Message ID | 20210301143644.578451-2-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | [SRU,focal/linux-oem-5.10,1/1] vsock: fix the race conditions in multi-transport support | expand |
On 01.03.21 15:36, Thadeu Lima de Souza Cascardo wrote: > From: Alexander Popov <alex.popov@linux.com> > > There are multiple similar bugs implicitly introduced by the > commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and > commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading"). > > The bug pattern: > [1] vsock_sock.transport pointer is copied to a local variable, > [2] lock_sock() is called, > [3] the local variable is used. > VSOCK multi-transport support introduced the race condition: > vsock_sock.transport value may change between [1] and [2]. > > Let's copy vsock_sock.transport pointer to local variables after > the lock_sock() call. > > Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support") > Signed-off-by: Alexander Popov <alex.popov@linux.com> > Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> > Reviewed-by: Jorgen Hansen <jhansen@vmware.com> > Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@linux.com > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > (cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446) > CVE-2021-26708 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > net/vmw_vsock/af_vsock.c | 17 ++++++++++++----- > 1 file changed, 12 insertions(+), 5 deletions(-) > > diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c > index d10916ab4526..f64e681493a5 100644 > --- a/net/vmw_vsock/af_vsock.c > +++ b/net/vmw_vsock/af_vsock.c > @@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock, > mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND; > > } else if (sock->type == SOCK_STREAM) { > - const struct vsock_transport *transport = vsk->transport; > + const struct vsock_transport *transport; > + > lock_sock(sk); > > + transport = vsk->transport; > + > /* Listening sockets that have connections in their accept > * queue can be read. > */ > @@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg, > err = 0; > sk = sock->sk; > vsk = vsock_sk(sk); > - transport = vsk->transport; > > lock_sock(sk); > > + transport = vsk->transport; > + > err = vsock_auto_bind(vsk); > if (err) > goto out; > @@ -1544,10 +1548,11 @@ static int vsock_stream_setsockopt(struct socket *sock, > err = 0; > sk = sock->sk; > vsk = vsock_sk(sk); > - transport = vsk->transport; > > lock_sock(sk); > > + transport = vsk->transport; > + > switch (optname) { > case SO_VM_SOCKETS_BUFFER_SIZE: > COPY_IN(val); > @@ -1680,7 +1685,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, > > sk = sock->sk; > vsk = vsock_sk(sk); > - transport = vsk->transport; > total_written = 0; > err = 0; > > @@ -1689,6 +1693,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, > > lock_sock(sk); > > + transport = vsk->transport; > + > /* Callers should not provide a destination with stream sockets. */ > if (msg->msg_namelen) { > err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; > @@ -1823,11 +1829,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, > > sk = sock->sk; > vsk = vsock_sk(sk); > - transport = vsk->transport; > err = 0; > > lock_sock(sk); > > + transport = vsk->transport; > + > if (!transport || sk->sk_state != TCP_ESTABLISHED) { > /* Recvmsg is supposed to return 0 if a peer performs an > * orderly shutdown. Differentiate between that case and when a >
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index d10916ab4526..f64e681493a5 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c @@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock, mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND; } else if (sock->type == SOCK_STREAM) { - const struct vsock_transport *transport = vsk->transport; + const struct vsock_transport *transport; + lock_sock(sk); + transport = vsk->transport; + /* Listening sockets that have connections in their accept * queue can be read. */ @@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg, err = 0; sk = sock->sk; vsk = vsock_sk(sk); - transport = vsk->transport; lock_sock(sk); + transport = vsk->transport; + err = vsock_auto_bind(vsk); if (err) goto out; @@ -1544,10 +1548,11 @@ static int vsock_stream_setsockopt(struct socket *sock, err = 0; sk = sock->sk; vsk = vsock_sk(sk); - transport = vsk->transport; lock_sock(sk); + transport = vsk->transport; + switch (optname) { case SO_VM_SOCKETS_BUFFER_SIZE: COPY_IN(val); @@ -1680,7 +1685,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, sk = sock->sk; vsk = vsock_sk(sk); - transport = vsk->transport; total_written = 0; err = 0; @@ -1689,6 +1693,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg, lock_sock(sk); + transport = vsk->transport; + /* Callers should not provide a destination with stream sockets. */ if (msg->msg_namelen) { err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; @@ -1823,11 +1829,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, sk = sock->sk; vsk = vsock_sk(sk); - transport = vsk->transport; err = 0; lock_sock(sk); + transport = vsk->transport; + if (!transport || sk->sk_state != TCP_ESTABLISHED) { /* Recvmsg is supposed to return 0 if a peer performs an * orderly shutdown. Differentiate between that case and when a