From patchwork Wed Jul 15 09:10:21 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Lothar Waßmann
X-Patchwork-Id: 29801
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@bilbo.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from ozlabs.org (ozlabs.org [203.10.76.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mx.ozlabs.org", Issuer "CA Cert Signing Authority" (verified OK)) by bilbo.ozlabs.org (Postfix) with ESMTPS id D0405B70BA for ; Wed, 15 Jul 2009 19:10:46 +1000 (EST)
Received: by ozlabs.org (Postfix) id C0188DDDA2; Wed, 15 Jul 2009 19:10:46 +1000 (EST)
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 4C755DDD0C for ; Wed, 15 Jul 2009 19:10:46 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753446AbZGOJKl (ORCPT ); Wed, 15 Jul 2009 05:10:41 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753426AbZGOJKl (ORCPT ); Wed, 15 Jul 2009 05:10:41 -0400
Received: from mail.karo-electronics.de ([81.173.242.67]:65103 "EHLO mail.karo-electronics.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753429AbZGOJKj (ORCPT ); Wed, 15 Jul 2009 05:10:39 -0400
Received: from lothar by ipc1.ka-ro with local (Exim 4.63 #1 (Debian)) id 1MR0VJ-0004Sj-Ks; Wed, 15 Jul 2009 11:10:21 +0200
Message-ID: <19037.40189.520170.8242@ipc1.ka-ro>
Date: Wed, 15 Jul 2009 11:10:21 +0200
From: Lothar Waßmann
To: Wolfgang Grandegger
Cc: Oliver Hartkopp, Herbert Xu, davem@davemloft.net, netdev@vger.kernel.org, urs.thuermann@volkswagen.de, Urs Thuermann
Subject: [PATCH 1/2] net/can bugfix: use after free bug in can protocol drivers
References: <19028.16049.907160.45293@ipc1.ka-ro> <20090709154533.GA27413@gondor.apana.org.au> <19035.23045.386506.297464@ipc1.ka-ro> <4A5B730B.8090902@hartkopp.net> <19036.9400.263297.330963@ipc1.ka-ro> <4A5C990E.3080703@hartkopp.net> <19036.41388.634723.358236@ipc1.ka-ro> <4A5CC626.8020800@grandegger.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Fix a use after free bug in can protocol drivers

The release functions of the can protocol drivers lack a call to sock_orphan() which leads to referencing freed memory under certain circumstances.

This patch fixes a bug reported here:
https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html

Signed-off-by: Lothar Wassmann
Acked-by: Oliver Hartkopp
---
Lothar Waßmann

diff -upr linux-2.6.30/net/can/bcm.c linux-2.6.30-karo/net/can/bcm.c --- linux-2.6.30/net/can/bcm.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/bcm.c 2009-07-14 14:13:01.000000000 +0200 @@ -1469,6 +1469,9 @@ static int bcm_release(struct socket *so bo->ifindex = 0; } + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk); diff -upr linux-2.6.30/net/can/raw.c linux-2.6.30-karo/net/can/raw.c --- linux-2.6.30/net/can/raw.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/raw.c 2009-07-14 14:13:07.000000000 +0200 @@ -306,6 +306,9 @@ static int raw_release(struct socket *so ro->bound = 0; ro->count = 0; + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk);
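
Review bot: In the bcm_release() hunk, the added sock_orphan(sk) and sock->sk = NULL lines carry no comment, and the changelog says only "under certain circumstances" without naming which path still references the sock after release. Please add a sentence to the changelog, or a one-line comment above sock_orphan(sk), that describes the sequence from the linked report, so a later cleanup does not drop these lines as redundant ahead of release_sock(sk) and sock_put(sk).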
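
Review bot: In the raw_release() hunk, setting sock->sk = NULL means any later entry into raw_release() for the same struct socket starts from a NULL sk, and the hunk does not show a guard at the top of the function. Please confirm that the function returns early when sock->sk is NULL, or add that check (the same question applies to bcm_release()); if the second patch of this series covers it, say so in this changelog.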