linux/net
Hoang Le 77d5ad4048 tipc: fix use-after-free in tipc_sk_filter_rcv
skb freed in:
  1/ condition 1: tipc_sk_filter_rcv -> tipc_sk_proto_rcv
  2/ condition 2: tipc_sk_filter_rcv -> tipc_group_filter_msg
This leads to a "use-after-free" access in the next condition.

We fix this by initializing the variable at declaration; then it is safe
to check this variable to continue processing if the condition matches.

syzbot report:

==================================================================
BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
 net/tipc/socket.c:2167
Read of size 4 at addr ffff88808ea58534 by task kworker/u4:0/7

CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0+ #61
Hardware name: Google Google Compute Engine/Google Compute Engine,
 BIOS Google 01/01/2011
Workqueue: tipc_send tipc_conn_send_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 tipc_sk_filter_rcv+0x2166/0x34f0 net/tipc/socket.c:2167
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xc45/0x25a0 net/tipc/socket.c:2305
 tipc_topsrv_kern_evt+0x3b7/0x580 net/tipc/topsrv.c:610
 tipc_conn_send_to_sock+0x43e/0x5f0 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x65/0x80 net/tipc/topsrv.c:303
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x357/0x430 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Reported-by: syzbot+e863893591cc7a622e40@syzkaller.appspotmail.com
Fixes: c55c8eda ("tipc: smooth change between replicast and broadcast")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-21 09:56:55 -07:00
6lowpan 6lowpan: fix debugfs_simple_attr.cocci warnings 2019-01-22 09:51:19 +01:00
9p 9p/net: put a lower bound on msize 2018-12-25 17:07:49 +09:00
802
8021q net: Remove switchdev.h inclusion from team/bond/vlan 2019-02-24 17:40:46 -08:00
appletalk appletalk: Fix potential NULL pointer dereference in unregister_snap_client 2019-03-15 11:25:48 -07:00
atm net: atm: Add another IS_ENABLED(CONFIG_COMPAT) in atm_dev_ioctl 2019-03-07 10:14:50 -08:00
ax25 ax25: fix possible use-after-free 2019-01-23 11:18:00 -08:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-02-15 12:38:38 -08:00
bluetooth Bluetooth: Add quirk for reading BD_ADDR from fwnode property 2019-02-26 10:08:26 +01:00
bpf bpf: fix warning about using plain integer as NULL 2019-03-08 21:17:07 +01:00
bpfilter bpfilter: re-add header search paths to tools include to fix build error 2019-02-23 13:34:40 -08:00
bridge net: bridge: use eth_broadcast_addr() to assign broadcast address 2019-03-20 11:02:47 -07:00
caif net: caif: use skb helpers instead of open-coding them 2019-02-17 11:01:17 -08:00
can can: bcm: check timer values before ktime conversion 2019-01-22 11:33:46 +01:00
ceph libceph: use struct_size() for kmalloc() in crush_decode() 2019-03-05 18:55:17 +01:00
core net: remove 'fallback' argument from dev->ndo_select_queue() 2019-03-20 11:18:55 -07:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-02-08 15:00:17 -08:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-01-29 21:18:54 -08:00
dns_resolver
dsa net: dsa: Use prepare/commit phase in dsa_slave_vlan_rx_add_vid() 2019-03-03 20:45:52 -08:00
ethernet net/ethernet: Add parse_protocol header_ops support 2019-02-22 12:55:31 -08:00
hsr net/hsr: fix possible crash in add_timer() 2019-03-07 11:02:08 -08:00
ieee802154 net: remove unused struct inet_frag_queue.fragments field 2019-02-26 08:27:05 -08:00
ife
ipv4 tcp: free request sock directly upon TFO or syncookies error 2019-03-19 14:13:01 -07:00
ipv6 ipv6: Add icmp_echo_ignore_anycast for ICMPv6 2019-03-20 16:29:37 -07:00
iucv iucv: Remove SKB list assumptions. 2018-11-10 16:55:11 -08:00
kcm kcm: Remove unnecessary SLAB_PANIC for kmem_cache_create() in kcm_init 2019-02-23 13:46:24 -08:00
key af_key: unconditionally clone on broadcast 2019-02-12 10:36:42 +01:00
l2tp l2tp: fix infoleak in l2tp_ip6_recvmsg() 2019-03-13 14:19:35 -07:00
l3mdev l3mdev: add function to retreive upper master 2018-12-03 14:15:26 -08:00
lapb
llc llc: do not use sk_eat_skb() 2018-10-22 19:59:20 -07:00
mac80211 net: remove 'fallback' argument from dev->ndo_select_queue() 2019-03-20 11:18:55 -07:00
mac802154
mpls Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-03-02 12:54:35 -08:00
ncsi net: ncsi: fix a missing check for nla_nest_start 2019-03-16 11:44:33 -07:00
netfilter netfilter: nf_tables: return immediately on empty commit 2019-03-11 20:01:20 +01:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-02-27 21:45:24 -08:00
netlink rhashtable: Remove obsolete rhashtable_walk_init function 2019-02-22 13:49:00 +01:00
netrom netrom: switch to sock timer API 2019-01-27 10:38:04 -08:00
nfc net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails 2019-02-27 12:47:08 -08:00
nsh
openvswitch net: openvswitch: fix missing checks for nla_nest_start 2019-03-16 11:43:14 -07:00
packet net: remove 'fallback' argument from dev->ndo_select_queue() 2019-03-20 11:18:55 -07:00
phonet phonet: fix building with clang 2019-02-21 16:23:56 -08:00
psample
qrtr mm: replace all open encodings for NUMA_NO_NODE 2019-03-05 21:07:14 -08:00
rds 5.1 Merge Window Pull Request 2019-03-09 15:53:03 -08:00
rfkill rfkill: gpio: Remove unused include 2018-12-18 13:13:56 +01:00
rose net: rose: fix a possible stack overflow 2019-03-18 16:53:22 -07:00
rxrpc rxrpc: Fix client call queueing, waiting for channel 2019-03-08 18:24:53 -08:00
sched sch_cake: Interpret fwmark parameter as a bitmask 2019-03-15 11:57:14 -07:00
sctp sctp: fix ignoring asoc_id for tcp-style sockets on SCTP_STREAM_SCHEDULER sockopt 2019-03-18 18:31:09 -07:00
smc Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-03-12 13:27:20 -07:00
strparser net: strparser: fix a missing check for create_singlethread_workqueue 2019-03-15 12:51:56 -07:00
sunrpc Miscellaneous NFS server fixes. Probably the most visible bug is one 2019-03-12 15:06:54 -07:00
switchdev switchdev: Remove unused transaction item queue 2019-03-01 21:35:19 -08:00
tipc tipc: fix use-after-free in tipc_sk_filter_rcv 2019-03-21 09:56:55 -07:00
tls net/tls: Add support of AES128-CCM based ciphers 2019-03-20 11:02:05 -07:00
unix io_uring-2019-03-06 2019-03-08 14:48:40 -08:00
vmw_vsock vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock 2019-03-08 15:15:44 -08:00
wimax
wireless Merge remote-tracking branch 'net-next/master' into mac80211-next 2019-02-22 13:48:13 +01:00
x25 net/x25: reset state in x25_connect() 2019-03-11 15:40:14 -07:00
xdp xsk: fix umem memory leak on cleanup 2019-03-16 01:27:51 +01:00
xfrm net: dev: rename queue selection helpers. 2019-03-20 11:18:54 -07:00
compat.c Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-05 14:08:26 -08:00
Kconfig net: devlink: turn devlink into a built-in 2019-02-26 08:49:05 -08:00
Makefile net: split out functions related to registering inflight socket files 2019-02-28 08:24:23 -07:00
socket.c net: add documentation to socket.c 2019-03-15 15:29:47 -07:00
sysctl_net.c