Commit 8ba9ba1a authored by Arnaldo Carvalho de Melo's avatar Arnaldo Carvalho de Melo Committed by Willy Tarreau

net: Fix use after free in the recvmmsg exit path

commit 34b88a68 upstream.

The syzkaller fuzzer hit the following use-after-free:

  Call Trace:
   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
  arch/x86/entry/entry_64.S:185

And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg to set
sock->sk->sk_err, oops, fix it.
Reported-and-Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e27255 ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent 0babba1b
...@@ -2381,13 +2381,14 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, ...@@ -2381,13 +2381,14 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
break; break;
} }
out_put:
fput_light(sock->file, fput_needed);
if (err == 0) if (err == 0)
return datagrams; goto out_put;
if (datagrams == 0) {
datagrams = err;
goto out_put;
}
if (datagrams != 0) {
/* /*
* We may return less entries than requested (vlen) if the * We may return less entries than requested (vlen) if the
* sock is non block and there aren't enough datagrams... * sock is non block and there aren't enough datagrams...
...@@ -2401,11 +2402,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, ...@@ -2401,11 +2402,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
*/ */
sock->sk->sk_err = -err; sock->sk->sk_err = -err;
} }
out_put:
fput_light(sock->file, fput_needed);
return datagrams; return datagrams;
}
return err;
} }
SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment