From patchwork Fri Nov 27 19:18:39 2015
X-Patchwork-Submitter: Peter Hurley
X-Patchwork-Id: 549576
X-Patchwork-Delegate: davem@davemloft.net
From: Peter Hurley
To: Greg Kroah-Hartman
Cc: Jiri Slaby, David Miller, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Sasha Levin, Peter Hurley, stable@vger.kernel.org
Subject: [PATCH] wan/x25: Fix use-after-free in x25_asy_open_tty()
Date: Fri, 27 Nov 2015 14:18:39 -0500
Message-Id: <1448651919-4239-1-git-send-email-peter@hurleysoftware.com>
X-Mailer: git-send-email 2.6.3
X-Mailing-List: netdev@vger.kernel.org

The N_X25 line discipline may access the previous line discipline's closed and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the line discipline's open() method. Rather, the ldisc is expected to initialize that field for its own use for the lifetime of the instance (i.e. from open() to close() only).

[1]
[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-and-tested-by: Sasha Levin
Cc:
Signed-off-by: Peter Hurley
---
 drivers/net/wan/x25_asy.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
index 5c47b01..cd39025 100644
--- a/drivers/net/wan/x25_asy.c
+++ b/drivers/net/wan/x25_asy.c
@@ -549,16 +549,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty, static int x25_asy_open_tty(struct tty_struct *tty) { - struct x25_asy *sl = tty->disc_data; + struct x25_asy *sl; int err; if (tty->ops->write == NULL) return -EOPNOTSUPP; - /* First make sure we're not already connected. */ - if (sl && sl->magic == X25_ASY_MAGIC) - return -EEXIST; - /* OK. Find a free X.25 channel to use. */ sl = x25_asy_alloc(); if (sl == NULL)
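Review bot: the deleted `if (sl && sl->magic == X25_ASY_MAGIC) return -EEXIST;` guard is itself the stale read that the KASAN trace attributes to x25_asy_open_tty at drivers/net/wan/x25_asy.c:559, and because tty->disc_data never holds a valid pointer on entry to open(), there is no "already connected" state for it to detect; dropping it and always taking the x25_asy_alloc() path is the right fix. Consider replacing the removed "First make sure we're not already connected." comment with one line saying that tty->disc_data must not be read here because it belongs to the previous ldisc, so a later cleanup does not reintroduce the check. With the change, the now-uninitialized `struct x25_asy *sl;` is first written by `sl = x25_asy_alloc();`, and the visible `if (sl == NULL)` covers the allocation failure.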
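As an added example (not code from this patch or from the kernel), the following stand-alone C model shows the open()/close() contract the commit message states and why a guard that reads tty->disc_data on entry is a use-after-free. The magic value, the two-slot object pool, the liveness bit that stands in for KASAN, and the previous ldisc's close() that frees its data but leaves tty->disc_data dangling are all assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X25_ASY_MAGIC 0x5EF1   /* hypothetical magic value for this model */
#define POOL_SIZE 2

struct tty_struct { void *disc_data; };
struct x25_asy { int magic; int channel; };

/* Simulated slab: freed objects keep their old contents (as real slab
 * memory can), and a liveness bit lets open() record a stale read the way
 * KASAN did, without actually dereferencing freed memory. */
static struct x25_asy pool[POOL_SIZE];
static bool live[POOL_SIZE];
int stale_reads;   /* how many times open() dereferenced a freed object */

static struct x25_asy *model_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (!live[i]) {
			live[i] = true;
			pool[i].channel = i;
			return &pool[i];
		}
	}
	return NULL;
}

static void model_free(struct x25_asy *sl)
{
	live[sl - pool] = false;   /* contents deliberately left in place */
}

static bool model_is_live(const struct x25_asy *sl)
{
	return sl >= pool && sl < pool + POOL_SIZE && live[sl - pool];
}

/* Pre-patch shape of x25_asy_open_tty(): trusts tty->disc_data on entry. */
static int open_tty_buggy(struct tty_struct *tty)
{
	struct x25_asy *sl = tty->disc_data;

	if (sl && !model_is_live(sl))
		stale_reads++;                  /* the read KASAN reported */
	if (sl && sl->magic == X25_ASY_MAGIC)
		return -EEXIST;                 /* stale magic still matches */
	sl = model_alloc();
	if (sl == NULL)
		return -ENOMEM;
	sl->magic = X25_ASY_MAGIC;
	tty->disc_data = sl;
	return 0;
}

/* Post-patch shape: disc_data is ignored on entry and set only after alloc. */
static int open_tty_fixed(struct tty_struct *tty)
{
	struct x25_asy *sl = model_alloc();

	if (sl == NULL)
		return -ENOMEM;
	sl->magic = X25_ASY_MAGIC;
	tty->disc_data = sl;
	return 0;
}

/* Model of the previous ldisc's close(): frees its private data but leaves
 * tty->disc_data pointing at it, the condition the report describes
 * (an assumption of this model, not a claim about any particular ldisc). */
static void close_tty_leaving_dangling(struct tty_struct *tty)
{
	model_free(tty->disc_data);
}

/* Open a previous instance, close it, then open again through open_fn. */
int run_scenario(int (*open_fn)(struct tty_struct *))
{
	struct tty_struct tty = { .disc_data = NULL };

	memset(live, 0, sizeof live);
	stale_reads = 0;
	if (open_tty_fixed(&tty) != 0)
		return -1;
	close_tty_leaving_dangling(&tty);
	return open_fn(&tty);
}

int main(void)
{
	int rc = run_scenario(open_tty_buggy);
	printf("buggy open: rc=%d stale_reads=%d\n", rc, stale_reads);
	rc = run_scenario(open_tty_fixed);
	printf("fixed open: rc=%d stale_reads=%d\n", rc, stale_reads);
	return 0;
}
```

Build with `cc -std=c99 model.c`. The pre-patch variant reads the freed object (stale_reads becomes 1) and, because the slab still holds the old magic, wrongly refuses the open with -EEXIST; the post-patch variant never looks at disc_data before allocating, so it succeeds and the counter stays at 0. Real memory could equally have been reused, so the buggy branch's result is arbitrary rather than merely wrong.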