lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0000000000002de46e0609b915a0@google.com>
Date:   Thu, 09 Nov 2023 06:33:09 -0800
From:   syzbot <syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com>
To:     linux-kernel@...r.kernel.org
Subject: Re: [syzbot] [PATCH] Test for aea6bf908d73

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@...com

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73


>From d6bab181339771591ed9519dced29a8eb20ddadc Mon Sep 17 00:00:00 2001
From: Lizhi Xu <lizhi.xu@...driver.com>
Date: Thu, 9 Nov 2023 21:31:26 +0800
Subject: [PATCH] nfc/nci: fix uaf in nfc_alloc_send_skb

After releasing the nfc/nci device, nfc_llcp_sock->local should be set to null
to avoid referencing expired devices.

Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
---
 net/nfc/llcp_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..024cbba26fc8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -102,6 +102,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
 				accept_sk->sk_state_change(sk);
 
 				bh_unlock_sock(accept_sk);
+				lsk->local = NULL;
 			}
 		}
 
@@ -113,6 +114,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
 		bh_unlock_sock(sk);
 
 		sk_del_node_init(sk);
+		llcp_sock->local = NULL;
 	}
 
 	write_unlock(&local->sockets.lock);
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ