From patchwork Sat Dec 9 09:42:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hyunwoo Kim X-Patchwork-Id: 13485996 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=theori.io header.i=@theori.io header.b="M5gy7yJZ" Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D18BC10C9 for ; Sat, 9 Dec 2023 01:42:14 -0800 (PST) Received: by mail-io1-xd2a.google.com with SMTP id ca18e2360f4ac-7b6f4330598so104290639f.1 for ; Sat, 09 Dec 2023 01:42:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=theori.io; s=google; t=1702114934; x=1702719734; darn=vger.kernel.org; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=BV1cCWvSz4/n1ZZs101uQSRQBfLiBIMXTgnA7ozCgYA=; b=M5gy7yJZnjD42G80biwWWeaegMaZcOA49AcJxR2hiQ7QVjC3KO6hJm6Ul5N38lVJIu eijGg4yjifFjierHVleeBbsMyNX1H+Z8um/nrJZOH1BLrqbl6a32icAPhUtCimj3szkC 3GCiVI7C1Ga23Vyq662HkpIdpRNtkb7kn5E2E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702114934; x=1702719734; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BV1cCWvSz4/n1ZZs101uQSRQBfLiBIMXTgnA7ozCgYA=; b=dY3p+WoSDkAQDYtQrNNVIDEJCQzCa9ncOSb6ykc5zd3UPCJFWO+8Jp18H3ctGS8+0j JuhQOTfhZT8ig2NwF6VbTtHX/WWTOeztsnZoDMEjwdPQe6k4pOdDgVY1tsYhQ4jFY8OW WeGK191DoI/Cx8oE+2T5h1uWrHREkuktTy0bBICut83m9TzgEBK5wkciyUFog04kuFq/ a+GTvS1SFqzt4dgYBG2m4lsxD4tvLbSCjA1zV7kUCDleck/a9fj1w9wMEWssCOD+/OXF 9DElD1ZEjFyle+FoHhzATYnAOIZK/D44g00/qzjhjFcRHUHGhlz9OzULfNl/l+zJQAQB 82Mg== X-Gm-Message-State: AOJu0YxTEGUdmSx/d6NPS4Yq4GWni1KW6etNGNrHKvsaXrB0xdjpNPIV CUn/dpaBsjnqZBzi4jDxC1Xl6w== X-Google-Smtp-Source: AGHT+IH2jc3/Ag56VPJlWyox+hBrfzllP9ddybA5Ks9z2OOTeKxDms7AsmVvW/5Q9auhl/APpSBIRA== X-Received: by 2002:a05:6602:1a97:b0:7b6:f236:658f with SMTP id bn23-20020a0566021a9700b007b6f236658fmr1852667iob.12.1702114934103; Sat, 09 Dec 2023 01:42:14 -0800 (PST) Received: from v4bel-B760M-AORUS-ELITE-AX ([211.219.71.65]) by smtp.gmail.com with ESMTPSA id p12-20020a170902e74c00b001d0b32ec81esm3026605plf.79.2023.12.09.01.42.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 09 Dec 2023 01:42:13 -0800 (PST) Date: Sat, 9 Dec 2023 04:42:10 -0500 From: Hyunwoo Kim To: davem@davemloft.net, kuba@kernel.org, edumazet@google.com Cc: v4bel@theori.io, imv4bel@gmail.com, pabeni@redhat.com, netdev@vger.kernel.org Subject: [PATCH net v3] atm: Fix Use-After-Free in do_vcc_ioctl Message-ID: <20231209094210.GA403126@v4bel-B760M-AORUS-ELITE-AX> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline X-Patchwork-Delegate: kuba@kernel.org Because do_vcc_ioctl() accesses sk->sk_receive_queue without holding a sk->sk_receive_queue.lock, it can cause a race with vcc_recvmsg(). A use-after-free for skb occurs with the following flow. ``` do_vcc_ioctl() -> skb_peek() vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() ``` Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Hyunwoo Kim --- v1 -> v2: Change the code style v2 -> v3: Change to 'int amount' --- net/atm/ioctl.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/atm/ioctl.c b/net/atm/ioctl.c index 838ebf0cabbf..f81f8d56f5c0 100644 --- a/net/atm/ioctl.c +++ b/net/atm/ioctl.c @@ -73,14 +73,17 @@ static int do_vcc_ioctl(struct socket *sock, unsigned int cmd, case SIOCINQ: { struct sk_buff *skb; + int amount; if (sock->state != SS_CONNECTED) { error = -EINVAL; goto done; } + spin_lock_irq(&sk->sk_receive_queue.lock); skb = skb_peek(&sk->sk_receive_queue); - error = put_user(skb ? skb->len : 0, - (int __user *)argp) ? -EFAULT : 0; + amount = skb ? skb->len : 0; + spin_unlock_irq(&sk->sk_receive_queue.lock); + error = put_user(amount, (int __user *)argp) ? -EFAULT : 0; goto done; } case ATM_SETSC: