[PATCH 4.19 139/149] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record

From: Greg Kroah-Hartman
Date: Mon Nov 04 2019 - 17:03:09 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.19 141/149] NFC: pn533: fix use-after-free and memleaks"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 137/149] llc: fix sk_buff leak in llc_conn_service()"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 137/149] llc: fix sk_buff leak in llc_conn_service()"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 141/149] NFC: pn533: fix use-after-free and memleaks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells <dhowells@xxxxxxxxxx>

commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream.

The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points as the peer is used as a base to access information in the
rxrpc_local record.

This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:

BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fix this by taking a ref on the local record for the peer record.

Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
net/rxrpc/peer_object.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -220,7 +220,7 @@ struct rxrpc_peer *rxrpc_alloc_peer(stru
peer = kzalloc(sizeof(struct rxrpc_peer), gfp);
if (peer) {
atomic_set(&peer->usage, 1);
- peer->local = local;
+ peer->local = rxrpc_get_local(local);
INIT_HLIST_HEAD(&peer->error_targets);
peer->service_conns = RB_ROOT;
seqlock_init(&peer->service_conn_lock);
@@ -311,7 +311,6 @@ void rxrpc_new_incoming_peer(struct rxrp
unsigned long hash_key;

hash_key = rxrpc_peer_hash_key(local, &peer->srx);
- peer->local = local;
rxrpc_init_peer(rx, peer, hash_key);

spin_lock(&rxnet->peer_hash_lock);
@@ -421,6 +420,7 @@ static void __rxrpc_put_peer(struct rxrp
list_del_init(&peer->keepalive_link);
spin_unlock_bh(&rxnet->peer_hash_lock);

+ rxrpc_put_local(peer->local);
kfree_rcu(peer, rcu);
}

@@ -454,6 +454,7 @@ void rxrpc_put_peer_locked(struct rxrpc_
if (n == 0) {
hash_del_rcu(&peer->hash_link);
list_del_init(&peer->keepalive_link);
+ rxrpc_put_local(peer->local);
kfree_rcu(peer, rcu);
}
}

Next message: Greg Kroah-Hartman: "[PATCH 4.19 141/149] NFC: pn533: fix use-after-free and memleaks"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 137/149] llc: fix sk_buff leak in llc_conn_service()"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 137/149] llc: fix sk_buff leak in llc_conn_service()"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 141/149] NFC: pn533: fix use-after-free and memleaks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]