From patchwork Mon Jul 13 16:00:05 2009
X-Patchwork-Submitter: Lothar Waßmann
X-Patchwork-Id: 29739
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <19035.23045.386506.297464@ipc1.ka-ro>
Date: Mon, 13 Jul 2009 18:00:05 +0200
From: Lothar Waßmann
To: Herbert Xu
Cc: davem@davemloft.net, netdev@vger.kernel.org, urs.thuermann@volkswagen.de, oliver.hartkopp@volkswagen.de
Subject: Re: use after free bug in socket code
In-Reply-To: <20090709154533.GA27413@gondor.apana.org.au>
References: <19028.16049.907160.45293@ipc1.ka-ro> <20090709154533.GA27413@gondor.apana.org.au>
X-Mailing-List: netdev@vger.kernel.org

Hi,

Herbert Xu writes:
> Lothar Waßmann wrote:
> >
> > So, could you point me to the place where the reference count of the
> > socket object is being incremented when a struct sock is associated
> > with it?
>
> It's implicit. Anyway, you should remodel your release function
> on a working protocol.
>
OK. I checked the release functions of the can raw and bcm protocols and
found that they obviously are the culprits since they lack the call to
sock_orphan that other network protocol drivers have:

Could one of the CAN folks comment on this?

Best regards,
Lothar Waßmann

diff -ur linux-2.6.30/net/can/bcm.c linux-2.6.30-karo/net/can/bcm.c --- linux-2.6.30/net/can/bcm.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/bcm.c 2009-07-12 20:12:38.000000000 +0200 @@ -1469,6 +1469,9 @@ bo->ifindex = 0; } + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk); diff -ur linux-2.6.30/net/can/raw.c linux-2.6.30-karo/net/can/raw.c --- linux-2.6.30/net/can/raw.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/raw.c 2009-07-12 20:12:29.000000000 +0200 @@ -306,6 +306,9 @@ ro->bound = 0; ro->count = 0; + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk);
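Review bot: in the bcm.c hunk the placement of the new `sock_orphan(sk);` is the right one: it runs inside the locked region, before `release_sock(sk);`, so the sock is flagged dead and the sk->sk_socket back-pointer is cleared while no other path can race on the socket, and the `sock->sk = NULL;` that follows is what stops the generic socket layer from touching a struct sock that the `sock_put(sk);` two lines later may already have freed. Please keep that ordering if the patch is reworked; moving the orphan after release_sock() would reopen the window the parent thread describes.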
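Review bot: the raw.c hunk is the same three lines at the same point of the release path, so the same ordering argument applies, but the submission itself is missing what it needs to be merged: there is no changelog saying that this closes the use-after-free from the parent thread, no Signed-off-by, and the diff is a `diff -ur` against a 2.6.30 tarball with filesystem timestamps in the `---`/`+++` headers rather than a git-generated patch against the net tree. Resend as a proper patch with that description, and since both release functions now carry an identical orphan/NULL/release/put sequence, a one-line comment at each site explaining why sock_orphan() must come before sock_put() would help the next person who edits only one of them.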