Hi xiaoming,
the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem.
if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name...
-----Original Message-----
From: Xiaoming Ni [mailto:nixiaoming@xxxxxxxxxx]
Sent: Wednesday, March 3, 2021 2:17 PM
To: linux-kernel@xxxxxxxxxxxxxxx; kiyin(尹亮) <kiyin@xxxxxxxxxxx>;
stable@xxxxxxxxxxxxxxx; gregkh@xxxxxxxxxxxxxxxxxxx; sameo@xxxxxxxxxxxxxxx;
linville@xxxxxxxxxxxxx; davem@xxxxxxxxxxxxx; kuba@xxxxxxxxxx;
mkl@xxxxxxxxxxxxxx; stefan@xxxxxxxxxxxxxxxxxx;
matthieu.baerts@xxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx
Cc: nixiaoming@xxxxxxxxxx; wangle6@xxxxxxxxxx; xiaoqian9@xxxxxxxxxx
Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated
llcp_sock_connect()(Internet mail)
When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
sk->sk_node->next will point to itself, that will make an endless loop and
hang-up the system.
To fix it, check whether sk->sk_state is LLCP_CONNECTING in
llcp_sock_connect() to avoid repeated invoking.
fix CVE-2020-25673
Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)" <kiyin@xxxxxxxxxxx>
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: <stable@xxxxxxxxxxxxxxx> #v3.11
Signed-off-by: Xiaoming Ni <nixiaoming@xxxxxxxxxx>
---
net/nfc/llcp_sock.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index
59172614b249..a3b46f888803 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock,
struct sockaddr *_addr,
ret = -EISCONN;
goto error;
}
+ if (sk->sk_state == LLCP_CONNECTING) {
+ ret = -EINPROGRESS;
+ goto error;
+ }
dev = nfc_get_device(addr->dev_idx);
if (dev == NULL) {
--
2.27.0