[1/4] nfc: fix refcount leak in llcp_sock_bind()

Message ID	20210303061654.127666-2-nixiaoming@huawei.com (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Xiaoming Ni <nixiaoming@huawei.com> To: <linux-kernel@vger.kernel.org>, <kiyin@tencent.com>, <stable@vger.kernel.org>, <gregkh@linuxfoundation.org>, <sameo@linux.intel.com>, <linville@tuxdriver.com>, <davem@davemloft.net>, <kuba@kernel.org>, <mkl@pengutronix.de>, <stefan@datenfreihafen.org>, <matthieu.baerts@tessares.net>, <netdev@vger.kernel.org> CC: <nixiaoming@huawei.com>, <wangle6@huawei.com>, <xiaoqian9@huawei.com> Subject: [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind() Date: Wed, 3 Mar 2021 14:16:51 +0800 Message-ID: <20210303061654.127666-2-nixiaoming@huawei.com> In-Reply-To: <20210303061654.127666-1-nixiaoming@huawei.com> References: <20210303061654.127666-1-nixiaoming@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Precedence: bulk
Series	nfc: fix Resource leakage and endless loop \| expand [0/4] nfc: fix Resource leakage and endless loop [1/4] nfc: fix refcount leak in llcp_sock_bind() [2/4] nfc: fix refcount leak in llcp_sock_connect() [3/4] nfc: fix memory leak in llcp_sock_connect() [4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()

Message ID

20210303061654.127666-2-nixiaoming@huawei.com (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: Xiaoming Ni <nixiaoming@huawei.com>
To: <linux-kernel@vger.kernel.org>, <kiyin@tencent.com>,
        <stable@vger.kernel.org>, <gregkh@linuxfoundation.org>,
        <sameo@linux.intel.com>, <linville@tuxdriver.com>,
        <davem@davemloft.net>, <kuba@kernel.org>, <mkl@pengutronix.de>,
        <stefan@datenfreihafen.org>, <matthieu.baerts@tessares.net>,
        <netdev@vger.kernel.org>
CC: <nixiaoming@huawei.com>, <wangle6@huawei.com>,
        <xiaoqian9@huawei.com>
Subject: [PATCH 1/4] nfc: fix refcount leak in llcp_sock_bind()
Date: Wed, 3 Mar 2021 14:16:51 +0800
Message-ID: <20210303061654.127666-2-nixiaoming@huawei.com>
In-Reply-To: <20210303061654.127666-1-nixiaoming@huawei.com>
References: <20210303061654.127666-1-nixiaoming@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

nfc: fix Resource leakage and endless loop | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cc_maintainers	success	CCed 8 of 8 maintainers
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	fail	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 13 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/header_inline	success	Link
netdev/stable	fail	Stable CC detected: Cc: <stable@vger.kernel.org> #v3.6

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/subject_prefix

warning

Target tree name not specified in the subject

netdev/cc_maintainers

success

CCed 8 of 8 maintainers

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

fail

Link

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 13 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/header_inline

success

Link

netdev/stable

fail

Stable CC detected: Cc: <stable@vger.kernel.org> #v3.6

Commit Message

Xiaoming Ni March 3, 2021, 6:16 a.m. UTC

nfc_llcp_local_get() is invoked in llcp_sock_bind(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25670
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
 creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index d257ed3b732a..68832ee4b9f8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -108,11 +108,13 @@  static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 					  llcp_sock->service_name_len,
 					  GFP_KERNEL);
 	if (!llcp_sock->service_name) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
 	llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		kfree(llcp_sock->service_name);
 		llcp_sock->service_name = NULL;
 		ret = -EADDRINUSE;