[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1813902b-6afc-4539-96b2-050df6fc75c1@linaro.org>
Date: Wed, 13 Dec 2023 08:40:16 +0100
From: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To: Siddh Raman Pant <code@...dh.me>, "David S. Miller"
<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Suman Ghosh <sumang@...vell.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Subject: Re: [PATCH net-next v5 1/2] nfc: llcp_core: Hold a ref to
llcp_local->dev when holding a ref to llcp_local
On 12/12/2023 19:49, Siddh Raman Pant wrote:
> llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
> nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
> getting the headroom and tailroom needed for skb allocation.
>
> Parallelly the nfc_dev can be freed, as the refcount is decreased via
> nfc_free_device(), leading to a UAF reported by Syzkaller, which can
> be summarized as follows:
>
> (1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
> -> nfc_alloc_send_skb() -> Dereference *nfc_dev
> (2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
> -> put_device() -> nfc_release() -> Free *nfc_dev
>
> When a reference to llcp_local is acquired, we do not acquire the same
> for the nfc_dev. This leads to freeing even when the llcp_local is in
> use, and this is the case with the UAF described above too.
>
> Thus, when we acquire a reference to llcp_local, we should acquire a
> reference to nfc_dev, and release the references appropriately later.
>
> References for llcp_local is initialized in nfc_llcp_register_device()
> (which is called by nfc_register_device()). Thus, we should acquire a
> reference to nfc_dev there.
>
> nfc_unregister_device() calls nfc_llcp_unregister_device() which in
> turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
> appropriately released later.
>
> Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
> Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
> Reviewed-by: Suman Ghosh <sumang@...vell.com>
> Signed-off-by: Siddh Raman Pant <code@...dh.me>
> ---
> net/nfc/llcp_core.c | 72 +++++++++++++++++++++++++++++----------------
> 1 file changed, 47 insertions(+), 25 deletions(-)
>
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index 1dac28136e6a..2f77200a3720 100644
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
>
> static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
> {
> + /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
> + * we hold a reference to local, we also need to hold a reference to
> + * the device to avoid UAF.
> + */
> + if (!nfc_get_device(local->dev->idx))
> + return NULL;
> +
> kref_get(&local->ref);
>
> return local;
> @@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
>
> int nfc_llcp_local_put(struct nfc_llcp_local *local)
> {
> + struct nfc_dev *dev;
> + int ret;
> +
> if (local == NULL)
> return 0;
>
> - return kref_put(&local->ref, local_release);
> + dev = local->dev;
> +
> + ret = kref_put(&local->ref, local_release);
> + nfc_put_device(dev);
> +
> + return ret;
> }
>
> static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
> @@ -901,7 +916,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>
> if (dsap != LLCP_SAP_SDP) {
> sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
> - if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
> + if (!sock || sock->sk.sk_state != LLCP_LISTEN) {
This is unrelated change. Please keep all cleanups separate from fixes.
> reason = LLCP_DM_NOBOUND;
> goto fail;
> }
> @@ -910,7 +925,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
> size_t sn_len;
>
> sn = nfc_llcp_connect_sn(skb, &sn_len);
> - if (sn == NULL) {
> + if (!sn) {
Not related.
> reason = LLCP_DM_NOBOUND;
> goto fail;
> }
> @@ -918,7 +933,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
> pr_debug("Service name length %zu\n", sn_len);
>
> sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
> - if (sock == NULL) {
> + if (!sock) {
Not related.
> reason = LLCP_DM_NOBOUND;
> goto fail;
> }
> @@ -928,39 +943,31 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>
> parent = &sock->sk;
>
> - if (sk_acceptq_is_full(parent)) {
> - reason = LLCP_DM_REJ;
> - release_sock(&sock->sk);
> - sock_put(&sock->sk);
> - goto fail;
> - }
> + if (sk_acceptq_is_full(parent))
> + goto fail_put_sock;
I would argue that you reshuffle here more code than needed for the fix.
This should fix only missing dev reference, not reshuffle code. It's a
bugfix, not cleanup.
>
> if (sock->ssap == LLCP_SDP_UNBOUND) {
> u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
>
> pr_debug("First client, reserving %d\n", ssap);
>
> - if (ssap == LLCP_SAP_MAX) {
> - reason = LLCP_DM_REJ;
> - release_sock(&sock->sk);
> - sock_put(&sock->sk);
> - goto fail;
> - }
> + if (ssap == LLCP_SAP_MAX)
> + goto fail_put_sock;
>
> sock->ssap = ssap;
> }
>
Best regards,
Krzysztof
Powered by blists - more mailing lists