tipc: add an extra conn_get in tipc_conn_alloc

from stable-v4.19.268 commit f46826a6fce33c3549332c3eb1fbf615dc79be18 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NCRH CVE: CVE-2023-1382 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f46826a6fce33c3549332c3eb1fbf615dc79be18 -------------------------------- [ Upstream commit a7b42969 ] One extra conn_get() is needed in tipc_conn_alloc(), as after tipc_conn_alloc() is called, tipc_conn_close() may free this con before deferencing it in tipc_topsrv_accept(): tipc_conn_alloc(); newsk = newsock->sk; <---- tipc_conn_close(); write_lock_bh(&sk->sk_callback_lock); newsk->sk_data_ready = tipc_conn_data_ready; Then an uaf issue can be triggered: BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc] Call Trace: <TASK> dump_stack_lvl+0x33/0x46 print_report+0x178/0x4b0 kasan_report+0x8c/0x100 kasan_check_range+0x179/0x1e0 tipc_topsrv_accept+0x1e7/0x370 [tipc] process_one_work+0x6a3/0x1030 worker_thread+0x8a/0xdf0 This patch fixes it by holding it in tipc_conn_alloc(), then after all accessing in tipc_topsrv_accept() releasing it. Note when does this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns 0 or -1 only, we don't need to check for "> 0". Fixes: c5fa7b3c ("tipc: introduce new TIPC server infrastructure") Signed-off-by: N Xin Long <lucien.xin@gmail.com> Acked-by: N Jon Maloy <jmaloy@redhat.com> Signed-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Lu Wei <luwei32@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

tipc: add an extra conn_get in tipc_conn_alloc
from stable-v4.19.268 commit f46826a6fce33c3549332c3eb1fbf615dc79be18 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NCRH CVE: CVE-2023-1382 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f46826a6fce33c3549332c3eb1fbf615dc79be18 -------------------------------- [ Upstream commit a7b42969 ] One extra conn_get() is needed in tipc_conn_alloc(), as after tipc_conn_alloc() is called, tipc_conn_close() may free this con before deferencing it in tipc_topsrv_accept(): tipc_conn_alloc(); newsk = newsock->sk; <---- tipc_conn_close(); write_lock_bh(&sk->sk_callback_lock); newsk->sk_data_ready = tipc_conn_data_ready; Then an uaf issue can be triggered: BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc] Call Trace: <TASK> dump_stack_lvl+0x33/0x46 print_report+0x178/0x4b0 kasan_report+0x8c/0x100 kasan_check_range+0x179/0x1e0 tipc_topsrv_accept+0x1e7/0x370 [tipc] process_one_work+0x6a3/0x1030 worker_thread+0x8a/0xdf0 This patch fixes it by holding it in tipc_conn_alloc(), then after all accessing in tipc_topsrv_accept() releasing it. Note when does this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns 0 or -1 only, we don't need to check for "> 0". Fixes: c5fa7b3c ("tipc: introduce new TIPC server infrastructure") Signed-off-by: N Xin Long <lucien.xin@gmail.com> Acked-by: N Jon Maloy <jmaloy@redhat.com> Signed-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Lu Wei <luwei32@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
338a985a · Xin Long · Yongqiang Liu · 30b75522 · 338a985a
显示空白变更内容
内联并排

Showing with 6 addition and 3 deletion

net/tipc/topsrv.c net/tipc/topsrv.c +6 -3

未找到文件。
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -214,6 +214,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s
 	set_bit(CF_CONNECTED, &con->flags);
 	con->server = s;
 	con->sock = sock;
+	conn_get(con);
 	spin_unlock_bh(&s->idr_lock);

 	return con;
@@ -484,6 +485,7 @@ static void tipc_topsrv_accept(struct work_struct *work)

 		/* Wake up receive process in case of 'SYN+' message */
 		newsk->sk_data_ready(newsk);
+		conn_put(con);
 	}
 }

@@ -583,10 +585,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,

 	*conid = con->conid;
 	rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
-	if (rc >= 0)
-		return true;
+	if (rc)
 		conn_put(con);
-	return false;
+
+	conn_put(con);
+	return !rc;
 }

 void tipc_topsrv_kern_unsubscr(struct net *net, int conid)