diff options
| author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2016-03-14 09:56:35 -0300 |
|---|---|---|
| committer | Ziyan <jaraidaniel@gmail.com> | 2016-10-29 01:34:02 +0200 |
| commit | 7aa76215eb3fae8b93f1d0df80fdc9cb203bbb78 (patch) | |
| tree | c066e00f8357327962361c05e89b3c3c718b89af /kernel | |
| parent | b874de318724fbed9d67e2caf67f62e364ddeca3 (diff) | |
| download | kernel_samsung_tuna-7aa76215eb3fae8b93f1d0df80fdc9cb203bbb78.zip kernel_samsung_tuna-7aa76215eb3fae8b93f1d0df80fdc9cb203bbb78.tar.gz kernel_samsung_tuna-7aa76215eb3fae8b93f1d0df80fdc9cb203bbb78.tar.bz2 | |
UPSTREAM: net: Fix use after free in the recvmmsg exit path
(cherry picked from commit 34b88a68f26a75e4fded796f1a49c40f82234b7d)
The syzkaller fuzzer hit the following use-after-free:
Call Trace:
[<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
[<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
[< inline >] SYSC_recvmmsg net/socket.c:2281
[<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
[<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg to set
sock->sk->sk_err, oops, fix it.
Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I2adb0faf595b7b634d9b739dfdd1a47109e20ecb
Bug: 30515201
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions