| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 26 Nov 2023 01:56:17 +0530
From: Siddh Raman Pant <code@...dh.me>
To: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Subject: [PATCH 2/4] nfc: Protect access to nfc_dev in an llcp_sock with a rwlock
llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame(), which accesses the
nfc_dev from the llcp_sock for getting the headroom and tailroom needed
for skb allocation.
Parallely, the nfc_dev can be freed via the nfc_unregister_device()
codepath (nfc_release() being called due to the class unregister in
nfc_exit()), leading to the UAF reported by Syzkaller.
We have the following call tree before freeing:
nfc_unregister_device()
-> nfc_llcp_unregister_device()
-> local_cleanup()
-> nfc_llcp_socket_release()
nfc_llcp_socket_release() sets the state of sockets to LLCP_CLOSED,
and this is encountered necessarily before any freeing of nfc_dev.
Thus, add a rwlock in struct llcp_sock to synchronize access to
nfc_dev. nfc_dev in an llcp_sock will be NULLed in a write critical
section when socket state has been set to closed. Thus, we can avoid
the UAF by bailing out from a read critical section upon seeing NULL.
Since this is repeated multiple times in nfc_llcp_socket_release(),
extract the behaviour into a new function.
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
Signed-off-by: Siddh Raman Pant <code@...dh.me>
---
net/nfc/llcp.h | 1 +
net/nfc/llcp_commands.c | 27 ++++++++++++++++++++++++---
net/nfc/llcp_core.c | 31 +++++++++++++++++++------------
net/nfc/llcp_sock.c | 2 ++
4 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
index d8345ed57c95..800cbe8e3d6b 100644
--- a/net/nfc/llcp.h
+++ b/net/nfc/llcp.h
@@ -102,6 +102,7 @@ struct nfc_llcp_local {
struct nfc_llcp_sock {
struct sock sk;
struct nfc_dev *dev;
+ rwlock_t rw_dev_lock;
struct nfc_llcp_local *local;
u32 target_idx;
u32 nfc_protocol;
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 39c7c59bbf66..b132830bc206 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -315,13 +315,24 @@ static struct sk_buff *llcp_allocate_pdu(struct nfc_llcp_sock *sock,
{
struct sk_buff *skb;
int err, headroom, tailroom;
+ unsigned long irq_flags;
if (sock->ssap == 0)
return NULL;
+ read_lock_irqsave(&sock->rw_dev_lock, irq_flags);
+
+ if (!sock->dev) {
+ read_unlock_irqrestore(&sock->rw_dev_lock, irq_flags);
+ pr_err("NFC device does not exit\n");
+ return NULL;
+ }
+
headroom = sock->dev->tx_headroom;
tailroom = sock->dev->tx_tailroom;
+ read_unlock_irqrestore(&sock->rw_dev_lock, irq_flags);
+
skb = nfc_alloc_send_skb(&sock->sk, MSG_DONTWAIT,
size + LLCP_HEADER_SIZE, headroom, tailroom,
&err);
@@ -739,6 +750,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
u8 *msg_ptr, *msg_data;
u16 remote_miu;
int err, headroom, tailroom;
+ unsigned long irq_flags;
pr_debug("Send UI frame len %zd\n", len);
@@ -746,6 +758,18 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
if (local == NULL)
return -ENODEV;
+ read_lock_irqsave(&sock->rw_dev_lock, irq_flags);
+
+ if (!sock->dev) {
+ read_unlock_irqrestore(&sock->rw_dev_lock, irq_flags);
+ return -ENODEV;
+ }
+
+ headroom = sock->dev->tx_headroom;
+ tailroom = sock->dev->tx_tailroom;
+
+ read_unlock_irqrestore(&sock->rw_dev_lock, irq_flags);
+
msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
if (msg_data == NULL)
return -ENOMEM;
@@ -755,9 +779,6 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
return -EFAULT;
}
- headroom = sock->dev->tx_headroom;
- tailroom = sock->dev->tx_tailroom;
-
remaining_len = len;
msg_ptr = msg_data;
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..a565712d7db8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -20,6 +20,22 @@ static LIST_HEAD(llcp_devices);
/* Protects llcp_devices list */
static DEFINE_SPINLOCK(llcp_devices_lock);
+static inline void nfc_llcp_sock_close(struct nfc_llcp_sock *llcp_sock, int err)
+{
+ struct sock *sk = &llcp_sock->sk;
+ unsigned long irq_flags;
+
+ if (err)
+ sk->sk_err = err;
+
+ sk->sk_state = LLCP_CLOSED;
+ sk->sk_state_change(sk);
+
+ write_lock_irqsave(&llcp_sock->rw_dev_lock, irq_flags);
+ llcp_sock->dev = NULL;
+ write_unlock_irqrestore(&llcp_sock->rw_dev_lock, irq_flags);
+}
+
static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk)
@@ -96,19 +112,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
nfc_llcp_accept_unlink(accept_sk);
- if (err)
- accept_sk->sk_err = err;
- accept_sk->sk_state = LLCP_CLOSED;
- accept_sk->sk_state_change(sk);
+ nfc_llcp_sock_close(lsk, err);
bh_unlock_sock(accept_sk);
}
}
- if (err)
- sk->sk_err = err;
- sk->sk_state = LLCP_CLOSED;
- sk->sk_state_change(sk);
+ nfc_llcp_sock_close(llcp_sock, err);
bh_unlock_sock(sk);
@@ -130,10 +140,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
nfc_llcp_socket_purge(llcp_sock);
- if (err)
- sk->sk_err = err;
- sk->sk_state = LLCP_CLOSED;
- sk->sk_state_change(sk);
+ nfc_llcp_sock_close(llcp_sock, err);
bh_unlock_sock(sk);
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 645677f84dba..ef1ab88a5e4f 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -983,6 +983,8 @@ struct sock *nfc_llcp_sock_alloc(struct socket *sock, int type, gfp_t gfp, int k
sk->sk_type = type;
sk->sk_destruct = llcp_sock_destruct;
+ rwlock_init(&llcp_sock->rw_dev_lock);
+
llcp_sock->ssap = 0;
llcp_sock->dsap = LLCP_SAP_SDP;
llcp_sock->rw = LLCP_MAX_RW + 1;
--
2.42.0
Powered by blists - more mailing lists