From: Greg Kroah-Hartman
Date: Wed, 8 Sep 2021 10:52:52 +0000 (+0200)
Subject: 5.13-stable patches
X-Git-Tag: v5.4.145~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9022b82ec97f729770a56078e8eac3caec249844;p=thirdparty%2Fkernel%2Fstable-queue.git
5.13-stable patches
added patches:
igmp-add-ip_mc_list-lock-in-ip_check_mc_rcu.patch
---
diff --git a/queue-5.13/igmp-add-ip_mc_list-lock-in-ip_check_mc_rcu.patch b/queue-5.13/igmp-add-ip_mc_list-lock-in-ip_check_mc_rcu.patch
new file mode 100644
index 00000000000..1f435ba3eee
--- /dev/null
+++ b/queue-5.13/igmp-add-ip_mc_list-lock-in-ip_check_mc_rcu.patch
@@ -0,0 +1,75 @@
+From 23d2b94043ca8835bd1e67749020e839f396a1c2 Mon Sep 17 00:00:00 2001
+From: Liu Jian
+Date: Fri, 16 Jul 2021 12:06:17 +0800
+Subject: igmp: Add ip_mc_list lock in ip_check_mc_rcu
+
+From: Liu Jian
+
+commit 23d2b94043ca8835bd1e67749020e839f396a1c2 upstream.
+
+I got below panic when doing fuzz test:
+
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 0 PID: 4056 Comm: syz-executor.3 Tainted: G B 5.14.0-rc1-00195-gcff5c4254439-dirty #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+Call Trace:
+dump_stack_lvl+0x7a/0x9b
+panic+0x2cd/0x5af
+end_report.cold+0x5a/0x5a
+kasan_report+0xec/0x110
+ip_check_mc_rcu+0x556/0x5d0
+__mkroute_output+0x895/0x1740
+ip_route_output_key_hash_rcu+0x2d0/0x1050
+ip_route_output_key_hash+0x182/0x2e0
+ip_route_output_flow+0x28/0x130
+udp_sendmsg+0x165d/0x2280
+udpv6_sendmsg+0x121e/0x24f0
+inet6_sendmsg+0xf7/0x140
+sock_sendmsg+0xe9/0x180
+____sys_sendmsg+0x2b8/0x7a0
+___sys_sendmsg+0xf0/0x160
+__sys_sendmmsg+0x17e/0x3c0
+__x64_sys_sendmmsg+0x9e/0x100
+do_syscall_64+0x3b/0x90
+entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x462eb9
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8
+ 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48>
+ 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f3df5af1c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9
+RDX: 0000000000000312 RSI: 0000000020001700 RDI: 0000000000000007
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3df5af26bc
+R13: 00000000004c372d R14: 0000000000700b10 R15: 00000000ffffffff
+
+It is one use-after-free in ip_check_mc_rcu.
+In ip_mc_del_src, the ip_sf_list of pmc has been freed under pmc->lock protection.
+But access to ip_sf_list in ip_check_mc_rcu is not protected by the lock.
+
+Signed-off-by: Liu Jian
+Signed-off-by: David S. Miller
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/igmp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2720,6 +2720,7 @@ int ip_check_mc_rcu(struct in_device *in
+ rv = 1;
+ } else if (im) {
+ if (src_addr) {
++ spin_lock_bh(&im->lock);
+ for (psf = im->sources; psf; psf = psf->sf_next) {
+ if (psf->sf_inaddr == src_addr)
+ break;
+@@ -2730,6 +2731,7 @@ int ip_check_mc_rcu(struct in_device *in
+ im->sfcount[MCAST_EXCLUDE];
+ else
+ rv = im->sfcount[MCAST_EXCLUDE] != 0;
++ spin_unlock_bh(&im->lock);
+ } else
+ rv = 1; /* unspecified source; tentatively allow */
+ }
diff --git a/queue-5.13/series b/queue-5.13/series
index a9f046b63e0..2a52f529098 100644
--- a/queue-5.13/series
+++ b/queue-5.13/series
@@ -1 +1,2 @@
 firmware-dmi-move-product_sku-info-to-the-end-of-the-modalias.patch
+igmp-add-ip_mc_list-lock-in-ip_check_mc_rcu.patch
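Review bot: The new `spin_lock_bh(&im->lock);` in front of the `im->sources` walk carries no comment, so the next reader has only the commit message to tell them that the RCU read side is not enough here; I would add above it `/* im->sources and im->sfcount are changed and freed under im->lock (see ip_mc_del_src); the RCU read side only keeps im itself alive. */`. The commit message explains that ip_mc_del_src frees the ip_sf_list under pmc->lock, which is what justifies the lock, but nothing in the hunk shows how `im` stays valid across the lock acquisition — presumably RCU-deferred freeing of the ip_mc_list, which is worth confirming in ip_ma_put rather than assuming. The lookup on the output route path shown in the trace (udp_sendmsg → __mkroute_output → ip_check_mc_rcu) was lock-free before and now takes a spinlock per source-specific check; whether that is a contention concern under multicast load cannot be judged from the hunk. The body of ip_check_mc_rcu starts before the first inner hunk and its remainder, including the return, lies after the last.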