From: Greg Kroah-Hartman Date: Mon, 18 Apr 2022 11:39:35 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.311~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5961bf58f72b01f41fbee178f8a9e2863c0f2c6f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: ax25-fix-uaf-bugs-in-ax25-timers.patch --- diff --git a/queue-5.17/ax25-fix-uaf-bugs-in-ax25-timers.patch b/queue-5.17/ax25-fix-uaf-bugs-in-ax25-timers.patch new file mode 100644 index 00000000000..e21d42d5180 --- /dev/null +++ b/queue-5.17/ax25-fix-uaf-bugs-in-ax25-timers.patch 
@@ -0,0 +1,77 @@ +From 82e31755e55fbcea6a9dfaae5fe4860ade17cbc0 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Mon, 28 Mar 2022 21:00:15 +0800 +Subject: ax25: Fix UAF bugs in ax25 timers + +From: Duoming Zhou + +commit 82e31755e55fbcea6a9dfaae5fe4860ade17cbc0 upstream. + +There are race conditions that may lead to UAF bugs in +ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(), +ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we call +ax25_release() to deallocate ax25_dev. + +One of the UAF bugs caused by ax25_release() is shown below: + + (Thread 1) | (Thread 2) +ax25_dev_device_up() //(1) | +... | ax25_kill_by_device() +ax25_bind() //(2) | +ax25_connect() | ... + ax25_std_establish_data_link() | + ax25_start_t1timer() | ax25_dev_device_down() //(3) + mod_timer(&ax25->t1timer,..) | + | ax25_release() + (wait a time) | ... + | ax25_dev_put(ax25_dev) //(4)FREE + ax25_t1timer_expiry() | + ax25->ax25_dev->values[..] //USE| ... + ... | + +We increase the refcount of ax25_dev in position (1) and (2), and +decrease the refcount of ax25_dev in position (3) and (4). +The ax25_dev will be freed in position (4) and be used in +ax25_t1timer_expiry(). + +The fail log is shown below: +============================================================== + +[ 106.116942] BUG: KASAN: use-after-free in ax25_t1timer_expiry+0x1c/0x60 +[ 106.116942] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0 +[ 106.116942] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574 +[ 106.116942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14 +[ 106.116942] Call Trace: +... +[ 106.116942] ax25_t1timer_expiry+0x1c/0x60 +[ 106.116942] call_timer_fn+0x122/0x3d0 +[ 106.116942] __run_timers.part.0+0x3f6/0x520 +[ 106.116942] run_timer_softirq+0x4f/0xb0 +[ 106.116942] __do_softirq+0x1c2/0x651 +... + +This patch adds del_timer_sync() in ax25_release(), which could ensure +that all timers stop before we deallocate ax25_dev. 
+ +Signed-off-by: Duoming Zhou +Signed-off-by: Paolo Abeni +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1053,6 +1053,11 @@ static int ax25_release(struct socket *s + ax25_destroy_socket(ax25); + } + if (ax25_dev) { ++ del_timer_sync(&ax25->timer); ++ del_timer_sync(&ax25->t1timer); ++ del_timer_sync(&ax25->t2timer); ++ del_timer_sync(&ax25->t3timer); ++ del_timer_sync(&ax25->idletimer); + dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } diff --git a/queue-5.17/series b/queue-5.17/series index 9b47a5503c9..6753d313a26 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -216,3 +216,4 @@ dma-direct-avoid-redundant-memory-sync-for-swiotlb.patch mm-kfence-support-kmem_dump_obj-for-kfence-objects.patch drm-i915-sunset-igpu-legacy-mmap-support-based-on-graphics_ver_full.patch cpu-hotplug-remove-the-cpu-member-of-cpuhp_cpu_state.patch +ax25-fix-uaf-bugs-in-ax25-timers.patch
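Review bot: in the af_ax25.c hunk the five del_timer_sync() calls sit inside `if (ax25_dev)`, so a socket released without a bound device does not get its timers stopped synchronously here; if that path is covered elsewhere, a one-line comment above the block saying so would help, otherwise consider hoisting the calls above the `if`. Two further points worth confirming against the surrounding code: del_timer_sync() waits for a running callback to finish, so ax25_release() must not hold any lock that the timer handlers also take at this point, or the release will deadlock; and the context line `ax25_destroy_socket(ax25);` runs before the timers are stopped, so the commit message should state why nothing between that call and the new block can re-arm one of the timers. The ordering inside the block itself is correct: the timers are drained before dev_put_track() and ax25_dev_put() drop the device references that the callbacks dereference.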