From patchwork Wed Jan 17 22:25:55 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1887644
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L/M][PATCH 1/1] net/rose: Fix Use-After-Free in rose_ioctl
Date: Wed, 17 Jan 2024 17:25:55 -0500
Message-Id: <20240117222555.51460-2-yuxuan.luo@canonical.com>
In-Reply-To: <20240117222555.51460-1-yuxuan.luo@canonical.com>
References: <20240117222555.51460-1-yuxuan.luo@canonical.com>

From: Hyunwoo Kim

Because rose_ioctl() accesses sk->sk_receive_queue without holding a
sk->sk_receive_queue.lock, it can cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.

```
rose_ioctl()
-> skb_peek()

rose_accept()
-> skb_dequeue()
-> kfree_skb()
```

Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni
(cherry picked from commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53)
CVE-2023-51782
Signed-off-by: Yuxuan Luo
---
 net/rose/af_rose.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 6fb158172ddc2..fc9ef08788f73 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1285,9 +1285,11 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) case TIOCINQ: { struct sk_buff *skb; long amount = 0L; - /* These two are safe on a single CPU system as only user tasks fiddle here */ + + spin_lock_irq(&sk->sk_receive_queue.lock); if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) amount = skb->len; + spin_unlock_irq(&sk->sk_receive_queue.lock); return put_user(amount, (unsigned int __user *) argp); }
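Review bot: The critical section is scoped correctly in the TIOCINQ hunk: the lock covers both skb_peek() and the `amount = skb->len` read, and `put_user()` stays outside it, which it must, since writing to the user pointer can fault and that cannot happen with interrupts disabled under a spinlock. Using spin_lock_irq() rather than spin_lock_irqsave() relies on rose_ioctl() being entered from process context with interrupts enabled, which is the case for an ioctl handler, so the unconditional re-enable in spin_unlock_irq() is safe. Dropping the "safe on a single CPU system" comment rather than rewording it is right, since that comment was the stale assumption behind the race. Worth spelling out in the SRU description: nothing is done with the skb pointer after spin_unlock_irq(); only the copied length leaves the critical section, so the fix does not need to hold a reference to the skb.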
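As an added example, not part of the patch, the kernel, or the submitter's message: a small user-space C model of the interleaving the commit message describes, with the pre-fix and post-fix TIOCINQ paths side by side. The `rcv_queue`, `skb`, `queue_lock`/`queue_trylock` and `accept_model` names are this model's own stand-ins for sk->sk_receive_queue, struct sk_buff, sk_receive_queue.lock and rose_accept(); the lock is a flag rather than a spinlock, and "freeing" poisons the length instead of calling free() so that the stale read remains defined behaviour and shows up as a recognisable value. The `other` hook marks the point where the accept path can run between the peek and the read of skb->len.

```c
#include <stddef.h>
#include <stdio.h>

/* Value a "freed" skb's len reads as in this model (constructed poison). */
#define SKB_POISON 0xdeadL

/* Stand-in for struct sk_buff: only the fields the TIOCINQ path touches. */
struct skb {
    struct skb *next;
    long len;
};

/* Stand-in for sk->sk_receive_queue, with .lock modelled as a flag. */
struct rcv_queue {
    int lock_held;      /* 1 while the modelled spin_lock_irq() is in effect */
    struct skb *head;
};

static void queue_lock(struct rcv_queue *q)   { q->lock_held = 1; }
static void queue_unlock(struct rcv_queue *q) { q->lock_held = 0; }

/* Returns 1 and takes the lock if it is free; 0 if another path holds it. */
static int queue_trylock(struct rcv_queue *q) {
    if (q->lock_held) return 0;
    q->lock_held = 1;
    return 1;
}

/* skb_peek(): first skb without removing it; does no locking of its own. */
static struct skb *skb_peek_model(struct rcv_queue *q) { return q->head; }

/* skb_dequeue() body: caller must hold the queue lock. */
static struct skb *dequeue_locked(struct rcv_queue *q) {
    struct skb *s = q->head;
    if (s) q->head = s->next;
    return s;
}

/* kfree_skb(): poison instead of free() so a use-after-free is visible. */
static void kfree_skb_model(struct skb *s) { s->len = SKB_POISON; s->next = NULL; }

/* The rose_accept() side: lock, dequeue, unlock, free. trylock keeps the
 * model single-threaded: if the ioctl path holds the lock, accept cannot make
 * progress here, just as it would spin on the real lock. Returns 1 if freed. */
static int accept_model(struct rcv_queue *q) {
    struct skb *s;
    if (!queue_trylock(q))
        return 0;
    s = dequeue_locked(q);
    queue_unlock(q);
    if (s) kfree_skb_model(s);
    return s != NULL;
}

/* Pre-fix TIOCINQ: peek without the lock; `other` runs between the peek and
 * the read of skb->len, which is where rose_accept() can free the skb. */
static long tiocinq_unlocked(struct rcv_queue *q, int (*other)(struct rcv_queue *)) {
    long amount = 0L;
    struct skb *skb = skb_peek_model(q);
    other(q);
    if (skb != NULL)
        amount = skb->len;      /* reads a freed skb if accept ran */
    return amount;
}

/* Post-fix TIOCINQ: the peek and the len read sit under the queue lock, so
 * accept cannot dequeue the skb in between, even at the same `other` point. */
static long tiocinq_locked(struct rcv_queue *q, int (*other)(struct rcv_queue *)) {
    long amount = 0L;
    struct skb *skb;
    queue_lock(q);
    skb = skb_peek_model(q);
    other(q);
    if (skb != NULL)
        amount = skb->len;
    queue_unlock(q);
    return amount;
}

/* Fresh queue holding one constructed 42-byte skb. */
static void init_queue(struct rcv_queue *q, struct skb *s) {
    q->lock_held = 0;
    s->next = NULL;
    s->len = 42;
    q->head = s;
}

long run_unlocked(void) {
    struct rcv_queue q; struct skb s;
    init_queue(&q, &s);
    return tiocinq_unlocked(&q, accept_model);   /* returns 0xdead: stale length */
}

long run_locked(void) {
    struct rcv_queue q; struct skb s;
    init_queue(&q, &s);
    return tiocinq_locked(&q, accept_model);     /* returns 42: correct length */
}

/* Once the locked ioctl releases the lock, accept proceeds and empties the queue. */
int run_locked_then_accept(void) {
    struct rcv_queue q; struct skb s;
    init_queue(&q, &s);
    tiocinq_locked(&q, accept_model);
    return accept_model(&q) && q.head == NULL;
}

int main(void) {
    printf("unlocked TIOCINQ reported %ld\n", run_unlocked());
    printf("locked   TIOCINQ reported %ld\n", run_locked());
    return 0;
}
```

The model deliberately puts the accept hook at the same program point in both versions: the only thing that differs is whether the queue lock is held there, which is exactly what the patch changes. In the unlocked version the accept path wins the lock, dequeues and frees, and the ioctl then reports the poisoned length; in the locked version the accept path cannot take the lock until the ioctl has finished with the skb.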