
[SRU,focal/linux-oem-5.10,1/1] vsock: fix the race conditions in multi-transport support

Message ID 20210301143644.578451-2-cascardo@canonical.com

Commit Message

Thadeu Lima de Souza Cascardo March 1, 2021, 2:36 p.m. UTC
From: Alexander Popov <alex.popov@linux.com>

There are multiple similar bugs implicitly introduced by the
commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").

The bug pattern:
 [1] vsock_sock.transport pointer is copied to a local variable,
 [2] lock_sock() is called,
 [3] the local variable is used.
VSOCK multi-transport support introduced the race condition:
vsock_sock.transport value may change between [1] and [2], so the
pointer dereferenced in [3] can be stale.

Let's copy vsock_sock.transport pointer to local variables after
the lock_sock() call.

Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@linux.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
CVE-2021-26708
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

Comments

Kleber Sacilotto de Souza March 1, 2021, 3:57 p.m. UTC | #1
On 01.03.21 15:36, Thadeu Lima de Souza Cascardo wrote:
> From: Alexander Popov <alex.popov@linux.com>
> 
> There are multiple similar bugs implicitly introduced by the
> commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
> commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").
> 
> The bug pattern:
>   [1] vsock_sock.transport pointer is copied to a local variable,
>   [2] lock_sock() is called,
>   [3] the local variable is used.
> VSOCK multi-transport support introduced the race condition:
> vsock_sock.transport value may change between [1] and [2].
> 
> Let's copy vsock_sock.transport pointer to local variables after
> the lock_sock() call.
> 
> Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
> Signed-off-by: Alexander Popov <alex.popov@linux.com>
> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
> Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
> Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@linux.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> (cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
> CVE-2021-26708
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>   net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
>   1 file changed, 12 insertions(+), 5 deletions(-)
> 
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index d10916ab4526..f64e681493a5 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
>   			mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
>   
>   	} else if (sock->type == SOCK_STREAM) {
> -		const struct vsock_transport *transport = vsk->transport;
> +		const struct vsock_transport *transport;
> +
>   		lock_sock(sk);
>   
> +		transport = vsk->transport;
> +
>   		/* Listening sockets that have connections in their accept
>   		 * queue can be read.
>   		 */
> @@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
>   	err = 0;
>   	sk = sock->sk;
>   	vsk = vsock_sk(sk);
> -	transport = vsk->transport;
>   
>   	lock_sock(sk);
>   
> +	transport = vsk->transport;
> +
>   	err = vsock_auto_bind(vsk);
>   	if (err)
>   		goto out;
> @@ -1544,10 +1548,11 @@ static int vsock_stream_setsockopt(struct socket *sock,
>   	err = 0;
>   	sk = sock->sk;
>   	vsk = vsock_sk(sk);
> -	transport = vsk->transport;
>   
>   	lock_sock(sk);
>   
> +	transport = vsk->transport;
> +
>   	switch (optname) {
>   	case SO_VM_SOCKETS_BUFFER_SIZE:
>   		COPY_IN(val);
> @@ -1680,7 +1685,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>   
>   	sk = sock->sk;
>   	vsk = vsock_sk(sk);
> -	transport = vsk->transport;
>   	total_written = 0;
>   	err = 0;
>   
> @@ -1689,6 +1693,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>   
>   	lock_sock(sk);
>   
> +	transport = vsk->transport;
> +
>   	/* Callers should not provide a destination with stream sockets. */
>   	if (msg->msg_namelen) {
>   		err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
> @@ -1823,11 +1829,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
>   
>   	sk = sock->sk;
>   	vsk = vsock_sk(sk);
> -	transport = vsk->transport;
>   	err = 0;
>   
>   	lock_sock(sk);
>   
> +	transport = vsk->transport;
> +
>   	if (!transport || sk->sk_state != TCP_ESTABLISHED) {
>   		/* Recvmsg is supposed to return 0 if a peer performs an
>   		 * orderly shutdown. Differentiate between that case and when a
>

Patch

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index d10916ab4526..f64e681493a5 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -997,9 +997,12 @@  static __poll_t vsock_poll(struct file *file, struct socket *sock,
 			mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
 
 	} else if (sock->type == SOCK_STREAM) {
-		const struct vsock_transport *transport = vsk->transport;
+		const struct vsock_transport *transport;
+
 		lock_sock(sk);
 
+		transport = vsk->transport;
+
 		/* Listening sockets that have connections in their accept
 		 * queue can be read.
 		 */
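Review bot: Nothing at the new assignment in vsock_poll records why the read of vsk->transport has to sit after lock_sock(), so the next refactor can quietly reintroduce the pattern this patch removes; I would add at the assignment: `/* vsk->transport can be reassigned by the multi-transport code; read it only under the socket lock and never cache it across a release_sock(). */`. The fix is only as strong as the invariant that every writer of vsk->transport also holds the socket lock, which is not visible in this hunk and worth confirming. vsock_poll continues past the hunk; the local can still be NULL for a socket with no transport assigned yet, so the uses further down must keep their NULL guards.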
@@ -1082,10 +1085,11 @@  static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
 	err = 0;
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	err = vsock_auto_bind(vsk);
 	if (err)
 		goto out;
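Review bot: The local transport is now read before vsock_auto_bind(vsk) runs; if auto-binding can assign or replace the socket's transport (not visible here), the copy would be stale again a few lines later, so either confirm that vsock_auto_bind never writes vsk->transport or take the copy after the bind succeeds, e.g. move `transport = vsk->transport;` below the `if (err) goto out;`. The remainder of vsock_dgram_sendmsg, including any `transport->` calls, is outside the hunk.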
@@ -1544,10 +1548,11 @@  static int vsock_stream_setsockopt(struct socket *sock,
 	err = 0;
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	switch (optname) {
 	case SO_VM_SOCKETS_BUFFER_SIZE:
 		COPY_IN(val);
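Review bot: setsockopt is routinely called on a stream socket before connect(), when the socket may not have a transport yet, so reading vsk->transport under the lock closes the race but the local can legitimately be NULL at this point; every `transport->` dereference in the option cases below (outside the hunk) therefore still needs a NULL guard, and the hunk gives no sign of one either way. A comment at the assignment, `/* may be NULL: transport is assigned at connect time */`, would make that expectation explicit for the case bodies. vsock_stream_setsockopt continues outside the hunk.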
@@ -1680,7 +1685,6 @@  static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
 
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 	total_written = 0;
 	err = 0;
 
@@ -1689,6 +1693,8 @@  static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	/* Callers should not provide a destination with stream sockets. */
 	if (msg->msg_namelen) {
 		err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
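Review bot: The cached transport is only guaranteed current while the socket lock is held continuously; stream sendmsg typically waits for send space by dropping and re-taking the socket lock, and that loop lies outside this hunk. If vsk->transport can only be reassigned before the socket reaches TCP_ESTABLISHED, the copy stays valid across that window, but that reasoning is not written down; I would state it at the assignment: `/* transport cannot change once sk_state is TCP_ESTABLISHED, so the copy stays valid across release_sock()/lock_sock() in the wait loop below */`. If reassignment is possible in other states the wait loop reopens the same race and the pointer should be re-read after each lock_sock(). vsock_stream_sendmsg continues outside the hunk.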
@@ -1823,11 +1829,12 @@  vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 	err = 0;
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	if (!transport || sk->sk_state != TCP_ESTABLISHED) {
 		/* Recvmsg is supposed to return 0 if a peer performs an
 		 * orderly shutdown. Differentiate between that case and when a