| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0c35dd80-8062-4f1b-9127-8a5cb2deca40@linaro.org>
Date: Mon, 27 Nov 2023 11:38:16 +0100
From: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To: Siddh Raman Pant <code@...dh.me>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Subject: Re: [PATCH 2/4] nfc: Protect access to nfc_dev in an llcp_sock with a
rwlock
On 25/11/2023 21:26, Siddh Raman Pant wrote:
> llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame(), which accesses the
> nfc_dev from the llcp_sock for getting the headroom and tailroom needed
> for skb allocation.
This path should have reference to nfc device: nfc_get_device(). Why is
this not sufficient?
>
> Parallely, the nfc_dev can be freed via the nfc_unregister_device()
> codepath (nfc_release() being called due to the class unregister in
> nfc_exit()), leading to the UAF reported by Syzkaller.
>
> We have the following call tree before freeing:
>
> nfc_unregister_device()
> -> nfc_llcp_unregister_device()
> -> local_cleanup()
> -> nfc_llcp_socket_release()
>
> nfc_llcp_socket_release() sets the state of sockets to LLCP_CLOSED,
> and this is encountered necessarily before any freeing of nfc_dev.
Sorry, I don't understand. What is encountered before freeing?
>
> Thus, add a rwlock in struct llcp_sock to synchronize access to
> nfc_dev. nfc_dev in an llcp_sock will be NULLed in a write critical
> section when socket state has been set to closed. Thus, we can avoid
> the UAF by bailing out from a read critical section upon seeing NULL.
>
> Since this is repeated multiple times in nfc_llcp_socket_release(),
> extract the behaviour into a new function.
>
> Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
> Signed-off-by: Siddh Raman Pant <code@...dh.me>
> ---
> net/nfc/llcp.h | 1 +
> net/nfc/llcp_commands.c | 27 ++++++++++++++++++++++++---
> net/nfc/llcp_core.c | 31 +++++++++++++++++++------------
> net/nfc/llcp_sock.c | 2 ++
> 4 files changed, 46 insertions(+), 15 deletions(-)
>
> diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
> index d8345ed57c95..800cbe8e3d6b 100644
> --- a/net/nfc/llcp.h
> +++ b/net/nfc/llcp.h
> @@ -102,6 +102,7 @@ struct nfc_llcp_local {
> struct nfc_llcp_sock {
> struct sock sk;
> struct nfc_dev *dev;
> + rwlock_t rw_dev_lock;
I dislike the idea of introducing the third (!!!) lock here. It looks
like a bandaid for this one particular problem.
> struct nfc_llcp_local *local;
> u32 target_idx;
> u32 nfc_protocol;
> diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
> index 39c7c59bbf66..b132830bc206 100644
> --- a/net/nfc/llcp_commands.c
> +++ b/net/nfc/llcp_commands.c
> @@ -315,13 +315,24 @@ static struct sk_buff *llcp_allocate_pdu(struct nfc_llcp_sock *sock,
> {
> struct sk_buff *skb;
> int err, headroom, tailroom;
> + unsigned long irq_flags;
>
> if (sock->ssap == 0)
> return NULL;
>
> + read_lock_irqsave(&sock->rw_dev_lock, irq_flags);
> +
> + if (!sock->dev) {
> + read_unlock_irqrestore(&sock->rw_dev_lock, irq_flags);
> + pr_err("NFC device does not exit\n");
exist?
Best regards,
Krzysztof
Powered by blists - more mailing lists