lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9295c052-a9e2-619c-eb40-87b592e2c08d@huawei.com>
Date:   Fri, 5 Mar 2021 11:24:55 +0800
From:   Xiaoming Ni <nixiaoming@...wei.com>
To:     kiyin(尹亮) <kiyin@...cent.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "sameo@...ux.intel.com" <sameo@...ux.intel.com>,
        "linville@...driver.com" <linville@...driver.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "mkl@...gutronix.de" <mkl@...gutronix.de>,
        "stefan@...enfreihafen.org" <stefan@...enfreihafen.org>,
        "matthieu.baerts@...sares.net" <matthieu.baerts@...sares.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     "wangle6@...wei.com" <wangle6@...wei.com>,
        "xiaoqian9@...wei.com" <xiaoqian9@...wei.com>
Subject: Re: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
 llcp_sock_connect()(Internet mail)

On 2021/3/3 17:28, kiyin(尹亮) wrote:
> Hi xiaoming,
>    the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
>    if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...

I didn't find the code to modify sk->sk_state after a connect failure. 
Can you provide guidance?

Based on my understanding of the current code:
After llcp_sock_connect() is invoked using the meaningless service_name 
as the parameter, sk->sk_state is set to LLCP_CONNECTING. After that, no 
corresponding service responds to the request because the service_name 
is meaningless, the value of sk->sk_state remains unchanged.
Therefore, when llcp_sock_connect() is invoked again, resources such as 
llcp_sock->service_name are not repeatedly applied because sk_state is 
set to LLCP_CONNECTING.

In this way, the repeated invoking of llcp_sock_connect() does not 
repeatedly leak resources.

Thanks
Xiaoming Ni


> 
>> -----Original Message-----
>> From: Xiaoming Ni [mailto:nixiaoming@...wei.com]
>> Sent: Wednesday, March 3, 2021 2:17 PM
>> To: linux-kernel@...r.kernel.org; kiyin(尹亮) <kiyin@...cent.com>;
>> stable@...r.kernel.org; gregkh@...uxfoundation.org; sameo@...ux.intel.com;
>> linville@...driver.com; davem@...emloft.net; kuba@...nel.org;
>> mkl@...gutronix.de; stefan@...enfreihafen.org;
>> matthieu.baerts@...sares.net; netdev@...r.kernel.org
>> Cc: nixiaoming@...wei.com; wangle6@...wei.com; xiaoqian9@...wei.com
>> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
>> llcp_sock_connect()(Internet mail)
>>
>> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
>> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
>>   nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
>>   sk->sk_node->next will point to itself, that will make an endless loop  and
>> hang-up the system.
>> To fix it, check whether sk->sk_state is LLCP_CONNECTING in
>>   llcp_sock_connect() to avoid repeated invoking.
>>
>> fix CVE-2020-25673
>> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
>> Reported-by: "kiyin(尹亮)" <kiyin@...cent.com>
>> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
>> Cc: <stable@...r.kernel.org> #v3.11
>> Signed-off-by: Xiaoming Ni <nixiaoming@...wei.com>
>> ---
>>   net/nfc/llcp_sock.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
>> 59172614b249..a3b46f888803 100644
>> --- a/net/nfc/llcp_sock.c
>> +++ b/net/nfc/llcp_sock.c
>> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
>> struct sockaddr *_addr,
>>   		ret = -EISCONN;
>>   		goto error;
>>   	}
>> +	if (sk->sk_state == LLCP_CONNECTING) {
>> +		ret = -EINPROGRESS;
>> +		goto error;
>> +	}
>>
>>   	dev = nfc_get_device(addr->dev_idx);
>>   	if (dev == NULL) {
>> --
>> 2.27.0
>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ