From patchwork Wed Dec 6 11:13:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hyunwoo Kim X-Patchwork-Id: 13481566 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=theori.io header.i=@theori.io header.b="J8bwQQZe" Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D760C3 for ; Wed, 6 Dec 2023 03:13:34 -0800 (PST) Received: by mail-pl1-x632.google.com with SMTP id d9443c01a7336-1d06819a9cbso29128165ad.1 for ; Wed, 06 Dec 2023 03:13:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=theori.io; s=google; t=1701861214; x=1702466014; darn=vger.kernel.org; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=7i8p6B2ghm30k4bcKSBkkS2M9cpAiFkI2BQp4RK+W6k=; b=J8bwQQZegKQAKZWn1hq33SGrN607/mTkaKE/hlDFPg8vNfCaKqB2X3RE1neSHb/0bI gaxUY2rVU3X6bk+iJ6vq+IaPCcsznIZhS9EdilLUe/pKx5FbENadGvY2aH4Hg6RiCZQi rOUaKVo3JBnhtW8qXOai+6xR7vKjoKjipsasA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701861214; x=1702466014; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7i8p6B2ghm30k4bcKSBkkS2M9cpAiFkI2BQp4RK+W6k=; b=atdWBTxJGpJ9LTgF6Jid/PEh+MisoEXTl5yKjjOGqbfBvwGVhd43TW/m34aMQ178sl v9xbRfeFJDUijjYAcMLbRjAz7huMx0H/nehXRuPF5cOnhva8aTZtz4eMCRuvk6Bnfrlx 75h9JcuE8zgYyh+v7BBHWMRWuVT/rHbFCTV9FBsdB4e5IIneRdBxoRnYQ3io6Y0U86En LQQpjr6PUF+6bldP3Jm6lAyEk1eP1K78SiyWBdQLGbJfh6IeL/fgu5IWMclK10ZrXOnb yZz5DTQuC1oTerLrq9hguMuaDnauXqm7dv4B09kslAq0FTybbW0ILNDzQmI4kTRfkuLQ JrDQ== X-Gm-Message-State: AOJu0YyLyB2EDX525o/65osXE7RiyecxBbtpbX/n5qaQOSjH/U50afhU ghYq1dC2gmZgxOs3X+5PMJ2Y8g== X-Google-Smtp-Source: AGHT+IHyO7csI0IuiNs8mzji5TYTnhV7Hye3QQW9UPXvFHaYpXzKeWoRwXXvJryxe5gT02hfi9sxLA== X-Received: by 2002:a17:90b:314e:b0:286:e34a:d178 with SMTP id ip14-20020a17090b314e00b00286e34ad178mr502109pjb.36.1701861213912; Wed, 06 Dec 2023 03:13:33 -0800 (PST) Received: from ubuntu ([211.219.71.65]) by smtp.gmail.com with ESMTPSA id t13-20020a1709028c8d00b001cfd35ec1d7sm11806933plo.243.2023.12.06.03.13.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 03:13:33 -0800 (PST) Date: Wed, 6 Dec 2023 03:13:29 -0800 From: Hyunwoo Kim To: ralf@linux-mips.org, edumazet@google.com Cc: v4bel@theori.io, imv4bel@gmail.com, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, linux-hams@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v3] net/rose: Fix Use-After-Free in rose_ioctl Message-ID: <20231206111329.GA9888@ubuntu> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline X-Patchwork-Delegate: kuba@kernel.org Because rose_ioctl() accesses sk->sk_receive_queue without holding a sk->sk_receive_queue.lock, it can cause a race with rose_accept(). A use-after-free for skb occurs with the following flow. ``` rose_ioctl() -> skb_peek() rose_accept() -> skb_dequeue() -> kfree_skb() ``` Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Hyunwoo Kim --- v1 -> v2: Use sk->sk_receive_queue.lock instead of lock_sock. v2 -> v3: Change spin_lock to spin_lock_irq --- net/rose/af_rose.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c index 0cc5a4e19900..7ff76bf3f56e 100644 --- a/net/rose/af_rose.c +++ b/net/rose/af_rose.c @@ -1316,8 +1316,10 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) struct sk_buff *skb; long amount = 0L; /* These two are safe on a single CPU system as only user tasks fiddle here */ + spin_lock_irq(&sk->sk_receive_queue.lock); if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) amount = skb->len; + spin_unlock_irq(&sk->sk_receive_queue.lock); return put_user(amount, (unsigned int __user *) argp); }