diff options
| author | Eric Biggers <ebiggers@google.com> | 2019-02-21 14:13:56 -0800 |
|---|---|---|
| committer | Todd Kjos <tkjos@google.com> | 2019-03-27 22:39:01 +0000 |
| commit | 9e6526c9a1430f4e5d7ae6f43457fa0558426f13 (patch) | |
| tree | d1c51cd23325d2c933543fbbf9b71db7f1de7db7 /net/socket.c | |
| parent | 0c3b8c486664f17433d3cfef9207847255990db6 (diff) | |
UPSTREAM: net: socket: set sock->sk to NULL after calling proto_ops::release()
Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.")
fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
closed concurrently with fchownat(). However, it ignored that many
other proto_ops::release() methods don't set sock->sk to NULL and
therefore allow the same use-after-free:
- base_sock_release
- bnep_sock_release
- cmtp_sock_release
- data_sock_release
- dn_release
- hci_sock_release
- hidp_sock_release
- iucv_sock_release
- l2cap_sock_release
- llcp_sock_release
- llc_ui_release
- rawsock_release
- rfcomm_sock_release
- sco_sock_release
- svc_release
- vcc_release
- x25_release
Rather than fixing all these and relying on every socket type to get
this right forever, just make __sock_release() set sock->sk to NULL
itself after calling proto_ops::release().
Reproducer that produces the KASAN splat when any of these socket types
are configured into the kernel:
#include <pthread.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
pthread_t t;
volatile int fd;
void *close_thread(void *arg)
{
for (;;) {
usleep(rand() % 100);
close(fd);
}
}
int main()
{
pthread_create(&t, NULL, close_thread, NULL);
for (;;) {
fd = socket(rand() % 50, rand() % 11, 0);
fchownat(fd, "", 1000, 1000, 0x1000);
close(fd);
}
}
Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ff7b11aa481f682e0e9711abfeb7d03f5cd612bf)
Bug: 125367761
Test: used reproducer above
Change-Id: Ied4bbca5c7eb80c201fec6e0aabc95c24acc1b59
Signed-off-by: Eric Biggers <ebiggers@google.com>
Diffstat (limited to 'net/socket.c')
| -rw-r--r-- | net/socket.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c index f14e6e2e08ea..6412baf4da27 100644 --- a/net/socket.c +++ b/net/socket.c @@ -578,6 +578,7 @@ static void __sock_release(struct socket *sock, struct inode *inode) if (inode) inode_lock(inode); sock->ops->release(sock); + sock->sk = NULL; if (inode) inode_unlock(inode); sock->ops = NULL; |