asgardius/android_kernel_motorola_sm6225
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_motorola_sm6225/net/tipc
History
Xin Long bd02719fe2 tipc: fix an use-after-free issue in tipc_recvmsg 
commit cc19862ffe454a5b632ca202e5a51bfec9f89fd2 upstream.

syzbot reported an use-after-free crash:

  BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979
  Call Trace:
   tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979
   sock_recvmsg_nosec net/socket.c:943 [inline]
   sock_recvmsg net/socket.c:961 [inline]
   sock_recvmsg+0xca/0x110 net/socket.c:957
   tipc_conn_rcv_from_sock+0x162/0x2f0 net/tipc/topsrv.c:398
   tipc_conn_recv_work+0xeb/0x190 net/tipc/topsrv.c:421
   process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
   worker_thread+0x658/0x11f0 kernel/workqueue.c:2422

As Hoang pointed out, it was caused by skb_cb->bytes_read still accessed
after calling tsk_advance_rx_queue() to free the skb in tipc_recvmsg().

This patch is to fix it by accessing skb_cb->bytes_read earlier than
calling tsk_advance_rx_queue().

Fixes: f4919ff59c28 ("tipc: keep the skb in rcv queue until the whole data is read")
Reported-by: syzbot+e6741b97d5552f97c24d@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-09-22 11:48:10 +02:00
..
addr.c tipc: initialise addr_trail_end when setting node addresses 2019-08-25 10:48:05 +02:00
addr.h tipc: add 128-bit node identifier 2018-03-23 13:12:18 -04:00
bcast.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
bcast.h
bearer.c tipc: fix unique bearer names sanity check 2021-06-10 13:24:05 +02:00
bearer.h tipc: implement configuration of UDP media MTU 2018-04-20 11:04:05 -04:00
core.c tipc: fix use-after-free in tipc_bcast_get_mode 2020-11-10 12:35:53 +01:00
core.h tipc: replace name table service range array with rb tree 2018-03-31 22:19:52 -04:00
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-23 08:17:03 +01:00
discover.h tipc: some cleanups in the file discover.c 2018-03-23 13:12:17 -04:00
eth_media.c
group.c tipc: Fix memory leak in tipc_group_create_member() 2020-09-26 18:01:30 +02:00
group.h tipc: extend sock diag for group communication 2018-06-30 21:05:42 +09:00
ib_media.c
Kconfig tipc: implement socket diagnostics for AF_TIPC 2018-03-22 14:43:35 -04:00
link.c tipc: fix NULL deref in tipc_link_xmit() 2021-01-23 15:49:56 +01:00
link.h tipc: fix failover problem 2018-09-29 11:45:14 -07:00
Makefile tipc: implement socket diagnostics for AF_TIPC 2018-03-22 14:43:35 -04:00
monitor.c tipc: update mon's self addr when node addr generated 2020-01-27 14:49:52 +01:00
monitor.h tipc: update mon's self addr when node addr generated 2020-01-27 14:49:52 +01:00
msg.c tipc: skb_linearize the head skb when reassembling msgs 2021-06-03 08:38:08 +02:00
msg.h tipc: handle collisions of 32-bit node address hash values 2018-03-23 13:12:18 -04:00
name_distr.c tipc: eliminate message disordering during binding table update 2020-01-27 14:50:00 +01:00
name_distr.h tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_table.c tipc: eliminate message disordering during binding table update 2020-01-27 14:50:00 +01:00
name_table.h tipc: eliminate message disordering during binding table update 2020-01-27 14:50:00 +01:00
net.c tipc: update mon's self addr when node addr generated 2020-01-27 14:49:52 +01:00
net.h tipc: fix lockdep warning when reinitilaizing sockets 2018-11-23 08:17:03 +01:00
netlink.c tipc: add missing attribute validation for MTU property 2020-03-18 07:14:18 +01:00
netlink.h
netlink_compat.c tipc: convert dest node's address to network order 2021-05-22 10:59:39 +02:00
node.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
node.h tipc: add sequence number check for link STATE messages 2018-07-11 23:06:14 -07:00
socket.c tipc: fix an use-after-free issue in tipc_recvmsg 2021-09-22 11:48:10 +02:00
socket.h tipc: call start and done ops directly in __tipc_nl_compat_dumpit() 2018-09-06 21:49:18 -07:00
subscr.c tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
subscr.h tipc: fix modprobe tipc failed after switch order of device registration 2019-06-04 08:02:34 +02:00
sysctl.c tipc: set sysctl_tipc_rmem and named_timeout right range 2020-01-27 14:50:39 +01:00
topsrv.c tipc: fix memory leak in tipc_topsrv_start() 2020-11-18 19:18:51 +01:00
topsrv.h tipc: rename tipc_server to tipc_topsrv 2018-02-16 15:26:34 -05:00
udp_media.c net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2020-04-29 16:31:17 +02:00
udp_media.h tipc: implement configuration of UDP media MTU 2018-04-20 11:04:05 -04:00