android_kernel_motorola_sm6225/net
Zhengchao Shao 5a2ea549be net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
[ Upstream commit d266935ac43d57586e311a087510fe6a084af742 ]

When the ops_init() interface is invoked to initialize the net, but
ops->init() fails, data is released. However, the ptr pointer in
net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked
to release the net, invalid address access occurs.

The process is as follows:
setup_net()
	ops_init()
		data = kzalloc(...)   ---> alloc "data"
		net_assign_generic()  ---> assign "data" to ptr in net->gen
		...
		ops->init()           ---> failed
		...
		kfree(data);          ---> ptr in net->gen is invalid
	...
	ops_exit_list()
		...
		nfqnl_nf_hook_drop()
			*q = nfnl_queue_pernet(net) ---> q is invalid

The following is the Call Trace information:
BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280
Read of size 8 at addr ffff88810396b240 by task ip/15855
Call Trace:
<TASK>
dump_stack_lvl+0x8e/0xd1
print_report+0x155/0x454
kasan_report+0xba/0x1f0
nfqnl_nf_hook_drop+0x264/0x280
nf_queue_nf_hook_drop+0x8b/0x1b0
__nf_unregister_net_hook+0x1ae/0x5a0
nf_unregister_net_hooks+0xde/0x130
ops_exit_list+0xb0/0x170
setup_net+0x7ac/0xbd0
copy_net_ns+0x2e6/0x6b0
create_new_namespaces+0x382/0xa50
unshare_nsproxy_namespaces+0xa6/0x1c0
ksys_unshare+0x3a4/0x7e0
__x64_sys_unshare+0x2d/0x40
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>

Allocated by task 15855:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0xa1/0xb0
__kmalloc+0x49/0xb0
ops_init+0xe7/0x410
setup_net+0x5aa/0xbd0
copy_net_ns+0x2e6/0x6b0
create_new_namespaces+0x382/0xa50
unshare_nsproxy_namespaces+0xa6/0x1c0
ksys_unshare+0x3a4/0x7e0
__x64_sys_unshare+0x2d/0x40
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 15855:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x155/0x1b0
slab_free_freelist_hook+0x11b/0x220
__kmem_cache_free+0xa4/0x360
ops_init+0xb9/0x410
setup_net+0x5aa/0xbd0
copy_net_ns+0x2e6/0x6b0
create_new_namespaces+0x382/0xa50
unshare_nsproxy_namespaces+0xa6/0x1c0
ksys_unshare+0x3a4/0x7e0
__x64_sys_unshare+0x2d/0x40
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Fixes: f875bae065 ("net: Automatically allocate per namespace data.")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-11-03 23:52:31 +09:00
6lowpan
9p net/9p: Initialize the iounit field during fid creation 2022-08-25 11:15:32 +02:00
802 net/802/garp: fix memleak in garp_request_join() 2021-07-31 08:22:37 +02:00
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 14:04:19 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 12:48:49 +02:00
atm net/atm: fix proc_mpc_write incorrect return value 2022-11-03 23:52:26 +09:00
ax25 ax25: Fix UAF bugs in ax25 timers 2022-04-27 13:39:46 +02:00
batman-adv batman-adv: Don't skb_split skbuffs with frag_list 2022-05-18 09:42:47 +02:00
bluetooth Bluetooth: L2CAP: Fix user-after-free 2022-10-26 13:19:38 +02:00
bpf
bpfilter
bridge netfilter: ebtables: fix memory leak when blob is malformed 2022-09-28 11:02:56 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 11:48:11 +02:00
can can: bcm: check the result of can_send() in bcm_can_tx() 2022-10-26 13:19:37 +02:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:08:53 +01:00
core net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed 2022-11-03 23:52:31 +09:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-08 19:04:10 +01:00
dccp dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock 2022-08-25 11:15:13 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 11:13:48 +02:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:30:24 +02:00
dsa net: dsa: Add missing of_node_put() in dsa_port_parse_of 2022-03-23 09:10:44 +01:00
ethernet
hsr hsr: use netdev_err() instead of WARN_ONCE() 2021-05-22 10:59:24 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-03 23:52:30 +09:00
ife
ipv4 inet: fully convert sk->sk_rx_dst to RCU rules 2022-10-26 13:19:42 +02:00
ipv6 inet: fully convert sk->sk_rx_dst to RCU rules 2022-10-26 13:19:42 +02:00
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:18:52 +01:00
kcm kcm: annotate data-races around kcm->rx_wait 2022-11-03 23:52:31 +09:00
key af_key: Do not call xfrm_probe_algs in parallel 2022-09-05 10:26:29 +02:00
l2tp ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg 2022-06-25 11:49:15 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:21:06 +01:00
llc llc: only change llc->dev when bind() succeeds 2022-03-28 08:41:44 +02:00
mac80211 wifi: mac80211: allow bw change during channel switch in mesh 2022-10-26 13:19:24 +02:00
mac802154 mac802154: Fix LQI recording 2022-11-03 23:52:28 +09:00
mpls net: mpls: Fix notifications when deleting a device 2021-12-08 08:50:13 +01:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:22:35 +02:00
netfilter netfilter: nf_conntrack_irc: Tighten matching on DCC message 2022-09-28 11:02:55 +02:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-22 11:48:09 +02:00
netlink netlink: do not reset transport header in netlink_recvmsg() 2022-05-18 09:42:47 +02:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 11:13:48 +02:00
nfc NFC: NULL out the dev->rfkill to prevent UAF 2022-06-14 16:59:20 +02:00
nsh
openvswitch openvswitch: Fix overreporting of drops in dropwatch 2022-10-26 13:19:36 +02:00
packet net/packet: fix packet_sock xmit return value checking 2022-04-27 13:39:43 +02:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 13:58:50 +01:00
psample
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 09:58:00 +02:00
rds net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() 2022-10-26 13:19:26 +02:00
rfkill
rose rose: check NULL rose_loopback_neigh->loopback 2022-09-05 10:26:29 +02:00
rxrpc rxrpc: Fix local destruction being repeated 2022-09-28 11:02:52 +02:00
sched net: sched: cake: fix null pointer access issue when cake_init() fails 2022-11-03 23:52:26 +09:00
sctp sctp: handle the error returned from sctp_auth_asoc_init_active_key 2022-10-26 13:19:26 +02:00
smc net/smc: Remove redundant refcount increase 2022-09-15 12:17:03 +02:00
strparser
sunrpc SUNRPC: use _bh spinlocking on ->transport_lock 2022-09-15 12:17:06 +02:00
switchdev
tipc tipc: fix a null-ptr-deref in tipc_topsrv_accept 2022-11-03 23:52:30 +09:00
tls net/tls: Fix race in TLS device down flow 2022-07-29 17:10:32 +02:00
unix af_unix: Fix a data-race in unix_dgram_peer_wake_me(). 2022-06-14 16:59:35 +02:00
vmw_vsock vhost/vsock: Use kvmalloc/kvfree for larger packets. 2022-10-26 13:19:26 +02:00
wimax
wireless wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() 2022-09-15 12:17:02 +02:00
x25 net/x25: Fix null-ptr-deref caused by x25_disconnect 2022-04-15 14:14:53 +02:00
xdp xsk: Simplify detection of empty and full rings 2021-05-22 10:59:48 +02:00
xfrm xfrm: Update ipcomp_scratches with NULL when freed 2022-10-26 13:19:37 +02:00
compat.c net: Return the correct errno code 2021-06-30 08:48:13 -04:00
Kconfig
Makefile net: split out functions related to registering inflight socket files 2021-07-31 08:22:37 +02:00
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-09-05 10:26:31 +02:00
sysctl_net.c