| Message ID | 20210303061654.127666-5-nixiaoming@huawei.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | nfc: fix Resource leakage and endless loop | expand |
Hi xiaoming, the path can only fix the endless loop problem. it can't fix the meaningless llcp_sock->service_name problem. if we set llcp_sock->service_name to meaningless string, the connect will be failed. and sk->sk_state will not be LLCP_CONNECTED. then we can call llcp_sock_connect() many times. that leaks everything: llcp_sock->dev, llcp_sock->local, llcp_sock->ssap, llcp_sock->service_name... Regards, kiyin. > -----Original Message----- > From: Xiaoming Ni [mailto:nixiaoming@huawei.com] > Sent: Wednesday, March 3, 2021 2:17 PM > To: linux-kernel@vger.kernel.org; kiyin(尹亮) <kiyin@tencent.com>; > stable@vger.kernel.org; gregkh@linuxfoundation.org; sameo@linux.intel.com; > linville@tuxdriver.com; davem@davemloft.net; kuba@kernel.org; > mkl@pengutronix.de; stefan@datenfreihafen.org; > matthieu.baerts@tessares.net; netdev@vger.kernel.org > Cc: nixiaoming@huawei.com; wangle6@huawei.com; xiaoqian9@huawei.com > Subject: [PATCH 4/4] nfc: Avoid endless loops caused by repeated > llcp_sock_connect()(Internet mail) > > When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is > LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, > nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. > sk->sk_node->next will point to itself, that will make an endless loop and > hang-up the system. > To fix it, check whether sk->sk_state is LLCP_CONNECTING in > llcp_sock_connect() to avoid repeated invoking. > > fix CVE-2020-25673 > Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") > Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> > Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 > Cc: <stable@vger.kernel.org> #v3.11 > Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> > --- > net/nfc/llcp_sock.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index > 59172614b249..a3b46f888803 100644 > --- a/net/nfc/llcp_sock.c > +++ b/net/nfc/llcp_sock.c > @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, > struct sockaddr *_addr, > ret = -EISCONN; > goto error; > } > + if (sk->sk_state == LLCP_CONNECTING) { > + ret = -EINPROGRESS; > + goto error; > + } > > dev = nfc_get_device(addr->dev_idx); > if (dev == NULL) { > -- > 2.27.0 >
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index 59172614b249..a3b46f888803 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -673,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, ret = -EISCONN; goto error; } + if (sk->sk_state == LLCP_CONNECTING) { + ret = -EINPROGRESS; + goto error; + } dev = nfc_get_device(addr->dev_idx); if (dev == NULL) {
When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. sk->sk_node->next will point to itself, that will make an endless loop and hang-up the system. To fix it, check whether sk->sk_state is LLCP_CONNECTING in llcp_sock_connect() to avoid repeated invoking. fix CVE-2020-25673 Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") Reported-by: "kiyin(尹亮)" <kiyin@tencent.com> Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: <stable@vger.kernel.org> #v3.11 Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com> --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+)