[0/2] net: dccp: fix structure use-after-free

Message ID	20201013171849.236025-1-kleber.souza@canonical.com
Headers	show Return-Path: <SRS0=gWEN=DU=vger.kernel.org=netdev-owner@kernel.org> From: Kleber Sacilotto de Souza <kleber.souza@canonical.com> To: netdev@vger.kernel.org Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, "Alexander A. Klimov" <grandmaster@al2klimov.de>, Kees Cook <keescook@chromium.org>, Eric Dumazet <edumazet@google.com>, Alexey Kodanev <alexey.kodanev@oracle.com>, dccp@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 0/2] net: dccp: fix structure use-after-free Date: Tue, 13 Oct 2020 19:18:47 +0200 Message-Id: <20201013171849.236025-1-kleber.souza@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	net: dccp: fix structure use-after-free \| expand [0/2] net: dccp: fix structure use-after-free [1/2] dccp: ccid: move timers to struct dccp_sock [2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"

Message ID

20201013171849.236025-1-kleber.souza@canonical.com

Headers

From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: netdev@vger.kernel.org
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Thadeu Lima de Souza Cascardo <cascardo@canonical.com>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	"Alexander A. Klimov" <grandmaster@al2klimov.de>,
	Kees Cook <keescook@chromium.org>, Eric Dumazet <edumazet@google.com>,
	Alexey Kodanev <alexey.kodanev@oracle.com>,
	dccp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 0/2] net: dccp: fix structure use-after-free
Date: Tue, 13 Oct 2020 19:18:47 +0200
Message-Id: <20201013171849.236025-1-kleber.souza@canonical.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

net: dccp: fix structure use-after-free | expand

Message

Kleber Sacilotto de Souza Oct. 13, 2020, 5:18 p.m. UTC

This patchset addresses the following CVE:

CVE-2020-16119 - DCCP CCID structure use-after-free

Hadar Manor reported that by reusing a socket with an attached
dccps_hc_tx_ccid as a listener, it will be used after being released,
leading to DoS and potentially code execution.

The first patch moves the ccid timers to struct dccp_sock to avoid its
use-after-free, the second patch reverts 2677d2067731 "dccp: don't free
ccid2_hc_tx_sock struct in dccp_disconnect()" that's not needed anymore
and would cause another use-after-free.

Thadeu Lima de Souza Cascardo (2):
  dccp: ccid: move timers to struct dccp_sock
  Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"

 include/linux/dccp.h   |  2 ++
 net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
 net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
 net/dccp/proto.c       |  2 ++
 4 files changed, 43 insertions(+), 23 deletions(-)

Comments

Jakub Kicinski Oct. 15, 2020, 3:43 a.m. UTC | #1

On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote:
> From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> 
> When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
> del_timer_sync can't be used is because this relies on keeping a reference
> to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
> during disconnect, the timer should really belong to struct dccp_sock.
> 
> This addresses CVE-2020-16119.
> 
> Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())

Presumably you chose this commit because the fix won't apply beyond it?
But it really fixes 2677d2067731 (dccp: don't free.. right?

> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thadeu Lima de Souza Cascardo Oct. 15, 2020, 10:53 a.m. UTC | #2

On Wed, Oct 14, 2020 at 08:43:22PM -0700, Jakub Kicinski wrote:
> On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote:
> > From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> > 
> > When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
> > del_timer_sync can't be used is because this relies on keeping a reference
> > to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
> > during disconnect, the timer should really belong to struct dccp_sock.
> > 
> > This addresses CVE-2020-16119.
> > 
> > Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
> 
> Presumably you chose this commit because the fix won't apply beyond it?
> But it really fixes 2677d2067731 (dccp: don't free.. right?

Well, it should also fix cases where dccps_hc_tx_ccid{,_private} has been freed
right after the timer is stopped.

So, we could add:
Fixes: 2a91aa396739 ([DCCP] CCID2: Initial CCID2 (TCP-Like) implementation)
Fixes: 7c657876b63c ([DCCP]: Initial implementation)

But I wouldn't say that this fixes 2677d2067731, unless there is argument to
say that it fixes it because it claimed to fix what is being fixed here. But
even the code that it removed was supposed to be stopping the timer, so how
could it ever fix what it was claiming to fix?

Thanks.
Cascardo.

> 
> > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>