Message ID | 20200724164551.24109-1-xiyou.wangcong@gmail.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net,v2] qrtr: orphan socket in qrtr_release() | expand |
On 7/24/20 9:45 AM, Cong Wang wrote: > We have to detach sock from socket in qrtr_release(), > otherwise skb->sk may still reference to this socket > when the skb is released in tun->queue, particularly > sk->sk_wq still points to &sock->wq, which leads to > a UAF. > > Reported-and-tested-by: syzbot+6720d64f31c081c2f708@syzkaller.appspotmail.com > Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") > Cc: Bjorn Andersson <bjorn.andersson@linaro.org> > Cc: Eric Dumazet <eric.dumazet@gmail.com> > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> > --- > net/qrtr/qrtr.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c > index 24a8c3c6da0d..300a104b9a0f 100644 > --- a/net/qrtr/qrtr.c > +++ b/net/qrtr/qrtr.c > @@ -1180,6 +1180,7 @@ static int qrtr_release(struct socket *sock) > sk->sk_state_change(sk); > > sock_set_flag(sk, SOCK_DEAD); > + sock_orphan(sk); > sock->sk = NULL; > > if (!sock_flag(sk, SOCK_ZAPPED)) > Reviewed-by: Eric Dumazet <edumazet@google.com>
From: Cong Wang <xiyou.wangcong@gmail.com> Date: Fri, 24 Jul 2020 09:45:51 -0700 > We have to detach sock from socket in qrtr_release(), > otherwise skb->sk may still reference to this socket > when the skb is released in tun->queue, particularly > sk->sk_wq still points to &sock->wq, which leads to > a UAF. > > Reported-and-tested-by: syzbot+6720d64f31c081c2f708@syzkaller.appspotmail.com > Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") > Cc: Bjorn Andersson <bjorn.andersson@linaro.org> > Cc: Eric Dumazet <eric.dumazet@gmail.com> > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Applied and queued up for -stable, thanks.
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index 24a8c3c6da0d..300a104b9a0f 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -1180,6 +1180,7 @@ static int qrtr_release(struct socket *sock) sk->sk_state_change(sk); sock_set_flag(sk, SOCK_DEAD); + sock_orphan(sk); sock->sk = NULL; if (!sock_flag(sk, SOCK_ZAPPED))
We have to detach sock from socket in qrtr_release(), otherwise skb->sk may still reference to this socket when the skb is released in tun->queue, particularly sk->sk_wq still points to &sock->wq, which leads to a UAF. Reported-and-tested-by: syzbot+6720d64f31c081c2f708@syzkaller.appspotmail.com Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") Cc: Bjorn Andersson <bjorn.andersson@linaro.org> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> --- net/qrtr/qrtr.c | 1 + 1 file changed, 1 insertion(+)