lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1813902b-6afc-4539-96b2-050df6fc75c1@linaro.org>
Date: Wed, 13 Dec 2023 08:40:16 +0100
From: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To: Siddh Raman Pant <code@...dh.me>, "David S. Miller"
 <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Suman Ghosh <sumang@...vell.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Subject: Re: [PATCH net-next v5 1/2] nfc: llcp_core: Hold a ref to
 llcp_local->dev when holding a ref to llcp_local

On 12/12/2023 19:49, Siddh Raman Pant wrote:
> llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
> nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
> getting the headroom and tailroom needed for skb allocation.
> 
> Parallelly the nfc_dev can be freed, as the refcount is decreased via
> nfc_free_device(), leading to a UAF reported by Syzkaller, which can
> be summarized as follows:
> 
> (1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
> 	-> nfc_alloc_send_skb() -> Dereference *nfc_dev
> (2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
> 	-> put_device() -> nfc_release() -> Free *nfc_dev
> 
> When a reference to llcp_local is acquired, we do not acquire the same
> for the nfc_dev. This leads to freeing even when the llcp_local is in
> use, and this is the case with the UAF described above too.
> 
> Thus, when we acquire a reference to llcp_local, we should acquire a
> reference to nfc_dev, and release the references appropriately later.
> 
> References for llcp_local is initialized in nfc_llcp_register_device()
> (which is called by nfc_register_device()). Thus, we should acquire a
> reference to nfc_dev there.
> 
> nfc_unregister_device() calls nfc_llcp_unregister_device() which in
> turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
> appropriately released later.
> 
> Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
> Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
> Reviewed-by: Suman Ghosh <sumang@...vell.com>
> Signed-off-by: Siddh Raman Pant <code@...dh.me>
> ---
>  net/nfc/llcp_core.c | 72 +++++++++++++++++++++++++++++----------------
>  1 file changed, 47 insertions(+), 25 deletions(-)
> 
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index 1dac28136e6a..2f77200a3720 100644
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
>  
>  static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
>  {
> +	/* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
> +	 * we hold a reference to local, we also need to hold a reference to
> +	 * the device to avoid UAF.
> +	 */
> +	if (!nfc_get_device(local->dev->idx))
> +		return NULL;
> +
>  	kref_get(&local->ref);
>  
>  	return local;
> @@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
>  
>  int nfc_llcp_local_put(struct nfc_llcp_local *local)
>  {
> +	struct nfc_dev *dev;
> +	int ret;
> +
>  	if (local == NULL)
>  		return 0;
>  
> -	return kref_put(&local->ref, local_release);
> +	dev = local->dev;
> +
> +	ret = kref_put(&local->ref, local_release);
> +	nfc_put_device(dev);
> +
> +	return ret;
>  }
>  
>  static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
> @@ -901,7 +916,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>  
>  	if (dsap != LLCP_SAP_SDP) {
>  		sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
> -		if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
> +		if (!sock || sock->sk.sk_state != LLCP_LISTEN) {

This is unrelated change. Please keep all cleanups separate from fixes.

>  			reason = LLCP_DM_NOBOUND;
>  			goto fail;
>  		}
> @@ -910,7 +925,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>  		size_t sn_len;
>  
>  		sn = nfc_llcp_connect_sn(skb, &sn_len);
> -		if (sn == NULL) {
> +		if (!sn) {

Not related.

>  			reason = LLCP_DM_NOBOUND;
>  			goto fail;
>  		}
> @@ -918,7 +933,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>  		pr_debug("Service name length %zu\n", sn_len);
>  
>  		sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
> -		if (sock == NULL) {
> +		if (!sock) {

Not related.

>  			reason = LLCP_DM_NOBOUND;
>  			goto fail;
>  		}
> @@ -928,39 +943,31 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
>  
>  	parent = &sock->sk;
>  
> -	if (sk_acceptq_is_full(parent)) {
> -		reason = LLCP_DM_REJ;
> -		release_sock(&sock->sk);
> -		sock_put(&sock->sk);
> -		goto fail;
> -	}
> +	if (sk_acceptq_is_full(parent))
> +		goto fail_put_sock;

I would argue that you reshuffle here more code than needed for the fix.

This should fix only missing dev reference, not reshuffle code. It's a
bugfix, not cleanup.

>  
>  	if (sock->ssap == LLCP_SDP_UNBOUND) {
>  		u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
>  
>  		pr_debug("First client, reserving %d\n", ssap);
>  
> -		if (ssap == LLCP_SAP_MAX) {
> -			reason = LLCP_DM_REJ;
> -			release_sock(&sock->sk);
> -			sock_put(&sock->sk);
> -			goto fail;
> -		}
> +		if (ssap == LLCP_SAP_MAX)
> +			goto fail_put_sock;
>  
>  		sock->ssap = ssap;
>  	}
>  


Best regards,
Krzysztof


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ