err;
}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists