[net-next,v2,1/2] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
| Message ID | 476cccdcb57645784889fc82f0c7c10ff4c8b8c0.1701530776.git.code@siddh.me |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp1824888vqy;
Sat, 2 Dec 2023 07:42:10 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IGyRi6thL7rQQ8v5yIs0wvgEBw/9loT9oT1Kxcrh0ngYXoWJnsLGuuZCnAg9piE3VHuVKCx
X-Received: by 2002:a17:902:c94e:b0:1d0:6ffd:ade6 with SMTP id
i14-20020a170902c94e00b001d06ffdade6mr311760pla.77.1701531730077;
Sat, 02 Dec 2023 07:42:10 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1701531730; cv=pass;
d=google.com; s=arc-20160816;
b=YWuc3OE4J4uJZOOODyGJLU5f2q01MaU1RYS4ctoYqTy9JZMR0XRYqAmMfWYFvZHDhS
op7aFuzdVaT8ZI6zggdXD+YFex3IvRd62fPWdwIyByY1RmJFBdc49fWwKw8j6pR0SJDu
/Uf55C/zhAsBzQuNEvMNxtv7v8ICqJnVUCkNZtEbculXsTBHZo06TdOYBADXt262RGi7
3M4ccmUHIo7Wy8z9rymvbeV5SxbBc6K+L7cmAcPe7AfGCHIA8LSE/q9GAtJkPV1ZCcRN
sKomrTnWURZXLsEwqZXyda6G77jEW0mfOcTEQyT9Rxk0txTeyq1fUFNg2/d5OE2oiXDg
IAKg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=2/y8gNDVdvE3iVtTQwtex+8cx1buAga8FFDXuaGHqVY=;
fh=h/VhKUw/sQqmUIJi67BHx0BKYGyOSCZRfVBjxOsGC3Y=;
b=MGor2vcSlv6rIlxpifCc6VDftf4x4WQoLwjcWMpZ5nKEDYanwj3L+CKTwsdNH8iB+D
ZT0GlkgHsXNjknbq6cRg3IGElBzXIz7S15vpgppIGXqvXyu4ch36hT1WcJ1Y6YQxGLeo
euOM/DkDcUdlIgNwUpVIX5XxGw14J/4IgeZ9C7dsNPQ2j3nKDMMJOL/4N2RjC2Lsbw9K
6hqV0uQdk07CLmtcQobc3iPGvoBRo7vv7nsP/5LzAZAjqHe8RxJAfV11E8d/X3dqNfye
DilQDa1yW5xU6+4YT2zKYhz2y2J3vk4091bUS5Bl9fADhgsTwsJCuCIWA0MqWA+QtwD1
9R8g==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@siddh.me header.s=zmail header.b=Ek3iTZ64;
arc=pass (i=1 spf=pass spfdomain=siddh.me dkim=pass dkdomain=siddh.me
dmarc=pass fromdomain=siddh.me>);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:2 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siddh.me
Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2])
by mx.google.com with ESMTPS id
w10-20020a170902a70a00b001d0050e2466si4764578plq.23.2023.12.02.07.42.09
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sat, 02 Dec 2023 07:42:10 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:2 as permitted sender)
client-ip=2620:137:e000::3:2;
Authentication-Results: mx.google.com;
dkim=pass header.i=@siddh.me header.s=zmail header.b=Ek3iTZ64;
arc=pass (i=1 spf=pass spfdomain=siddh.me dkim=pass dkdomain=siddh.me
dmarc=pass fromdomain=siddh.me>);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:2 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siddh.me
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by agentk.vger.email (Postfix) with ESMTP id E4293807B492;
Sat, 2 Dec 2023 07:42:06 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232987AbjLBPlt (ORCPT <rfc822;pwkd43@gmail.com> + 99 others);
Sat, 2 Dec 2023 10:41:49 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41332 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229671AbjLBPlr (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 2 Dec 2023 10:41:47 -0500
Received: from sender-of-o51.zoho.in (sender-of-o51.zoho.in [103.117.158.51])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D96C7125;
Sat, 2 Dec 2023 07:41:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701531674; cv=none;
d=zohomail.in; s=zohoarc;
b=YzOx7SVnwV5ebNZQGBeGoSc+wZ0Vqmn7zDjbMX8A1HZiY3fF5LCP2aRzOUEjRTHQGe2H2jCoRP561kp26jCtmc1oSdUVJV+NVR+L6p7MtHLQtmzz3JG/PMI3VPn1lvonT4H9megUZEUxBWCXpa4P0CkpvglHrg8UvAtzffCfuMs=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.in;
s=zohoarc;
t=1701531674;
h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To;
bh=2/y8gNDVdvE3iVtTQwtex+8cx1buAga8FFDXuaGHqVY=;
b=PJjfV/lMVpbGyS70Os0DRLgSA3MblAIGIvlUcmFJbQjHcDnIfEmGznZDhm1/hLEsb2NLWOVsQmRISQNV8InB5+qbhnyHZR6kjRbe52ocbMsLIfxFXMttdukAzMwAIM8vrAkTvtyjm5OgRyHrjP5BHs9ksj/P4Fu5FHP98gWeMQo=
ARC-Authentication-Results: i=1; mx.zohomail.in;
dkim=pass header.i=siddh.me;
spf=pass smtp.mailfrom=code@siddh.me;
dmarc=pass header.from=<code@siddh.me>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1701531674;
s=zmail; d=siddh.me; i=code@siddh.me;
h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Message-Id:Reply-To;
bh=2/y8gNDVdvE3iVtTQwtex+8cx1buAga8FFDXuaGHqVY=;
b=Ek3iTZ64lv3ZVAD79JdLetXTahik6epLFZmXoyDww7AAWaBnxPqMBiVxAMTADrNb
bXXKZ0tJloXvMyTUllqWeGQeC9d/+Y6Yqy9NYKay2KqdIexpoYhhq+mW+reg7cUbG9m
V5TFu2wMtuJn9merj0T62FFmBGcKApAm8I21WvNk=
Received: from kampyooter.. (122.170.35.155 [122.170.35.155]) by mx.zoho.in
with SMTPS id 1701531671764225.8381284275174;
Sat, 2 Dec 2023 21:11:11 +0530 (IST)
From: Siddh Raman Pant <code@siddh.me>
To: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Samuel Ortiz <sameo@linux.intel.com>,
syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Subject: [PATCH net-next v2 1/2] nfc: llcp_core: Hold a ref to llcp_local->dev
when holding a ref to llcp_local
Date: Sat, 2 Dec 2023 21:10:58 +0530
Message-ID:
<476cccdcb57645784889fc82f0c7c10ff4c8b8c0.1701530776.git.code@siddh.me>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <cover.1701530776.git.code@siddh.me>
References: <cover.1701530776.git.code@siddh.me>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-ZohoMailClient: External
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]);
Sat, 02 Dec 2023 07:42:07 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1784185335467140822
X-GMAIL-MSGID: 1784185335467140822
|
| Series |
nfc: Fix UAF during datagram sending caused by missing refcounting
|
|
Commit Message
Siddh Raman Pant
Dec. 2, 2023, 3:40 p.m. UTC
llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
getting the headroom and tailroom needed for skb allocation.
Parallelly the nfc_dev can be freed, as the refcount is decreased via
nfc_free_device(), leading to a UAF reported by Syzkaller, which can
be summarized as follows:
(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
-> nfc_alloc_send_skb() -> Dereference *nfc_dev
(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
-> put_device() -> nfc_release() -> Free *nfc_dev
When a reference to llcp_local is acquired, we do not acquire the same
for the nfc_dev. This leads to freeing even when the llcp_local is in
use, and this is the case with the UAF described above too.
Thus, when we acquire a reference to llcp_local, we should acquire a
reference to nfc_dev, and release the references appropriately later.
References for llcp_local is initialized in nfc_llcp_register_device()
(which is called by nfc_register_device()). Thus, we should acquire a
reference to nfc_dev there.
nfc_unregister_device() calls nfc_llcp_unregister_device() which in
turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
appropriately released later.
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
Signed-off-by: Siddh Raman Pant <code@siddh.me>
---
net/nfc/llcp_core.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
Comments
Hi Siddh, >@@ -180,6 +183,7 @@ int nfc_llcp_local_put(struct nfc_llcp_local *local) > if (local == NULL) > return 0; > >+ nfc_put_device(local->dev); [Suman] One question here, if we consider the path, nfc_llcp_mac_is_down() -> nfc_llcp_socket_release() -> nfc_llcp_local_put(), then inside nfc_llcp_socket_release() we are already doing nfc_put_device() if "sk->sk_state == LLCP_CONNECTED", with this change we are doing it again. I guess you need to add some check to avoid that. Let me know if I am missing something. > return kref_put(&local->ref, local_release); } > >@@ -959,8 +963,17 @@ static void nfc_llcp_recv_connect(struct >nfc_llcp_local *local, > } > > new_sock = nfc_llcp_sock(new_sk); >- new_sock->dev = local->dev; >+ > new_sock->local = nfc_llcp_local_get(local); >+ if (!new_sock->local) { >+ reason = LLCP_DM_REJ; >+ release_sock(&sock->sk); >+ sock_put(&sock->sk); >+ sock_put(&new_sock->sk); [Suman] don't we need to free new_sock? nfc_llcp_sock_free()? >+ goto fail; >+ } >+ >+ new_sock->dev = local->dev; > new_sock->rw = sock->rw; > new_sock->miux = sock->miux; > new_sock->nfc_protocol = sock->nfc_protocol; @@ -1597,7 +1610,11 @@ >int nfc_llcp_register_device(struct nfc_dev *ndev) > if (local == NULL) > return -ENOMEM; > >- local->dev = ndev; >+ /* Hold a reference to the device. */ >+ local->dev = nfc_get_device(ndev->idx); >+ if (!local->dev) >+ return -ENODEV; [Suman] Memory leak here. Need to call kfree(local). >+ > INIT_LIST_HEAD(&local->list); > kref_init(&local->ref); > mutex_init(&local->sdp_lock); >-- >2.42.0 >
On Sun, 03 Dec 2023 22:29:39 +0530, Suman Ghosh wrote: > Hi Siddh, > > >@@ -180,6 +183,7 @@ int nfc_llcp_local_put(struct nfc_llcp_local *local) > > if (local == NULL) > > return 0; > > > >+ nfc_put_device(local->dev); > [Suman] One question here, if we consider the path, nfc_llcp_mac_is_down() -> > nfc_llcp_socket_release() -> nfc_llcp_local_put(), then inside > nfc_llcp_socket_release() we are already doing nfc_put_device() if > "sk->sk_state == LLCP_CONNECTED", with this change we are doing it again. > I guess you need to add some check to avoid that. Let me know if I am > missing something. The socket state is set to LLCP_CONNECTED in just two places: nfc_llcp_recv_connect() and nfc_llcp_recv_cc(). nfc_get_device() is used prior to setting the socket state to LLCP_CONNECTED in nfc_llcp_recv_connect(). After that, it calls nfc_llcp_send_cc(), which I suppose is a connection PDU by some Google-fu (NFC specs is paywalled). In nfc_llcp_recv_cc(), we do not use nfc_get_device(), but since one must send cc (which is done in nfc_llcp_recv_connect()), I think we are good here. This patch change doesn't touch any other refcounting. We increment the refcount whenever we get the local, and decrement when we put it. nfc_llcp_find_local() involves getting it, so all users of that function increment the refcount, which is also the case with nfc_llcp_mac_is_down(). The last nfc_llcp_local_put() then correctly decrements the refcount. If there is indeed a refcount error due to LLCP_CONNECTED, it probably exists without this patch too. > > new_sock->local = nfc_llcp_local_get(local); > >+ if (!new_sock->local) { > >+ reason = LLCP_DM_REJ; > >+ release_sock(&sock->sk); > >+ sock_put(&sock->sk); > >+ sock_put(&new_sock->sk); > [Suman] don't we need to free new_sock? nfc_llcp_sock_free()? > > [...] > > >+ local->dev = nfc_get_device(ndev->idx); > >+ if (!local->dev) > >+ return -ENODEV; > [Suman] Memory leak here. Need to call kfree(local). Yes, you are correct. Very stupid of me. Will send a v3. Thanks, Siddh
>> >> >@@ -180,6 +183,7 @@ int nfc_llcp_local_put(struct nfc_llcp_local >> >*local) >> > if (local == NULL) >> > return 0; >> > >> >+ nfc_put_device(local->dev); >> [Suman] One question here, if we consider the path, >> nfc_llcp_mac_is_down() -> >> nfc_llcp_socket_release() -> nfc_llcp_local_put(), then inside >> nfc_llcp_socket_release() we are already doing nfc_put_device() if >> "sk->sk_state == LLCP_CONNECTED", with this change we are doing it >again. >> I guess you need to add some check to avoid that. Let me know if I am >> missing something. > >The socket state is set to LLCP_CONNECTED in just two places: >nfc_llcp_recv_connect() and nfc_llcp_recv_cc(). > >nfc_get_device() is used prior to setting the socket state to >LLCP_CONNECTED in nfc_llcp_recv_connect(). After that, it calls >nfc_llcp_send_cc(), which I suppose is a connection PDU by some Google- >fu (NFC specs is paywalled). > >In nfc_llcp_recv_cc(), we do not use nfc_get_device(), but since one >must send cc (which is done in nfc_llcp_recv_connect()), I think we are >good here. > >This patch change doesn't touch any other refcounting. We increment the >refcount whenever we get the local, and decrement when we put it. >nfc_llcp_find_local() involves getting it, so all users of that function >increment the refcount, which is also the case with >nfc_llcp_mac_is_down(). The last nfc_llcp_local_put() then correctly >decrements the refcount. > >If there is indeed a refcount error due to LLCP_CONNECTED, it probably >exists without this patch too. [Suman] Thanks for the explanation.
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c index 1dac28136e6a..a574c653e5d2 100644 --- a/net/nfc/llcp_core.c +++ b/net/nfc/llcp_core.c @@ -145,6 +145,9 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device, static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) { + if (!nfc_get_device(local->dev->idx)) + return NULL; + kref_get(&local->ref); return local; @@ -180,6 +183,7 @@ int nfc_llcp_local_put(struct nfc_llcp_local *local) if (local == NULL) return 0; + nfc_put_device(local->dev); return kref_put(&local->ref, local_release); } @@ -959,8 +963,17 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, } new_sock = nfc_llcp_sock(new_sk); - new_sock->dev = local->dev; + new_sock->local = nfc_llcp_local_get(local); + if (!new_sock->local) { + reason = LLCP_DM_REJ; + release_sock(&sock->sk); + sock_put(&sock->sk); + sock_put(&new_sock->sk); + goto fail; + } + + new_sock->dev = local->dev; new_sock->rw = sock->rw; new_sock->miux = sock->miux; new_sock->nfc_protocol = sock->nfc_protocol; @@ -1597,7 +1610,11 @@ int nfc_llcp_register_device(struct nfc_dev *ndev) if (local == NULL) return -ENOMEM; - local->dev = ndev; + /* Hold a reference to the device. */ + local->dev = nfc_get_device(ndev->idx); + if (!local->dev) + return -ENODEV; + INIT_LIST_HEAD(&local->list); kref_init(&local->ref); mutex_init(&local->sdp_lock);