[resend,2/4] nfc: fix refcount leak in llcp_sock_connect()

Message ID	20210325035113.49323-3-nixiaoming@huawei.com (mailing list archive)
State	Accepted
Commit	8a4cd82d62b5ec7e5482333a72b58a4eea4979f0
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Xiaoming Ni <nixiaoming@huawei.com> To: <linux-kernel@vger.kernel.org>, <kiyin@tencent.com>, <stable@vger.kernel.org>, <gregkh@linuxfoundation.org>, <sameo@linux.intel.com>, <linville@tuxdriver.com>, <davem@davemloft.net>, <kuba@kernel.org>, <mkl@pengutronix.de>, <stefan@datenfreihafen.org>, <matthieu.baerts@tessares.net>, <netdev@vger.kernel.org> CC: <nixiaoming@huawei.com>, <wangle6@huawei.com>, <xiaoqian9@huawei.com> Subject: [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect() Date: Thu, 25 Mar 2021 11:51:11 +0800 Message-ID: <20210325035113.49323-3-nixiaoming@huawei.com> In-Reply-To: <20210325035113.49323-1-nixiaoming@huawei.com> References: <YFnwiFmgejk/TKOX@kroah.com> <20210325035113.49323-1-nixiaoming@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Precedence: bulk
Series	nfc: fix Resource leakage and endless loop \| expand [resend,0/4] nfc: fix Resource leakage and endless loop [resend,1/4] nfc: fix refcount leak in llcp_sock_bind() [resend,2/4] nfc: fix refcount leak in llcp_sock_connect() [resend,3/4] nfc: fix memory leak in llcp_sock_connect() [resend,4/4] nfc: Avoid endless loops caused by repeated llcp_sock_connect()

Message ID

20210325035113.49323-3-nixiaoming@huawei.com (mailing list archive)

State

Accepted

Commit

8a4cd82d62b5ec7e5482333a72b58a4eea4979f0

Delegated to:

Netdev Maintainers

Headers

show

Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT
	autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D1F75C433E8
	for <netdev@archiver.kernel.org>; Thu, 25 Mar 2021 03:52:08 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id AD29D61A14
	for <netdev@archiver.kernel.org>; Thu, 25 Mar 2021 03:52:08 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229758AbhCYDvj (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Wed, 24 Mar 2021 23:51:39 -0400
Received: from szxga07-in.huawei.com ([45.249.212.35]:14870 "EHLO
        szxga07-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229629AbhCYDv2 (ORCPT
        <rfc822;netdev@vger.kernel.org>); Wed, 24 Mar 2021 23:51:28 -0400
Received: from DGGEMS414-HUB.china.huawei.com (unknown [172.30.72.60])
        by szxga07-in.huawei.com (SkyGuard) with ESMTP id 4F5WLs2jfPz9sjT;
        Thu, 25 Mar 2021 11:49:25 +0800 (CST)
Received: from use12-sp2.huawei.com (10.67.189.174) by
 DGGEMS414-HUB.china.huawei.com (10.3.19.214) with Microsoft SMTP Server id
 14.3.498.0; Thu, 25 Mar 2021 11:51:17 +0800
From: Xiaoming Ni <nixiaoming@huawei.com>
To: <linux-kernel@vger.kernel.org>, <kiyin@tencent.com>,
        <stable@vger.kernel.org>, <gregkh@linuxfoundation.org>,
        <sameo@linux.intel.com>, <linville@tuxdriver.com>,
        <davem@davemloft.net>, <kuba@kernel.org>, <mkl@pengutronix.de>,
        <stefan@datenfreihafen.org>, <matthieu.baerts@tessares.net>,
        <netdev@vger.kernel.org>
CC: <nixiaoming@huawei.com>, <wangle6@huawei.com>,
        <xiaoqian9@huawei.com>
Subject: [PATCH resend 2/4] nfc: fix refcount leak in llcp_sock_connect()
Date: Thu, 25 Mar 2021 11:51:11 +0800
Message-ID: <20210325035113.49323-3-nixiaoming@huawei.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210325035113.49323-1-nixiaoming@huawei.com>
References: <YFnwiFmgejk/TKOX@kroah.com>
 <20210325035113.49323-1-nixiaoming@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.67.189.174]
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Series

nfc: fix Resource leakage and endless loop | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cc_maintainers	success	CCed 7 of 7 maintainers
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	fail	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/header_inline	success	Link

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/subject_prefix

warning

Target tree name not specified in the subject

netdev/cc_maintainers

success

CCed 7 of 7 maintainers

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

fail

Link

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 14 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/header_inline

success

Link

Commit Message

Xiaoming Ni March 25, 2021, 3:51 a.m. UTC

nfc_llcp_local_get() is invoked in llcp_sock_connect(),
but nfc_llcp_local_put() is not invoked in subsequent failure branches.
As a result, refcount leakage occurs.
To fix it, add calling nfc_llcp_local_put().

fix CVE-2020-25671
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when
creating a socket")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@vger.kernel.org> #v3.6
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 68832ee4b9f8..9e2799ee1595 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -704,6 +704,7 @@  static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 	llcp_sock->local = nfc_llcp_local_get(local);
 	llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
 	if (llcp_sock->ssap == LLCP_SAP_MAX) {
+		nfc_llcp_local_put(llcp_sock->local);
 		ret = -ENOMEM;
 		goto put_dev;
 	}
@@ -748,6 +749,7 @@  static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
 
 sock_llcp_release:
 	nfc_llcp_put_ssap(local, llcp_sock->ssap);
+	nfc_llcp_local_put(llcp_sock->local);
 
 put_dev:
 	nfc_put_device(dev);