diff mbox

[0/1] can: fix a potential UAF access in j1939_session_deactivate()

Message ID aa64ef28-35d8-9deb-2756-8080296b7e3e@ucr.edu (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show

Commit Message

Xiaochen Zou July 13, 2021, 8:21 p.m. UTC
Xiaochen Zou (1):
  can: fix a potential UAF access in j1939_session_deactivate(). Both
    session and session->priv may be freed in
    j1939_session_deactivate_locked(). It leads to potential UAF read
    and write in j1939_session_list_unlock(). The free chain is

j1939_session_deactivate_locked()->j1939_session_put()->__j1939_session_release()->j1939_session_destroy().
    To fix this bug, I moved j1939_session_put() behind
    j1939_session_deactivate_locked(), and guarded it with a check of
    active since the session would be freed only if active is true.

 net/can/j1939/transport.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Greg KH July 14, 2021, 6:49 a.m. UTC | #1
On Tue, Jul 13, 2021 at 01:21:44PM -0700, Xiaochen Zou wrote:
> 
> Xiaochen Zou (1):
>   can: fix a potential UAF access in j1939_session_deactivate(). Both
>     session and session->priv may be freed in
>     j1939_session_deactivate_locked(). It leads to potential UAF read
>     and write in j1939_session_list_unlock(). The free chain is
> 
> j1939_session_deactivate_locked()->j1939_session_put()->__j1939_session_release()->j1939_session_destroy().
>     To fix this bug, I moved j1939_session_put() behind
>     j1939_session_deactivate_locked(), and guarded it with a check of
>     active since the session would be freed only if active is true.
> 
>  net/can/j1939/transport.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> -- 
> 2.17.1


Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- Your patch was attached, please place it inline so that it can be
  applied directly from the email message itself.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot
diff mbox

Patch

diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index c3946c355882..c64bd5e8118a 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1067,7 +1067,6 @@  static bool j1939_session_deactivate_locked(struct j1939_session *session)
 
 		list_del_init(&session->active_session_list_entry);
 		session->state = J1939_SESSION_DONE;
-		j1939_session_put(session);
 	}
 
 	return active;
@@ -1080,6 +1079,8 @@  static bool j1939_session_deactivate(struct j1939_session *session)
 	j1939_session_list_lock(session->priv);
 	active = j1939_session_deactivate_locked(session);
 	j1939_session_list_unlock(session->priv);
+	if (active)
+		j1939_session_put(session);
 
 	return active;
 }
@@ -2127,6 +2128,7 @@  void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb)
 int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk)
 {
 	struct j1939_session *session, *saved;
+	bool active;
 
 	netdev_dbg(priv->ndev, "%s, sk: %p\n", __func__, sk);
 	j1939_session_list_lock(priv);
@@ -2140,7 +2142,9 @@  int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk)
 				j1939_session_put(session);
 
 			session->err = ESHUTDOWN;
-			j1939_session_deactivate_locked(session);
+			active = j1939_session_deactivate_locked(session);
+			if (active)
+				j1939_session_put(session);
 		}
 	}
 	j1939_session_list_unlock(priv);