From 3b27c80a0039e39fc5a8a196291fd9d811ea0836 Mon Sep 17 00:00:00 2001 From: Xiaoming Ni Date: Sun, 25 Apr 2021 15:31:55 +0800 Subject: [PATCH] nfc: Avoid endless loops caused by repeated llcp_sock_connect() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stable inclusion from linux-4.19.187 commit eab391e0766ed88262160b14bb7131f331f6af1a CVE: CVE-2020-25673 Fix the problem that eventually hanging-up the system. -------------------------------- commit 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 upstream. When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. sk->sk_node->next will point to itself, that will make an endless loop and hang-up the system. To fix it, check whether sk->sk_state is LLCP_CONNECTING in llcp_sock_connect() to avoid repeated invoking. Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") Reported-by: "kiyin(尹亮)" Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: #v3.11 Signed-off-by: Xiaoming Ni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Yang Yingliang Reviewed-by: Xiu Jianfeng Reviewed-by: Yue Haibing Signed-off-by: Yang Yingliang --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index a572ce2edb14..bc269e83e1e5 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -685,6 +685,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, ret = -EISCONN; goto error; } + if (sk->sk_state == LLCP_CONNECTING) { + ret = -EINPROGRESS; + goto error; + } dev = nfc_get_device(addr->dev_idx); if (dev == NULL) { -- GitLab