diff options
| author | Hoang Le <hoang.h.le@dektech.com.au> | 2019-03-21 06:25:17 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-03-21 12:56:55 -0400 |
| commit | 77d5ad4048fba5bd6e16f78498d4b41e5534b8f5 (patch) | |
| tree | 1f9e3127353194217a65b3e045a3d0915a9bbf72 /net/tipc | |
| parent | 0b03a5ca8b14321366eec4a903922d2b46d585ff (diff) | |
tipc: fix use-after-free in tipc_sk_filter_rcv
skb free-ed in:
1/ condition 1: tipc_sk_filter_rcv -> tipc_sk_proto_rcv
2/ condition 2: tipc_sk_filter_rcv -> tipc_group_filter_msg
This leads to a "use-after-free" access in the next condition.
We fix this by intializing the variable at declaration, then it is safe
to check this variable to continue processing if condition matches.
syzbot report:
==================================================================
BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
net/tipc/socket.c:2167
Read of size 4 at addr ffff88808ea58534 by task kworker/u4:0/7
CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0+ #61
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: tipc_send tipc_conn_send_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
tipc_sk_filter_rcv+0x2166/0x34f0 net/tipc/socket.c:2167
tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
tipc_sk_rcv+0xc45/0x25a0 net/tipc/socket.c:2305
tipc_topsrv_kern_evt+0x3b7/0x580 net/tipc/topsrv.c:610
tipc_conn_send_to_sock+0x43e/0x5f0 net/tipc/topsrv.c:283
tipc_conn_send_work+0x65/0x80 net/tipc/topsrv.c:303
process_one_work+0x98e/0x1790 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x357/0x430 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Reported-by: syzbot+e863893591cc7a622e40@syzkaller.appspotmail.com
Fixes: c55c8eda ("tipc: smooth change between replicast and broadcast")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/socket.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 922b75ff56d3..a7b3e1a070e4 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c | |||
| @@ -2151,6 +2151,7 @@ static void tipc_sk_filter_rcv(struct sock *sk, struct sk_buff *skb, | |||
| 2151 | struct tipc_msg *hdr = buf_msg(skb); | 2151 | struct tipc_msg *hdr = buf_msg(skb); |
| 2152 | struct net *net = sock_net(sk); | 2152 | struct net *net = sock_net(sk); |
| 2153 | struct sk_buff_head inputq; | 2153 | struct sk_buff_head inputq; |
| 2154 | int mtyp = msg_type(hdr); | ||
| 2154 | int limit, err = TIPC_OK; | 2155 | int limit, err = TIPC_OK; |
| 2155 | 2156 | ||
| 2156 | trace_tipc_sk_filter_rcv(sk, skb, TIPC_DUMP_ALL, " "); | 2157 | trace_tipc_sk_filter_rcv(sk, skb, TIPC_DUMP_ALL, " "); |
| @@ -2164,7 +2165,7 @@ static void tipc_sk_filter_rcv(struct sock *sk, struct sk_buff *skb, | |||
| 2164 | if (unlikely(grp)) | 2165 | if (unlikely(grp)) |
| 2165 | tipc_group_filter_msg(grp, &inputq, xmitq); | 2166 | tipc_group_filter_msg(grp, &inputq, xmitq); |
| 2166 | 2167 | ||
| 2167 | if (msg_type(hdr) == TIPC_MCAST_MSG) | 2168 | if (unlikely(!grp) && mtyp == TIPC_MCAST_MSG) |
| 2168 | tipc_mcast_filter_msg(&tsk->mc_method.deferredq, &inputq); | 2169 | tipc_mcast_filter_msg(&tsk->mc_method.deferredq, &inputq); |
| 2169 | 2170 | ||
| 2170 | /* Validate and add to receive buffer if there is space */ | 2171 | /* Validate and add to receive buffer if there is space */ |