    net: socket: set sock->sk to NULL after calling proto_ops::release() · ff7b11aa
    Eric Biggers authored
    Commit 9060cb71 ("net: crypto set sk to NULL when af_alg_release.")
    fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
    closed concurrently with fchownat().  However, it ignored that many
    other proto_ops::release() methods don't set sock->sk to NULL and
    therefore allow the same use-after-free:
    
        - base_sock_release
        - bnep_sock_release
        - cmtp_sock_release
        - data_sock_release
        - dn_release
        - hci_sock_release
        - hidp_sock_release
        - iucv_sock_release
        - l2cap_sock_release
        - llcp_sock_release
        - llc_ui_release
        - rawsock_release
        - rfcomm_sock_release
        - sco_sock_release
        - svc_release
        - vcc_release
        - x25_release
    
    Rather than fixing all these and relying on every socket type to get
    this right forever, just make __sock_release() set sock->sk to NULL
    itself after calling proto_ops::release().
    
    Reproducer that produces the KASAN splat when any of these socket types
    are configured into the kernel:
    
        #include <pthread.h>
        #include <stdlib.h>
        #include <sys/socket.h>
        #include <unistd.h>
    
        pthread_t t;
        volatile int fd;
    
        void *close_thread(void *arg)
        {
            for (;;) {
                usleep(rand() % 100);
                close(fd);
            }
        }
    
        int main()
        {
            pthread_create(&t, NULL, close_thread, NULL);
            for (;;) {
                fd = socket(rand() % 50, rand() % 11, 0);
                fchownat(fd, "", 1000, 1000, 0x1000);
                close(fd);
            }
        }
    
    Fixes: 86741ec2 ("net: core: Add a UID field to struct sock.")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
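The defensive pattern this commit adopts, moving the `sock->sk = NULL` into the common `__sock_release()` path instead of trusting each `proto_ops::release()`, can be illustrated with a small user-space model. The following is an added example, not kernel code and not part of the commit: `struct sock`, `struct socket`, `proto_ops`, `careless_release`, `model_sock_release_old`, `model_sock_release`, `model_sockfs_setattr` and the `dangling_after_*` / `setattr_after_new_release` helpers are all constructed for illustration. It contrasts the pre-fix wrapper (which leaves a dangling `sk` after a release method that never clears it) with the fixed wrapper (which clears `sk` centrally so a later attribute change fails cleanly rather than touching freed memory).

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space stand-ins for the kernel structures named in the
 * commit message (struct sock, struct socket, struct proto_ops). */
struct sock {
    unsigned int uid;
};

struct socket;

struct proto_ops {
    const char *name;
    int (*release)(struct socket *sock);
};

struct socket {
    struct sock *sk;               /* dangling after release unless cleared */
    const struct proto_ops *ops;
};

/* A release method that frees the sock but, like the seventeen listed in
 * the commit, never clears sock->sk. (Hypothetical name.) */
static int careless_release(struct socket *sock)
{
    free(sock->sk);
    return 0;
}

static const struct proto_ops careless_ops = { "careless", careless_release };

/* Pre-fix shape of the generic wrapper: relies on the ops to clear sk. */
static void model_sock_release_old(struct socket *sock)
{
    if (sock->ops)
        sock->ops->release(sock);
}

/* Post-fix shape: the generic wrapper clears sk itself, so every socket
 * type is covered regardless of what its own release method does. */
static void model_sock_release(struct socket *sock)
{
    if (sock->ops) {
        sock->ops->release(sock);
        sock->sk = NULL;           /* the centralised one-line fix */
    }
}

/* Model of the sockfs_setattr() consumer: must not touch a gone sk. */
static int model_sockfs_setattr(struct socket *sock, unsigned int new_uid)
{
    if (!sock->sk)
        return -1;                 /* fail cleanly instead of a use-after-free */
    sock->sk->uid = new_uid;
    return 0;
}

static struct socket *model_socket_create(void)
{
    struct socket *sock = calloc(1, sizeof(*sock));
    sock->sk = calloc(1, sizeof(*sock->sk));
    sock->ops = &careless_ops;
    return sock;
}

/* Returns 1 if the old wrapper leaves sock->sk pointing at freed memory. */
int dangling_after_old_release(void)
{
    struct socket *sock = model_socket_create();
    model_sock_release_old(sock);
    int dangling = (sock->sk != NULL);   /* pointer compare only, no deref */
    free(sock);
    return dangling;
}

/* Returns 1 if the fixed wrapper leaves a dangling pointer (it does not). */
int dangling_after_new_release(void)
{
    struct socket *sock = model_socket_create();
    model_sock_release(sock);
    int dangling = (sock->sk != NULL);
    free(sock);
    return dangling;
}

/* With the fix, a late setattr sees sk == NULL and returns -1 (no UAF). */
int setattr_after_new_release(void)
{
    struct socket *sock = model_socket_create();
    model_sock_release(sock);
    int rc = model_sockfs_setattr(sock, 1000);
    free(sock);
    return rc;
}

int main(void)
{
    printf("old wrapper dangling: %d\n", dangling_after_old_release());
    printf("new wrapper dangling: %d\n", dangling_after_new_release());
    printf("setattr after new release: %d\n", setattr_after_new_release());
    return 0;
}
```

The point of the model is the location of the NULL assignment: putting it in the shared wrapper means the check in the consumer (`if (!sock->sk)`) is sufficient for every socket family, which is exactly why the commit prefers one central line over patching seventeen release methods.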