diff mbox series

[1/1] net: socket: set sock->sk to NULL after calling proto_ops::release()

Message ID 1551266020-2866-2-git-send-email-tyhicks@canonical.com
State New
Headers show
Series CVE-2019-8912 - AF_* use after free | expand

Commit Message

Tyler Hicks Feb. 27, 2019, 11:13 a.m. UTC 
From: Eric Biggers <ebiggers@google.com>

Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.")
fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
closed concurrently with fchownat().  However, it ignored that many
other proto_ops::release() methods don't set sock->sk to NULL and
therefore allow the same use-after-free:

    - base_sock_release
    - bnep_sock_release
    - cmtp_sock_release
    - data_sock_release
    - dn_release
    - hci_sock_release
    - hidp_sock_release
    - iucv_sock_release
    - l2cap_sock_release
    - llcp_sock_release
    - llc_ui_release
    - rawsock_release
    - rfcomm_sock_release
    - sco_sock_release
    - svc_release
    - vcc_release
    - x25_release

Rather than fixing all these and relying on every socket type to get
this right forever, just make __sock_release() set sock->sk to NULL
itself after calling proto_ops::release().

Reproducer that produces the KASAN splat when any of these socket types
are configured into the kernel:

    #include <pthread.h>
    #include <stdlib.h>
    #include <sys/socket.h>
    #include <unistd.h>

    pthread_t t;
    volatile int fd;

    void *close_thread(void *arg)
    {
        for (;;) {
            usleep(rand() % 100);
            close(fd);
        }
    }

    int main()
    {
        pthread_create(&t, NULL, close_thread, NULL);
        for (;;) {
            fd = socket(rand() % 50, rand() % 11, 0);
            fchownat(fd, "", 1000, 1000, 0x1000);
            close(fd);
        }
    }

Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2019-8912

(cherry picked from commit ff7b11aa481f682e0e9711abfeb7d03f5cd612bf linux-next)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 net/socket.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Stefan Bader Feb. 27, 2019, 3:13 p.m. UTC | #1 
On 27.02.19 12:13, Tyler Hicks wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.")
> fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
> closed concurrently with fchownat().  However, it ignored that many
> other proto_ops::release() methods don't set sock->sk to NULL and
> therefore allow the same use-after-free:
> 
>     - base_sock_release
>     - bnep_sock_release
>     - cmtp_sock_release
>     - data_sock_release
>     - dn_release
>     - hci_sock_release
>     - hidp_sock_release
>     - iucv_sock_release
>     - l2cap_sock_release
>     - llcp_sock_release
>     - llc_ui_release
>     - rawsock_release
>     - rfcomm_sock_release
>     - sco_sock_release
>     - svc_release
>     - vcc_release
>     - x25_release
> 
> Rather than fixing all these and relying on every socket type to get
> this right forever, just make __sock_release() set sock->sk to NULL
> itself after calling proto_ops::release().
> 
> Reproducer that produces the KASAN splat when any of these socket types
> are configured into the kernel:
> 
>     #include <pthread.h>
>     #include <stdlib.h>
>     #include <sys/socket.h>
>     #include <unistd.h>
> 
>     pthread_t t;
>     volatile int fd;
> 
>     void *close_thread(void *arg)
>     {
>         for (;;) {
>             usleep(rand() % 100);
>             close(fd);
>         }
>     }
> 
>     int main()
>     {
>         pthread_create(&t, NULL, close_thread, NULL);
>         for (;;) {
>             fd = socket(rand() % 50, rand() % 11, 0);
>             fchownat(fd, "", 1000, 1000, 0x1000);
>             close(fd);
>         }
>     }
> 
> Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2019-8912
> 
> (cherry picked from commit ff7b11aa481f682e0e9711abfeb7d03f5cd612bf linux-next)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/socket.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/socket.c b/net/socket.c
> index f2957aa205e6..874656a19eac 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -605,6 +605,7 @@ static void __sock_release(struct socket *sock, struct inode *inode)
>  		if (inode)
>  			inode_lock(inode);
>  		sock->ops->release(sock);
> +		sock->sk = NULL;
>  		if (inode)
>  			inode_unlock(inode);
>  		sock->ops = NULL;
>
diff mbox series

Patch

diff --git a/net/socket.c b/net/socket.c
index f2957aa205e6..874656a19eac 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -605,6 +605,7 @@  static void __sock_release(struct socket *sock, struct inode *inode)
 		if (inode)
 			inode_lock(inode);
 		sock->ops->release(sock);
+		sock->sk = NULL;
 		if (inode)
 			inode_unlock(inode);
 		sock->ops = NULL;