iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet f3969427fb af_unix: fix struct pid leaks in OOB support 
[ Upstream commit 2aab4b96900272885bc157f8b236abf1cdc02e08 ]

syzbot reported struct pid leak [1].

Issue is that queue_oob() calls maybe_add_creds() which potentially
holds a reference on a pid.

But skb->destructor is not set (either directly or by calling
unix_scm_to_skb())

This means that subsequent kfree_skb() or consume_skb() would leak
this reference.

In this fix, I chose to fully support scm even for the OOB message.

[1]
BUG: memory leak
unreferenced object 0xffff8881053e7f80 (size 128):
comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
[<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
[<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
[<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
[<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 314001f0bf92 ("af_unix: Add OOB support")
Reported-by: syzbot+7699d9e5635c10253a27@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rao Shoaib <rao.shoaib@oracle.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230307164530.771896-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-17 08:48:57 +01:00
..
6lowpan
9p
9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
2023-03-11 13:57:29 +01:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2022-12-31 13:14:42 +01:00
8021q
net: use eth_hw_addr_set() instead of ether_addr_copy()
2022-08-31 17:16:37 +02:00
appletalk
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-29 10:12:55 +02:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:22:01 +02:00
batman-adv
batman-adv: Use netif_rx_any_context() any.
2022-07-29 17:25:07 +02:00
bluetooth
Bluetooth: hci_sock: purge socket queues in the destruct() callback
2023-03-11 13:57:39 +01:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2022-12-31 13:14:11 +01:00
bpfilter
bridge
netfilter: ebtables: fix table blob use-after-free
2023-03-11 13:57:28 +01:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:48:54 +01:00
can
can: j1939: do not wait 250 ms if the same addr was already claimed
2023-02-14 19:17:57 +01:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:57:28 +02:00
core
net: fix __dev_kfree_skb_any() vs drop monitor
2023-03-11 13:57:28 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:12:52 +01:00
dccp
dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
2023-02-22 12:57:08 +01:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-03 12:03:51 +02:00
dns_resolver
dsa
net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path
2022-12-31 13:14:21 +01:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:22:41 +01:00
hsr
hsr: Synchronize sequence number updates.
2022-12-31 13:14:15 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:59:14 +09:00
ife
ipv4
netfilter: tproxy: fix deadlock due to missing BH disable
2023-03-17 08:48:55 +01:00
ipv6
netfilter: tproxy: fix deadlock due to missing BH disable
2023-03-17 08:48:55 +01:00
iucv
net/iucv: Replace deprecated CPU-hotplug functions.
2021-08-09 10:13:32 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-26 09:24:50 +01:00
key
xfrm: Fix oops in __xfrm_state_delete()
2022-12-02 17:41:06 +01:00
l2tp
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
2023-03-10 09:39:18 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 14:38:53 +02:00
lapb
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:58:46 +02:00
mac80211
wifi: mac80211: make rate u32 in sta_set_rate_info_rx()
2023-03-10 09:39:18 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:37:25 +01:00
mctp
net: mctp: purge receive queues on sk destruction
2023-02-06 07:59:02 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:57:09 +01:00
mptcp
mptcp: do not wait for bare sockets' timeout
2023-02-22 12:57:05 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:42:37 +01:00
netfilter
netfilter: conntrack: adopt safer max chain length
2023-03-17 08:48:56 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 20:59:10 +02:00
netlink
netlink: annotate data races around sk_state
2023-02-01 08:27:27 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-09 11:26:36 +01:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:48:49 +01:00
nsh
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:57:09 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-12 11:58:49 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:35:16 +01:00
psample
qrtr
net: qrtr: free memory on error path in radix_tree_insert()
2023-02-09 11:26:41 +01:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-10 09:39:16 +01:00
rfkill
rfkill: make new event layout opt-in
2022-04-08 14:23:00 +02:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:57:02 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2022-12-31 13:14:39 +01:00
sched
net/sched: act_sample: fix action bind logic
2023-03-11 13:57:30 +01:00
sctp
sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
2023-03-11 13:57:28 +01:00
smc
net/smc: fix fallback failed while sendmsg with fastopen
2023-03-17 08:48:56 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 19:17:11 +01:00
sunrpc
SUNRPC: Fix a server shutdown leak
2023-03-17 08:48:57 +01:00
switchdev
tipc
tipc: fix unexpected link reset due to discovery messages
2023-01-18 11:48:54 +01:00
tls
net: tls: avoid hanging tasks on the tx_lock
2023-03-11 13:57:39 +01:00
unix
af_unix: fix struct pid leaks in OOB support
2023-03-17 08:48:57 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2022-12-31 13:14:18 +01:00
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:20:37 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-09 11:26:40 +01:00
xdp
xsk: Fix backpressure mechanism on Tx
2022-10-26 12:34:40 +02:00
xfrm
Fix XFRM-I support for nested ESP tunnels
2023-03-03 11:45:51 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-08-31 17:16:45 +02:00
sysctl_net.c