LKML Archive on lore.kernel.org
* [PATCH] dccp: don't duplicate ccid when cloning dccp sock
@ 2021-09-08  3:40 Lin, Zhenpeng
  2021-09-08 10:40 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 3+ messages in thread
From: Lin, Zhenpeng @ 2021-09-08  3:40 UTC (permalink / raw)
  To: Lin, Zhenpeng
  Cc: dccp@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, davem@davemloft.net,
	kuba@kernel.org, alexey.kodanev

Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
a UAF but reintroduced CVE-2017-6074.

When the sock is cloned, two dccps_hc_tx_ccid will reference the
same ccid. So one can free the ccid object twice from two socks after
cloning.

This issue was found by "Hadar Manor" as well and assigned
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
the patch from Ubuntu to fix it.

The patch prevents cloned socks from referencing the same ccid.

Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
---
 net/dccp/minisocks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index c5c74a34d139..91e7a2202697 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
 		newdp->dccps_role	    = DCCP_ROLE_SERVER;
 		newdp->dccps_hc_rx_ackvec   = NULL;
 		newdp->dccps_service_list   = NULL;
+		newdp->dccps_hc_rx_ccid     = NULL;
+		newdp->dccps_hc_tx_ccid     = NULL;
 		newdp->dccps_service	    = dreq->dreq_service;
 		newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
 		newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
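Review bot: The two added NULL stores at `newdp->dccps_hc_rx_ccid = NULL;` and `newdp->dccps_hc_tx_ccid = NULL;` silently discard pointers the child inherited from the listener at clone time, and nothing in the hunk says why; a one-line comment above them stating that the parent's CCID objects must not be shared by the child (and, if the child's own CCIDs are allocated later in this function, saying so) would make the ownership rule visible to the next reader of this block. Also note that the hunk clears both the RX and the TX CCID while the description only mentions dccps_hc_tx_ccid; the commit message should state that both directions are covered. Finally, the Fixes: tag's SHA (`2677d2067731410`, 15 hex digits) does not match the 12-digit form used in the body, so one of them should be corrected.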
--
2.25.1



* Re: [PATCH] dccp: don't duplicate ccid when cloning dccp sock
  2021-09-08  3:40 [PATCH] dccp: don't duplicate ccid when cloning dccp sock Lin, Zhenpeng
@ 2021-09-08 10:40 ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-09-08 10:40 UTC (permalink / raw)
  To: Lin, Zhenpeng; +Cc: dccp, netdev, linux-kernel, davem, kuba, alexey.kodanev

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed, 8 Sep 2021 03:40:59 +0000 you wrote:
> Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
> a UAF but reintroduced CVE-2017-6074.
> 
> When the sock is cloned, two dccps_hc_tx_ccid will reference the
> same ccid. So one can free the ccid object twice from two socks after
> cloning.
> 
> [...]

Here is the summary with links:
  - dccp: don't duplicate ccid when cloning dccp sock
    https://git.kernel.org/netdev/net/c/d9ea761fdd19

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* [PATCH] dccp: don't duplicate ccid when cloning dccp sock
@ 2021-09-07 18:28 Lin, Zhenpeng
  0 siblings, 0 replies; 3+ messages in thread
From: Lin, Zhenpeng @ 2021-09-07 18:28 UTC (permalink / raw)
  To: Lin, Zhenpeng; +Cc: dccp, netdev, linux-kernel, davem, kuba, alexey.kodanev

Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
a UAF but reintroduced CVE-2017-6074.

When the sock is cloned, two dccps_hc_tx_ccid will reference the
same ccid. So one can free the ccid object twice from two socks after
cloning.

This issue was found by "Hadar Manor" as well and assigned
CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
the patch from Ubuntu to fix it.

The patch prevents cloned socks from referencing the same ccid.

Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...")
Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
---
net/dccp/minisocks.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index c5c74a34d139..91e7a2202697 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
		newdp->dccps_role	    = DCCP_ROLE_SERVER;
		newdp->dccps_hc_rx_ackvec   = NULL;
		newdp->dccps_service_list   = NULL;
+		newdp->dccps_hc_rx_ccid     = NULL;
+		newdp->dccps_hc_tx_ccid     = NULL;
		newdp->dccps_service	    = dreq->dreq_service;
		newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
		newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
--
2.25.1


