From patchwork Tue May 9 14:42:37 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98926
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Rainer Weikusat, David S. Miller
Subject: [PATCH for-3.18 13/24] af_unix: Guard against other == sk in unix_dgram_sendmsg
Date: Tue, 9 May 2017 20:12:37 +0530
Message-Id: <1494340968-17152-14-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Rainer Weikusat

commit a5527dda344fff0514b7989ef7a755729769daa1 upstream.

The unix_dgram_sendmsg routine uses the following test

	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either established via connect or by using sendto to send messages to an unrelated socket identified by address). This isn't correct as the specified address could have been bound to the sending socket itself or because this socket could have been connected to itself by the time of the unix_peer_get but disconnected before the unix_state_lock(other). In both cases, the if-block would be entered despite other == sk which might either block the sender unintentionally or lead to trying to unlock the same spin lock twice for a non-blocking send. Add an other != sk check to guard against this.

Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn
Signed-off-by: Rainer Weikusat Tested-by: Philipp Hahn Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/unix/af_unix.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -- 2.7.4 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 7950b4c26651..29b1f4dc48ca 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1722,7 +1722,12 @@ restart_locked: goto out_unlock; } - if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { + /* other == sk && unix_peer(other) != sk if + * - unix_peer(sk) == NULL, destination address bound to sk + * - unix_peer(sk) == sk by time of get but disconnected before lock + */ + if (other != sk && + unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { if (timeo) { timeo = unix_wait_for_peer(other, timeo);
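Review bot: the new "other != sk" term is placed as the first operand of the &&, so the condition short-circuits and neither unix_recvq_full(other) nor the unix_wait_for_peer(other, timeo) call inside the block can run with other == sk; that covers both outcomes named in the description, the unintended block on the timeo path and the double unlock on the non-blocking path. Two small points: the comment's first line, "other == sk && unix_peer(other) != sk if", is hard to parse on first read, and something like "other == sk while unix_peer(other) != sk happens when:" above the two dash items would read more easily; and the hunk context shows the restart_locked: label, so this 3.18 tree already carries 7d267278a9ec named in Fixes:, which confirms the backport lands where the retry loop it guards actually exists.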
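The first other == sk case in the commit message (the destination address is bound to the sending socket itself) can be exercised from user space as a regression check for this backport. The program below is an added example, not part of the patch or of the kernel tree: it binds a SOCK_DGRAM AF_UNIX socket to a constructed path under /tmp, sends a datagram to that same address with MSG_DONTWAIT so the non-blocking send path is taken, and reads the datagram back. The path name, payload and helper name self_dgram_roundtrip are assumptions of this example; it assumes a Linux host with a writable /tmp.

```c
/* Added regression check, not part of the patch: a SOCK_DGRAM AF_UNIX
 * socket sends to the address it is itself bound to (the other == sk
 * case from the commit message) using a non-blocking send. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Returns 0 when the self-addressed datagram round-trips, -1 otherwise
 * (including an EAGAIN from sendto, which would mean the kernel treated the
 * sender as a full n:1 peer instead of recognising other == sk). */
int self_dgram_roundtrip(const char *path)
{
    struct sockaddr_un addr;
    char buf[16];
    const char msg[] = "self";          /* constructed payload */
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    int rc = -1;

    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);                       /* drop a stale path from an earlier run */

    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;

    /* The destination address is our own bound address, so in the kernel
     * "other" resolves to this very socket. MSG_DONTWAIT selects the
     * non-blocking path discussed in the commit message. */
    if (sendto(fd, msg, sizeof(msg), MSG_DONTWAIT,
               (struct sockaddr *)&addr, sizeof(addr)) != (ssize_t)sizeof(msg))
        goto out;

    /* The datagram must already be queued on our own receive queue. */
    if (recv(fd, buf, sizeof(buf), MSG_DONTWAIT) != (ssize_t)sizeof(msg))
        goto out;

    rc = (memcmp(buf, msg, sizeof(msg)) == 0) ? 0 : -1;
out:
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    char path[64];                      /* constructed, per-process socket path */
    snprintf(path, sizeof(path), "/tmp/af_unix_self_%ld.sock", (long)getpid());
    int rc = self_dgram_roundtrip(path);
    printf("self-addressed datagram: %s\n", rc == 0 ? "ok" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

On a kernel carrying this fix the send returns immediately and the datagram is read back from the same socket; the point of keeping it as a standalone check is that the interesting behaviour lives in the unix_dgram_sendmsg path shown in the hunk, so a user-space round trip is the cheapest way to confirm the backport behaves as the description says.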