iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Ziyang Xuan d9d52a3ebd can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv 
It will trigger UAF for rx_kref of j1939_priv as following.

        cpu0                                    cpu1
j1939_sk_bind(socket0, ndev0, ...)
j1939_netdev_start
                                        j1939_sk_bind(socket1, ndev0, ...)
                                        j1939_netdev_start
j1939_priv_set
                                        j1939_priv_get_by_ndev_locked
j1939_jsk_add
.....
j1939_netdev_stop
kref_put_lock(&priv->rx_kref, ...)
                                        kref_get(&priv->rx_kref, ...)
                                        REFCOUNT_WARN("addition on 0;...")

====================================================
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
RIP: 0010:refcount_warn_saturate+0x169/0x1e0
Call Trace:
 j1939_netdev_start+0x68b/0x920
 j1939_sk_bind+0x426/0xeb0
 ? security_socket_bind+0x83/0xb0

The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
protect.

Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2021-10-17 14:12:56 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-07-22 16:19:03 +02:00
9p
net/9p: increase default msize to 128k
2021-09-05 08:36:44 +09:00
802
net: 802: remove dead leftover after ipx driver removal
2021-08-13 16:30:35 -07:00
8021q
dev_ioctl: split out ndo_eth_ioctl
2021-07-27 20:11:45 +01:00
appletalk
net: socket: rework compat_ifreq_ioctl()
2021-07-23 14:20:25 +01:00
atm
atm: Use list_for_each_entry() to simplify code in resources.c
2021-06-10 14:08:09 -07:00
ax25
ax25: use skb_expand_head
2021-08-03 11:21:39 +01:00
batman-adv
Kbuild updates for v5.15
2021-09-03 15:33:47 -07:00
bluetooth
TTY / Serial patches for 5.15-rc1
2021-09-01 09:51:16 -07:00
bpf
bpf, test, cgroup: Use sk_{alloc,free} for test cases
2021-09-28 09:29:28 +02:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-06-25 13:13:50 +02:00
bridge
net: bridge: mcast: use multicast_membership_interval for IGMPv3
2021-10-16 15:05:58 +01:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-14 12:51:15 +01:00
can
can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
2021-10-17 14:12:56 +02:00
ceph
Networking changes for 5.14.
2021-06-30 15:51:09 -07:00
core
Revert "net: procfs: add seq_puts() statement for dev_mcast"
2021-10-13 17:24:38 -07:00
dcb
net: dcb: Return the correct errno code
2021-06-01 17:01:33 -07:00
dccp
dccp: don't duplicate ccid when cloning dccp sock
2021-09-08 11:28:35 +01:00
decnet
net: Remove redundant if statements
2021-08-05 13:27:50 +01:00
dns_resolver
net: remove redundant 'depends on NET'
2021-01-27 17:04:12 -08:00
dsa
net: dsa: tag_ocelot_8021q: fix inability to inject STP BPDUs into BLOCKING ports
2021-10-12 17:35:19 -07:00
ethernet
move netdev_boot_setup into Space.c
2021-08-03 13:05:26 +01:00
ethtool
ethtool: extend coalesce setting uAPI with CQE mode
2021-08-24 07:38:29 -07:00
hsr
net: hsr: don't check sequence number if tag removal is offloaded
2021-06-16 12:13:01 -07:00
ieee802154
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2021-08-13 06:41:22 -07:00
ife
net: remove redundant 'depends on NET'
2021-01-27 17:04:12 -08:00
ipv4
tcp: md5: Allow MD5SIG_FLAG_IFINDEX with ifindex=0
2021-10-15 14:36:57 +01:00
ipv6
ipv6: When forwarding count rx stats on the orig netdev
2021-10-15 15:32:04 -07:00
iucv
net/iucv: Replace deprecated CPU-hotplug functions.
2021-08-09 10:13:32 +01:00
kcm
net: sock: introduce sk_error_report
2021-06-29 11:28:21 -07:00
key
net: Remove unnecessary variables
2021-05-26 07:03:39 +02:00
l2tp
net/l2tp: Fix reference count leak in l2tp_udp_recv_core
2021-09-09 11:00:20 +01:00
l3mdev
l3mdev: Correct function names in the kerneldoc comments
2021-03-28 17:56:55 -07:00
lapb
net: lapb: Use list_for_each_entry() to simplify code in lapb_iface.c
2021-06-08 16:31:25 -07:00
llc
net: Remove redundant if statements
2021-08-05 13:27:50 +01:00
mac80211
mac80211: check return value of rhashtable_init
2021-09-27 12:00:34 +02:00
mac802154
ieee802154: Remove redundant initialization of variable ret
2021-09-07 14:06:08 +01:00
mctp
mctp: perform route destruction under RCU read lock
2021-09-08 11:29:16 +01:00
mpls
mpls: defer ttl decrement in mpls_forward()
2021-07-23 17:17:56 +01:00
mptcp
mptcp: fix possible stall on recvmsg()
2021-10-08 14:55:54 +01:00
ncsi
net/ncsi: add get MAC address command to get Intel i210 MAC address
2021-09-01 17:18:56 -07:00
netfilter
netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification
2021-10-02 12:00:17 +02:00
netlabel
net: fix NULL pointer reference in cipso_v4_doi_free
2021-08-30 12:23:18 +01:00
netlink
netlink: annotate data races around nlk->bound
2021-10-05 13:11:09 +01:00
netrom
net: Remove redundant if statements
2021-08-05 13:27:50 +01:00
nfc
NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
2021-10-13 17:44:29 -07:00
nsh
openvswitch
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2021-08-19 18:09:18 -07:00
packet
net/packet: clarify source of pr_*() messages
2021-09-10 10:00:59 +01:00
phonet
net: Remove redundant if statements
2021-08-05 13:27:50 +01:00
psample
psample: Add additional metadata attributes
2021-03-14 15:00:43 -07:00
qrtr
net: qrtr: revert check in qrtr_endpoint_post()
2021-09-02 11:37:02 +01:00
rds
net/rds: dma_map_sg is entitled to merge entries
2021-08-18 15:35:50 -07:00
rfkill
Another set of updates, all over the map:
2021-04-20 16:44:04 -07:00
rose
net: rose: Fix fall-through warnings for Clang
2021-03-10 12:45:15 -08:00
rxrpc
net: RxRPC: make dependent Kconfig symbols be shown indented
2021-08-18 10:12:11 +01:00
sched
mqprio: Correct stats in mqprio_dump_class_stats().
2021-10-08 16:27:22 -07:00
sctp
sctp: account stream padding length for reconf chunk
2021-10-14 07:15:22 -07:00
smc
net/smc: improved fix wait on already cleared link
2021-10-08 17:00:16 +01:00
strparser
net: sock: introduce sk_error_report
2021-06-29 11:28:21 -07:00
sunrpc
Bug fixes for NFSD error handling paths
2021-10-07 14:11:40 -07:00
switchdev
net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge
2021-08-04 12:35:07 +01:00
tipc
tipc: increase timeout in tipc_sk_enqueue()
2021-09-13 12:43:10 +01:00
tls
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2021-06-29 15:45:27 -07:00
unix
af_unix: Rename UNIX-DGRAM to UNIX to maintain backwards compatability
2021-10-12 11:16:49 +01:00
vmw_vsock
af_vsock: rename variables in receive loop
2021-09-06 02:25:16 -04:00
wireless
cfg80211: use wiphy DFS domain if it is self-managed
2021-08-26 11:04:55 +02:00
x25
net: x25: Use list_for_each_entry() to simplify code in x25_route.c
2021-06-10 14:08:09 -07:00
xdp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2021-06-29 15:45:27 -07:00
xfrm
xfrm: fix rcu lock in xfrm_notify_userpolicy()
2021-09-23 10:11:12 +02:00
compat.c
net: Return the correct errno code
2021-06-03 15:13:56 -07:00
devres.c
net: devres: Correct a grammatical error
2021-06-11 12:55:28 -07:00
Kconfig
mctp: Add MCTP base
2021-07-29 15:06:49 +01:00
Makefile
mctp: Add MCTP base
2021-07-29 15:06:49 +01:00
socket.c
Core:
2021-08-31 16:43:06 -07:00
sysctl_net.c
net: Ensure net namespace isolation of sysctls
2021-04-12 13:27:11 -07:00