| Message ID | aa64ef28-35d8-9deb-2756-8080296b7e3e@ucr.edu (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
On Tue, Jul 13, 2021 at 01:21:44PM -0700, Xiaochen Zou wrote: > > Xiaochen Zou (1): > can: fix a potential UAF access in j1939_session_deactivate(). Both > session and session->priv may be freed in > j1939_session_deactivate_locked(). It leads to potential UAF read > and write in j1939_session_list_unlock(). The free chain is > > j1939_session_deactivate_locked()->j1939_session_put()->__j1939_session_release()->j1939_session_destroy(). > To fix this bug, I moved j1939_session_put() behind > j1939_session_deactivate_locked(), and guarded it with a check of > active since the session would be freed only if active is true. > > net/can/j1939/transport.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > -- > 2.17.1 Hi, This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him a patch that has triggered this response. He used to manually respond to these common problems, but in order to save his sanity (he kept writing the same thing over and over, yet to different people), I was created. Hopefully you will not take offence and will fix the problem in your patch and resubmit it so that it can be accepted into the Linux kernel tree. You are receiving this message because of the following common error(s) as indicated below: - Your patch was attached, please place it inline so that it can be applied directly from the email message itself. If you wish to discuss this problem further, or you have questions about how to resolve this issue, please feel free to respond to this email and Greg will reply once he has dug out from the pending patches received from other developers. thanks, greg k-h's patch email bot
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index c3946c355882..c64bd5e8118a 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -1067,7 +1067,6 @@ static bool j1939_session_deactivate_locked(struct j1939_session *session) list_del_init(&session->active_session_list_entry); session->state = J1939_SESSION_DONE; - j1939_session_put(session); } return active; @@ -1080,6 +1079,8 @@ static bool j1939_session_deactivate(struct j1939_session *session) j1939_session_list_lock(session->priv); active = j1939_session_deactivate_locked(session); j1939_session_list_unlock(session->priv); + if (active) + j1939_session_put(session); return active; } @@ -2127,6 +2128,7 @@ void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb) int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk) { struct j1939_session *session, *saved; + bool active; netdev_dbg(priv->ndev, "%s, sk: %p\n", __func__, sk); j1939_session_list_lock(priv); @@ -2140,7 +2142,9 @@ int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk) j1939_session_put(session); session->err = ESHUTDOWN; - j1939_session_deactivate_locked(session); + active = j1939_session_deactivate_locked(session); + if (active) + j1939_session_put(session); } } j1939_session_list_unlock(priv);
Xiaochen Zou (1): can: fix a potential UAF access in j1939_session_deactivate(). Both session and session->priv may be freed in j1939_session_deactivate_locked(). It leads to potential UAF read and write in j1939_session_list_unlock(). The free chain is j1939_session_deactivate_locked()->j1939_session_put()->__j1939_session_release()->j1939_session_destroy(). To fix this bug, I moved j1939_session_put() behind j1939_session_deactivate_locked(), and guarded it with a check of active since the session would be freed only if active is true. net/can/j1939/transport.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)