| Message ID | 20210303061654.127666-5-nixiaoming@huawei.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | nfc: fix Resource leakage and endless loop | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 7 of 7 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 10 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
| netdev/stable | fail | Stable CC detected: Cc: <stable@vger.kernel.org> #v3.11 |
Hi xiaoming, the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem. if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name... Regards, kiyin. > -----Original Message----- > From: Xiaoming Ni [mailto:nixiaoming@huawei.com] > Sent: Wednesday, March 3, 2021 2:17 PM > To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>; > stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com; > linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org; > mkl@pengutronix.de; stefan@datenfreihafen.org; > matthieu.baerts@tessares.net; netdev@vger.kernel.org > Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com > Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated > llcp_sock_connect()(Internet mail) > > When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is > LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, > nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. > sk->sk_node->next will point to itself, that will make an endless loop and > hang-up the system. > To fix it, check whether sk->sk_state is LLCP_CONNECTING in > llcp_sock_connect() to avoid repeated invoking. > > fix CVE-2020-25673 > Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") > Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> > Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 > Cc: <stable@vger.kernel.org> #v3.11 > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> > --- > net/nfc/llcp_sock.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index > 59172614b249..a3b46f888803 100644 > --- a/net/nfc/llcp_sock.c > +++ b/net/nfc/llcp_sock.c > @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, > struct sockaddr *_addr, > ret = -EISCONN; > goto error; > } > + if (sk->sk_state == LLCP_CONNECTING) { > + ret = -EINPROGRESS; > + goto error; > + } > > dev = nfc_get_device(addr->dev_idx); > if (dev == NULL) { > -- > 2.27.0 >
On 2021/3/3 17:28, kiyin(尹亮) wrote: > Hi xiaoming, > the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem. > if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name... I didn't find the code to modify sk->sk_state after a connect failure. Can you provide guidance? Based on my understanding of the current code: After llcp_sock_connect() is invoked using the meaningless service_name as the parameter, sk->sk_state is set to LLCP_CONNECTING. After that, no corresponding service responds to the request because the service_name is meaningless, the value of sk->sk_state remains unchanged. Therefore, when llcp_sock_connect() is invoked again, resources such as llcp_sock->service_name are not repeatedly applied because sk_state is set to LLCP_CONNECTING. In this way, the repeated invoking of llcp_sock_connect() does not repeatedly leak resources. Thanks Xiaoming Ni > >> -----Original Message----- >> From: Xiaoming Ni [mailto:nixiaoming@huawei.com] >> Sent: Wednesday, March 3, 2021 2:17 PM >> To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>; >> stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com; >> linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org; >> mkl@pengutronix.de; stefan@datenfreihafen.org; >> matthieu.baerts@tessares.net; netdev@vger.kernel.org >> Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com >> Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated >> llcp_sock_connect()(Internet mail) >> >> When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is >> LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, >> nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. >> sk->sk_node->next will point to itself, that will make an endless loop and >> hang-up the system. >> To fix it, check whether sk->sk_state is LLCP_CONNECTING in >> llcp_sock_connect() to avoid repeated invoking. >> >> fix CVE-2020-25673 >> Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") >> Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> >> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 >> Cc: <stable@vger.kernel.org> #v3.11 >> Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> >> --- >> net/nfc/llcp_sock.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index >> 59172614b249..a3b46f888803 100644 >> --- a/net/nfc/llcp_sock.c >> +++ b/net/nfc/llcp_sock.c >> @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, >> struct sockaddr *_addr, >> ret = -EISCONN; >> goto error; >> } >> + if (sk->sk_state == LLCP_CONNECTING) { >> + ret = -EINPROGRESS; >> + goto error; >> + } >> >> dev = nfc_get_device(addr->dev_idx); >> if (dev == NULL) { >> -- >> 2.27.0 >> >
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index 59172614b249..a3b46f888803 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, ret = -EISCONN; goto error; } + if (sk->sk_state == LLCP_CONNECTING) { + ret = -EINPROGRESS; + goto error; + } dev = nfc_get_device(addr->dev_idx); if (dev == NULL) {
When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. sk->sk_node->next will point to itself, that will make an endless loop and hang-up the system. To fix it, check whether sk->sk_state is LLCP_CONNECTING in llcp_sock_connect() to avoid repeated invoking. fix CVE-2020-25673 Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: <stable@vger.kernel.org> #v3.11 Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+)