| Message ID | 20211013043052.16379-1-linma@zju.edu.cn (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | NFC: NULL out conn_info reference when conn is closed | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Single patches do not need cover letters |
| netdev/fixes_present | success | Fixes tag not required for -next series |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 6 of 6 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | No Fixes tag |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 14 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | No static functions without inline keyword in header files |
On Wed, 13 Oct 2021 12:30:52 +0800 Lin Ma wrote: > The nci_core_conn_close_rsp_packet() function will release the conn_info > with given conn_id. However, this reference of this object may still held > by other places like ndev->rf_conn_info in routine: > .. -> nci_recv_frame() > -> nci_rx_work() > -> nci_rsp_packet() > -> nci_rf_disc_rsp_packet() > -> devm_kzalloc() > ndev->rf_conn_info = conn_info; > > or ndev->hci_dev->conn_info in routine: > .. -> nci_recv_frame() > -> nci_rx_work() > -> nci_rsp_packet() > -> nci_core_conn_create_rsp_packet() > -> devm_kzalloc() > ndev->hci_dev->conn_info = conn_info; > > If these two places are not NULL out, potential UAF can be exploited by > the attacker when emulating an UART NFC device. This patch compares the > deallocating object with the two places and writes NULL to prevent that. > > Signed-off-by: Lin Ma <linma@zju.edu.cn> This doesn't apply, looks like we already have half of this patch in the networking fixes tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=1b1499a817c90fd1ce9453a2c98d2a01cca0e775 Please rebase on top of that and resend. Add a Fixes tag while at it.
diff --git a/net/nfc/nci/rsp.c b/net/nfc/nci/rsp.c index a2e72c003805..99de76e5e855 100644 --- a/net/nfc/nci/rsp.c +++ b/net/nfc/nci/rsp.c @@ -334,6 +334,14 @@ static void nci_core_conn_close_rsp_packet(struct nci_dev *ndev, ndev->cur_conn_id); if (conn_info) { list_del(&conn_info->list); + /* Other places held conn_info like + * ndev->hci_dev->conn_info, ndev->rf_conn_info + * need to be NULL out. + */ + if (ndev->hci_dev->conn_info == conn_info) + ndev->hci_dev->conn_info = NULL; + if (ndev->rf_conn_info == conn_info) + ndev->rf_conn_info = NULL; devm_kfree(&ndev->nfc_dev->dev, conn_info); } }
The nci_core_conn_close_rsp_packet() function will release the conn_info with given conn_id. However, this reference of this object may still held by other places like ndev->rf_conn_info in routine: .. -> nci_recv_frame() -> nci_rx_work() -> nci_rsp_packet() -> nci_rf_disc_rsp_packet() -> devm_kzalloc() ndev->rf_conn_info = conn_info; or ndev->hci_dev->conn_info in routine: .. -> nci_recv_frame() -> nci_rx_work() -> nci_rsp_packet() -> nci_core_conn_create_rsp_packet() -> devm_kzalloc() ndev->hci_dev->conn_info = conn_info; If these two places are not NULL out, potential UAF can be exploited by the attacker when emulating an UART NFC device. This patch compares the deallocating object with the two places and writes NULL to prevent that. Signed-off-by: Lin Ma <linma@zju.edu.cn> --- net/nfc/nci/rsp.c | 8 ++++++++ 1 file changed, 8 insertions(+)